Data protection

Last updated: 8 May 2024

Data protection policy

Why and for whom?

At Norrhavet Lab AB, organization number 559258-3792 (“Norrhavet”, “we”, “us”, “our”), we care about personal privacy. This means that we respect and safeguard your privacy and your right to control and transparency when processing your Personal Data.

This Data Protection Policy (the “Policy”) applies to the processing operations for which Norrhavet is the Data Controller. The Policy describes in general terms the purposes for which we need your Personal Data, the legal basis we rely on and the measures we take to protect Personal Data. We also provide information on how to exercise the rights you have in relation to our processing of your Personal Data.

This Policy informs you about our processing of Personal Data when you communicate with us, use the Service or visit our website (together “Features”).


“Processing” of Personal Data is anything that can be done with Personal Data, e.g. storing, modifying, reading, handing over, etc.

“Applicable Law” means the legislation applicable to the processing of Personal Data including the General Data Protection Regulation (GDPR), supplementary national legislation, as well as practices, guidance and recommendations issued by a national or European supervisory authority.

“Personal data” is any information that can be linked to an identifiable, living person.

“Controller” is the company/organization that determines the purposes and manner in which the Personal Data will be processed and is therefore also responsible for ensuring that Personal Data is processed in accordance with Applicable Law.

“Processor” is the company/organization that processes Personal Data on behalf of the Controller and may therefore only process the Personal Data in accordance with the Controller’s instructions and Applicable Law.

“Data Subject” means the living, natural person whose Personal Data are processed.

The “Service” is a website for information about our consulting services.

Norrhavet’s responsibility for personal data

The information in this Policy covers the Processing of Personal Data for which Norrhavet is the Data Controller, i.e. the Processing for which we determine the purposes (why a Processing is done) and means (in what way, what personal data, for how long, etc.). The policy does not describe how we process personal data in our role as Data Processor – i.e. when we process personal data on behalf of our customers.

1. We provide an information-based website where visitors can immerse themselves in our services. Services are purchased on a per-project basis and invoiced either on an ongoing basis or at a fixed price. We also contact relevant target groups to sell our services. This can be done through our contact forms on the website or in the form of newsletters or email follow-ups on or from the website.
2. On our website there is also a blog/article function where visitors can immerse themselves in different topics and learn more about the respective subject.

Processing of personal data by Norrhavet

We have a responsibility to describe and demonstrate how we comply with the requirements placed on us when processing your Personal Data. This section aims to give you an understanding of the types of personal data we process about you and for what purposes.

Data Subjects and retention period

The intended recipients of this Policy are the following groups, whose personal data we store in accordance with the criteria below.

  • Employees of potential customers
    Personal data of employees of potential customers will be stored for the time necessary to determine whether the potential customer wishes to enter into a contract.

  • Employees of existing customers
    Personal data of employees will be stored for the time necessary to provide the service and to fulfill legal obligations, such as dealing with alleged errors in the service.


Personal data of visitors to our website will be processed in accordance with our cookie policy.
Norrhavet uses cookies and similar tracking technologies to, among other things, analyze how Features are used so that we can provide you with the absolute best user experience. More information on how we use cookies can be found in our Cookie Policy.

Processing activities and purposes

The main purpose of the personal data processing we carry out is to provide, perform and improve our services to you. There are several reasons why we may need to collect, process and store your data.

We mainly process personal data for the following purposes:

  • Contact and identification details to confirm your identity, verify your details and communicate with you

  • Financial data to perform, where applicable, e.g. customer insight and risk analysis

  • Information about your use of the service or product to improve your customer experience

  • IP address to perform customer analytics and to present content on our site effectively to you and the device you are using

How do we get access to your personal data?

We collect your personal data in a number of different ways. We mainly get access to your personal data:

Legal bases

In order for us to process your personal data, we need a so-called legal basis for the respective processing. In our activities, we process your personal data mainly on the following grounds:

Consent – Norrhavet processes your Personal Data after we have obtained your consent to the Processing. Information about the processing is always provided when we ask for consent.

If you would like further information about the legal basis(es) on which we process your personal data, you always have the right to request a so-called register extract. Read more under “How to use your rights” below.

Your rights

You are the controller of your Personal Data. We always aim to ensure that you can exercise your rights as effectively and smoothly as possible.

Access – You always have the right to obtain information about the Personal Data processing operations that concern you in a so-called register extract. The extract from the register shows, inter alia, which of your personal data we have stored, for what purposes and on what legal basis. We will only disclose information if we have been able to verify that it is actually you who is asking for the information.

Correction – If you discover that the Personal Data we process about you is incorrect, contact us and we will fix it!

Deletion – Do you want us to forget you completely? You have the right to request the deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected. If we are required to retain your data by law or a contract we have entered into with you, we will ensure that it is processed only for the specific purpose set out in the law or contract. We will then ensure that the data is deleted as soon as possible.

Objection – Do you disagree with us that our interest in processing your Personal Data outweighs your interest in privacy? Don’t worry – in that case we will review our balance of interests and check that it still holds. We will, of course, take your objection into account when carrying out a new assessment to evaluate whether we can still justify our Processing of your Personal Data. If you object to direct marketing, we will delete your Personal Data immediately without reviewing our assessment.

Restriction – You can also ask us to restrict our Processing of your data:

  • While we are processing a request from you for any of your other rights.

  • If, instead of requesting erasure, you want us to indicate that the data should not be processed for a particular purpose. For example, if you don’t want us to send you advertising in the future, we still need to save your name to know not to contact you.

  • Where we no longer need the data for the purpose for which it was collected, provided that you do not have an interest in us retaining the data in order to pursue a legal claim.

Data portability – We can provide you with the data you have provided to us or that we have received from you in the context of entering into a contract with you. You will receive your data in a commonly used and machine-readable format, which you can then take with you to another Data Controller.

Withdrawing consent – If you have consented to one or more specific processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thus ask us to cease Processing immediately. Please note that you can only withdraw your consent for future Processing(s) of Personal Data and not for any Processing that has already taken place.

How to use your rights

Contact us at and we will help you.

Transfer of Personal Data

In order to conduct our business, we rely on others to process Personal Data on our behalf, known as Processors.
We always strive to process personal data within the EU/EEA but have Data Processors in the following countries outside the EU/EEA:

  • the United States, to which we transfer personal data under the European Commission’s standard contractual clauses for third country transfers.

  • Canada, to which we transfer your personal data based on the European Commission’s decision that the country ensures an adequate level of protection.

  • the United Kingdom, to which we transfer your personal data based on the European Commission’s decision that the country ensures an adequate level of protection.

We have entered into Data Processing Agreements (DPAs) with all our Data Processors. The DPA regulates how the Processor may process the Personal Data and what security measures are required for the processing of Personal Data.

We may also need to disclose your Personal Data to certain designated authorities in order to comply with legal obligations or governmental decisions.

Our categories of Data Processors

Below are categories of recipients with whom we may share your data.

  • Marketing service providers, such as advertising agencies for the development of campaigns or suppliers that help with mailings by post or email.

Safety and security

Norrhavet has taken technical and organizational measures to ensure that your personal data is processed securely and that it is protected from loss, misuse and unauthorized or unlawful access.

Our security measures

Organizational security measures are measures that are implemented in working practices and procedures within the organization. Our organizational security measures are:

  • Internal governing documents (policies/instructions)

Technical security measures are measures implemented through technical solutions. Our technical security measures are:

  • Encryption

  • VPN

  • Firewall

  • Backing up

  • Regular monitoring of security level

  • Two-step verification

If we do not keep our promises

If you feel that we are processing your Personal Data incorrectly, even after you have brought this to our attention, you always have the right to lodge your complaint with the Data Protection Authority.

More information about our obligations and your rights can be found on the website of the Data Protection Authority. You can also contact the Agency at

Changes to this policy

We reserve the right to make changes to this Policy. Where the change affects our obligations or your rights, we will inform you of the changes in advance so that you have the opportunity to consider the updated policy.

Contact us

Please contact us if you have any questions about your rights or if you have any other questions about how we process your personal data: