Privacy Policy
1. Introduction and company information
This privacy policy explains how Nordlys Svøm og Velvære AS collects, uses, stores, shares, and protects personal data in connection with our swimming and wellness services, including course registration, membership administration, customer service, facility access, communication, and related activities.
Company name: Nordlys Svøm og Velvære AS
Address: Strandveien 12, 1366 Lysaker, Norway
Email: [email protected]
Phone: +47 67 58 41 29
We process personal data in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR) and relevant Norwegian data protection rules.
2. Data collection and processing
We may collect and process the following categories of personal data:
- Identification and contact information: name, address, email address, phone number, date of birth, and emergency contact details.
- Customer and membership information: registration details, membership status, course participation, attendance records, payment status, and service preferences.
- Health-related information: information you voluntarily provide that is relevant to safe participation in swimming or wellness activities, such as allergies, medical conditions, disabilities, or special needs. We process such data only when necessary and when appropriate safeguards are in place.
- Payment information: invoice details, transaction references, and payment confirmations. We do not store full card details unless handled by a secure payment provider.
- Technical data: IP address, device information, browser type, log data, and cookie-related information when you use our website or digital services.
- Communication data: inquiries, feedback, complaints, and correspondence with our customer service team.
- Security and access data: access logs, CCTV recordings where applicable, and incident reports for safety and security purposes.
We collect personal data directly from you, from your legal guardian where applicable, from payment providers, from booking systems, and from other service providers acting on our behalf.
3. Purpose of data processing
We process personal data for the following purposes:
- to provide swimming, training, wellness, and related services;
- to manage registrations, memberships, bookings, and attendance;
- to communicate with customers, participants, and guardians;
- to process payments, invoices, refunds, and accounting records;
- to ensure safety, including emergency handling and risk management;
- to adapt services to individual needs where necessary;
- to maintain security, prevent misuse, and protect our facilities and users;
- to comply with legal obligations, including accounting, tax, and documentation requirements;
- to improve our services, website, and customer experience;
- to send relevant service information, such as schedule changes, reminders, and important notices;
- to handle complaints, claims, and legal disputes.
4. Legal basis for processing
We process personal data only when we have a valid legal basis. Depending on the situation, our processing is based on one or more of the following:
- Performance of a contract: when processing is necessary to provide our services, manage memberships, or fulfill obligations under an agreement with you.
- Legal obligation: when we are required to process data under applicable law, such as accounting, tax, safety, or record-keeping obligations.
- Legitimate interests: when processing is necessary for our legitimate interests, such as service improvement, security, fraud prevention, and administration, provided that your interests and fundamental rights do not override those interests.
- Consent: when you have given clear consent, for example for certain marketing communications, optional health-related information, or specific cookie use where required.
- Vital interests: in exceptional cases where processing is necessary to protect someone’s life or physical safety, such as during an emergency.
- Special category data: health-related information is processed only when necessary, with an appropriate legal basis and additional safeguards, such as your explicit consent or another lawful basis under applicable law.
5. Data sharing and third parties
We may share personal data with third parties only when necessary and lawful. These recipients may include:
- IT and hosting providers: for website hosting, cloud storage, maintenance, and security services;
- Booking and membership system providers: for administration of registrations, schedules, and customer accounts;
- Payment service providers and banks: for payment processing and financial administration;
- Accounting and audit providers: for bookkeeping, invoicing, and statutory reporting;
- Insurance companies and legal advisors: where necessary for claims handling, legal compliance, or dispute resolution;
- Public authorities: when required by law or to respond to lawful requests;
- Emergency services or medical personnel: in urgent situations to protect health or safety.
All third parties that process personal data on our behalf are required to protect the data, use it only for agreed purposes, and implement appropriate security measures.
6. Data transfer to third countries
In some cases, personal data may be transferred to or accessed from countries outside the European Economic Area (EEA). This may occur if we use service providers with infrastructure or support teams located outside the EEA.
Where such transfers take place, we ensure that appropriate safeguards are in place, such as:
- an adequacy decision by the European Commission, where applicable;
- Standard Contractual Clauses or other approved transfer mechanisms;
- additional technical and organizational safeguards where necessary.
You may contact us for more information about international data transfers and the safeguards we use.
7. Storage duration
We store personal data only for as long as necessary for the purposes for which it was collected, or as long as required by law. Retention periods may vary depending on the type of data and the legal basis for processing.
- Customer and membership data: retained for the duration of the relationship and for a reasonable period thereafter to handle follow-up matters, claims, or legal obligations.
- Accounting and transaction data: retained for the period required by accounting and tax laws.
- Communication records: retained as long as needed to handle inquiries, complaints, or service matters.
- Security logs and CCTV recordings: retained for a limited period unless needed longer for incident investigation, safety, or legal claims.
- Consent-based data: retained until consent is withdrawn or the data is no longer needed.
When data is no longer needed, we delete, anonymize, or securely archive it in accordance with applicable rules.
8. User rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access: you may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification: you may request correction of inaccurate or incomplete data.
- Right to erasure: you may request deletion of your data in certain circumstances, for example where it is no longer necessary or consent has been withdrawn.
- Right to restriction: you may request that we limit the processing of your data in certain situations.
- Right to data portability: you may request to receive certain data in a structured, commonly used, machine-readable format and, where technically feasible, have it transferred to another controller.
- Right to object: you may object to processing based on legitimate interests and to direct marketing at any time.
To exercise your rights, please contact us using the details below. We may need to verify your identity before responding. We will respond within the time limits required by law.
9. Withdrawal of consent
Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
You can withdraw consent by contacting us at [email protected] or by using any available unsubscribe or preference settings in our communications.
10. Right to complain
If you believe that our processing of your personal data does not comply with applicable law, you have the right to lodge a complaint with the relevant supervisory authority.
In Norway, this is the Norwegian Data Protection Authority (Datatilsynet). We encourage you to contact us first so that we can try to resolve your concern directly.
11. Data security
We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include:
- access controls and role-based permissions;
- encryption and secure transmission where appropriate;
- regular backups and system monitoring;
- staff training on confidentiality and data protection;
- physical security measures at our premises;
- incident response procedures and security reviews.
While we work to protect your data, no system can be guaranteed to be completely secure. If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will handle it in accordance with applicable legal requirements.
12. Contact information
If you have questions about this privacy policy or our processing of personal data, or if you wish to exercise your rights, please contact:
Nordlys Svøm og Velvære AS
Strandveien 12, 1366 Lysaker, Norway
Email: [email protected]
Phone: +47 67 58 41 29
13. Changes to privacy policy
We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or data processing practices. The latest version will always be made available through our website or other appropriate channels.
We encourage you to review this policy regularly. If changes are significant, we may provide additional notice where appropriate.