Legal

Privacy & Data Protection Policy

Last updated: 19 May 2025
Effective date: 19 May 2025

1. Introduction

VRS processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Norwegian data protection laws.

2. Data Protection Principles

We process personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation (data is collected for specific purposes only)
  • Data minimisation (only necessary data is processed)
  • Accuracy (data is kept up to date)
  • Storage limitation (data is retained only as long as necessary)
  • Integrity and confidentiality (data is kept secure)

3. Roles and Responsibilities

3.1 Data Controller

VRS acts as Data Controller when determining the purposes and means of processing personal data.

3.2 Data Processor

Where we process personal data on behalf of customers, we act as Data Processor under a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.

3.3 Third-Party Controllers

Certain third parties (e.g., Microsoft, LinkedIn, analytics providers) may act as independent data controllers.

4. How We Collect Personal Data

We collect personal data through:

  • Direct interactions (e.g., when you contact us, register, or use our services)
  • Automated technologies (e.g., cookies, analytics tools, server logs)
  • Third-party sources, including:
    • cloud platforms (e.g., Microsoft AppSource);
    • business partners;
    • publicly available sources;
    • analytics and service providers.

5. Personal Data We Process

5.1 Website Usage

  • IP address
  • browser and device information
  • access time and location

Purpose: security, analytics, and performance

5.2 Contact and Communication

  • name
  • email
  • phone number
  • message content

Purpose: responding to inquiries

5.3 Customer and Account Data

  • name
  • company
  • contact details
  • account credentials

Purpose: service delivery and contract management

5.4 Service Usage Data

  • user activity
  • system logs
  • configuration data

Purpose: provide services, ensure compliance, improve performance

5.5 Support and Diagnostics

  • support communications
  • technical data and logs

Purpose: troubleshooting and support

5.6 Analytics Data

We process aggregated or anonymized usage data for service improvement.

6. Legal Basis for Processing

We process personal data based on:

  • Contractual necessity
  • Legal obligations
  • Legitimate interests, including: improving services, ensuring security
  • Consent, where required (e.g., marketing, cookies)

Where we rely on legitimate interest, we ensure that such interests are not overridden by your rights and freedoms.

7. Consequences of Not Providing Data

Where personal data is required to enter into a contract or access services, failure to provide such data may result in:

  • inability to provide services;
  • inability to respond to requests.

8. Data Sharing

We may share personal data with:

  • cloud and IT service providers
  • analytics providers
  • support and communication tools
  • legal and professional advisors
  • authorities where required by law

All third parties are bound by contractual obligations to protect personal data and process data only as instructed. We do not sell personal data.

9. International Data Transfers

Where personal data is transferred outside the EEA, we ensure appropriate safeguards, including:

  • EU Standard Contractual Clauses (SCCs);
  • equivalent legal mechanisms.

For information about how we use cookies in relation to data processing, please see our Cookie Policy.

10. Data Retention

We retain personal data only as long as necessary. Typical retention periods:

Data Type Retention Period
Contact inquiriesup to 12 months
Customer/account dataduration of contract + up to 5 years
Support dataup to 3 years
Analytics data12–24 months
Legal/compliance dataas required by law

After this period, data is deleted or anonymised.

11. Data Security

We implement appropriate technical and organisational measures, including:

  • access control and authentication
  • encryption and secure communication
  • vulnerability management
  • incident response procedures
  • employee training

Our approach is aligned with industry frameworks such as ISO 27001 principles and the NIST Cybersecurity Framework.

12. Personal Data Breaches

In the event of a personal data breach, we will:

  • notify relevant authorities where required;
  • inform affected individuals where necessary.

13. Your Rights

You have the right to:

  • access your personal data
  • rectify inaccurate data
  • request deletion
  • restrict processing
  • object to processing
  • data portability
  • withdraw consent

Requests can be made via the contact details below. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

14. Children's Data

Our services are not intended for individuals under 16, and we do not knowingly collect such data.

15. Automated Decision-Making

We do not carry out automated decision-making or profiling with legal or significant effects.

16. Changes to This Policy

We may update this policy to reflect:

  • legal changes;
  • technological developments;
  • business updates.

Material changes will be communicated via our website or direct communication.

17. Contact Information

For any privacy-related inquiries:

VRS, Odda, Norway
↑ Back to top