Data Protection and Privacy Policy
Otivio AS
Drammensveien 130
0277 Oslo
Norway
Email: info@emano-project.no
This is version 2 last updated on 9 OCT 2024.
1. Introduction
1.1 This Data Protection and Privacy Policy (the “Policy”) describes how Otivio AS (“us”, ”we” or ”our”) when acting in the role of a controller, collects and processes your personal data relating to the purchase of services, membership, products, or your use of our website,
1.2 The Policy is prepared and made available to comply with the General Data Protection Regulation (2016/679 of 27 April 2016) (the ”GDPR”) and the rules included herein on information to be provided to you.
2. Collecting personal data with cookies
2.1 By visiting and using our website(s), personal data collected with cookies will be processed. Information about this processing can be accessed here: https://emano.flowox.com/no/cookieerklaering
3. Types of personal data processed
3.1 We process personal data about you when this is necessary and in accordance with the applicable legislation. Depending on the specific circumstances, the processed personal data include the following types of personal data:
a) password
b) address
c) age
d) payment card details
e) username
f) National identification number
g) email
h) Facebook data
i) invoicing and bookkeeping data and documentation
j) Google data
k) IP addresses
l) Customer number
m) purchasing history
n) name
o) account status (customer points, payments etc.)
p) telephone number
3.2 Depending on the circumstances and only when it is strictly relevant and necessary, we may process special categories of personal data (so-called "sensitive personal data"). These personal data include:
a) health information of one or more persons (health, illness, diagnosis, etc.)
3.3. We process these sensitive personal data for the following purposes:
a) In relation to registration
b) As a service and guide in relation to system navigation and trouble shooting.
3.4 If we need to collect more personal data than specified above, we will inform you by updating this Policy.
4. Purposes of processing the personal data
4.1 We will only process your personal data if we have a legitimate purpose and in that case in accordance with the rules of the GDPR. The personal data we collect about you is processed for the following purposes:
a) To administrate a customer or membership club
b) To respond to inquiries or complaints.
c) To improve our products, services, or website.
d) To perform profiling of users, customers or members to analyse and predict their preferences and/or behavior.
e) To prevent fraudulent behavior or misuse of our products, services and website, including the processing of personal data for the purpose of legal actions.
f) To prevent fraudulent behavior or misuse of the IT System and/or the products or services that are provided via the IT system(s).
g) To provide support and service messages, including responding to questions and complaints and sending updates about our products and services.
h) To communicate and exchange data with public authorities when required by law.
i) To deliver products or services.
j) To provide service messages and information.
k) To store personal data to comply with applicable legislation requirements such as bookkeeping acts.
l) To send newsletters and direct marketing (such as e-mails, MMS', direct messages on social media, etc.)
m) To send newsletters by e-mail.
5. Legal basis for processing personal data
5.1 We only process your personal data when we have a legal basis to do so in accordance with the GDPR. Depending on the specific circumstances, the processing of personal data is done on the following legal basis:
a) The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract in accordance with GDPR, Article 6(1)(b), last indent.
b) The processing is necessary for the performance of a contract to which the data subject is a party in accordance with GDPR, Article 6(1)(b), the first indent.
c) The processing is necessary to comply with applicable legislation in accordance with GDPR, Article 6(1)(c).
d) The processing is necessary for the purposes of the legitimate interests where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with GDPR, Article 6(1)(f).
e) The legal basis for the processing of such personal data is consent, in accordance with GDPR, Article 6(1)(a). You can withdraw your consent at any time by contacting us via the contact details provided at the end of this Policy. If you withdraw your consent, the personal data processed will be deleted, unless it can or must be processed in order to comply with legal obligations.
5.2 When it is strictly relevant and necessary, sensitive personal data (the “special categories of personal data”) listed in the GDPR, Article 9(1), may be processed. In such case the processing will only take place when permitted by the GDPR, Article 9(2) to Article 9(4), including but not limited to the following instances:
a) Your explicit consent in accordance with the GDPR, Article 9(2)(a).
b) The processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law or a collective agreement pursuant to national EU member state law, which provides for appropriate safeguards for the fundamental rights and the interests of the data subject in accordance with GDPR, Article 9(2)(b).
5.3 In addition to the above, in some instances we process social security number or other identification number. Before we perform such processing, we will collect a consent hereto. We perform this processing activity for the following purposes: In relation to registrations and documentation, certain of our customers require the provision of national identification numbers. National identification numbers are also processed in connection with salary and employment.
5.4 In addition to the above, in some instances we disclose personal data to third-parties in order for the third-parties to use the personal data to marketing activities on their own behalf. Before we perform such processing, we will collect a consent hereto. We perform this processing activity for the following purposes: Analysis tools, including random sample checks, are used for analysing customer and user journeys. All session data are anonymised and pseudonymised to the greatest extent possible.
5.5 In addition to the above, in some instances we disclose and/or transfer information about creditworthiness to third-parties. Before we perform such processing, we will collect a consent hereto. We perform this processing activity for the following purposes: We negotiate and manage payment gateways from various operators, including WorldLine, QuickPay and Swiipe, etc., through which we access transaction information, including orders, invoices and payment details.
5.6 In addition to the above, in some instances we analyse individual customers' or users' personal preferences and/or behaviour with the purpose of using such analyses for marketing, sales or similar commercial activities. Before we perform such processing, we will collect a consent hereto. We perform this processing activity for the following purposes: Analytical tools, including random checks, are used for the purpose of analysis of customer journeys as well as to detect technical errors. All session data are anonymised and pseudonymised.
5.7 To the extent that we process personal data about these children based on their consent, we will collect consent from the children's parents or legal guardian before processing their personal data. We perform this processing activity for the following purposes: In relation to the development and operation of learning plaforms and websites for schools, we process personal data as well as information such as national identification numbers, age, school, class, siblings, family relationships, and in certain cases, health information on behalf of the companies.
5.8 If we send you direct marketing, including by email, we will ask for your prior consent in accordance with the applicable rules such as marketing acts.
5.9 All information is encrypted from the beginning of data storage. Encryption is thus applied to data in-use, in-transit, and at rest. Additionally, all data is protected by comprehensive security measures, both organisational, physical, and digital.
6. Disclosure and transfer of personal data
6.1 We only transfer personal data to other entities when legally permitted or required. Our organization is part of a concern or a group of companies where, depending on the circumstances, personal data is shared.
7. Erasure and retention of personal data
7.1 We ensure that the personal data is deleted when it is no longer necessary for the processing purposes described above. However, we retain your personal data to the extent that we are legally obligated, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of your personal data, you may contact us by using the email mentioned in the last section of this Policy."
8. Data subject rights
8.1 As a data subject under GDPR, you have a number of rights.
8.1.1 You have the right to request access to the personal data we process about you, the purposes we process the personal data, and whether we disclose or transfer your personal data to others.
8.1.2 You have the right to have incorrect information rectified.
8.1.3 You have the right to have certain personal data deleted.
8.1.4 You may have the right to restriction of our processing of your personal data.
8.1.5 You may have the right to object to our processing of your personal data based on reasons and circumstances that pertain to your particular situation.
8.1.6 You have the right not to be subject to a decision based solely on automated means, without human interference unless the decision (1) is necessary for entering into, or performance of a contract between you and the Organization,
(2) is authorised by law, or (3) is based on your explicit consent.
8.1.7 If the processing of your personal data is based on your consent, you are entitled to withdraw such consent at any time. Withdrawal of your consent will not affect the lawfulness of the processing carried out prior to your withdrawal.
8.1.8 You are entitled to receive personal data which you have provided to us in a structured, commonly used, and machine-readable format (data portability).
8.1.9 You can always lodge a complaint with the data protection authority.
8.2 Your rights may be subject to conditions or restrictions. Accordingly, there is no certainty that you will be entitled to for example data portability in the specific situation; it will depend on the circumstances of the processing.
8.3 More information about data subject rights can be found in the guidelines of the national data protection authorities.
8.4 Please use you the contact details below if you want to use your rights.
8.5 We try to meet your wishes about our processing of personal data, but you can always file a complaint to the data protection authorities.
9. Changes to this Policy
9.1 We reserve the right to update and amend this Policy. If we do, we correct the date and the version at the top of this Policy. If we make significant changes, we will provide notification by way of a visible notice, for example on our website or by direct message.
10. Contact
10.1 You may contact us at the below specified email if you:
a) disagree with our processing or consider our processing of your personal data infringes on the law,
b) have questions or comments to this Policy, or
c) want to invoke one or more of your rights as a data subject described in this Policy.
If you have questions or comments to this Policy or if you would like to invoke one or more data subject rights, please contact us at info@emano-project.no.