Privacy Policy

How Elbowbright collects, uses, and protects your personal data.

Last updated:

1. Data Controller

The data controller responsible for processing your personal data is:

Elbowbright
Vestre Torggaten 22, 5015 Bergen, Norway
Phone: +47 41 14 39 04
Email: welcome@elbowbright.world

2. Legal Framework

We process personal data in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR), as incorporated into Norwegian law through the EEA Agreement;
  • The Norwegian Personal Data Act (Personopplysningsloven);
  • Relevant regulations and guidance from the Norwegian Data Protection Authority (Datatilsynet).

As Norway is part of the EEA, GDPR rights and obligations apply to processing of personal data relating to visitors and users in Norway and the wider EEA.

3. What Data We Collect

We may collect the following categories of personal data:

  • Contact information: name, email address, and message content when you submit our contact form.
  • Technical data: IP address, browser type, operating system, referring URL, pages visited, and time spent on pages.
  • Cookie data: information stored through cookies and similar technologies as described in our Cookie Policy.

4. Purposes of Data Processing

We process your personal data for the following purposes:

  • Responding to your inquiries submitted through the contact form.
  • Improving our website functionality and user experience.
  • Analysing website traffic and usage patterns to enhance our content.
  • Ensuring the security and proper functioning of our website.
  • Complying with legal obligations applicable under Norwegian and EU law.

5. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR:

  • Consent (Art. 6(1)(a)): When you submit the contact form with the privacy consent checkbox selected, or when you accept optional cookies (analytics and marketing) via our cookie banner.
  • Legitimate interest (Art. 6(1)(f)): For essential website security, fraud prevention, and limited technical operation, where our interest does not override your rights. Optional analytics and marketing cookies are not placed on this basis — they require your consent under Norwegian and EU rules.
  • Legal obligation (Art. 6(1)(c)): When we must retain or disclose data to comply with applicable law.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described above:

  • Contact form submissions: retained for up to 12 months after your inquiry has been resolved, then securely deleted.
  • Analytics data: aggregated and anonymised within 26 months of collection.
  • Cookie data: retained according to the durations specified in our Cookie Policy.

7. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with:

  • Website hosting providers: to store and deliver the website securely.
  • Analytics providers (with consent): such as Google Analytics, to understand aggregated website usage.
  • Advertising and measurement providers (with consent): such as Google Ads conversion tracking, to measure advertising effectiveness when you have accepted marketing cookies.
  • Legal authorities: when required by law, court order, or to protect our legal rights.

Where we use processors, we enter into data processing agreements (Art. 28 GDPR) requiring them to process data only on our instructions and in compliance with applicable data protection law.

8. International Data Transfers

If your data is transferred outside the European Economic Area (EEA), we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognised safeguards.

9. Your Rights

Under GDPR and the Personal Data Act, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data under certain conditions.
  • Right to restrict processing: request limitation of how we use your data.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
  • Right to object: object to processing based on legitimate interest, including profiling where applicable.
  • Right to withdraw consent: withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decisions: we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact us at welcome@elbowbright.world. We will respond without undue delay and within one month, as required by GDPR Art. 12. We may extend this period by up to two further months for complex requests, and will inform you if an extension applies.

If we cannot fulfil your request, we will explain the reasons and inform you of your right to lodge a complaint with Datatilsynet.

10. Marketing Communications

We do not send unsolicited marketing emails based on contact form submissions. If we ever contact you by email, it will relate to your inquiry unless you have given separate, explicit consent for newsletters or similar communications, which you may withdraw at any time.

Direct marketing in Norway must comply with the Marketing Control Act (Markedsføringsloven), including rules on identification of the sender and opt-out rights.

11. Children's Privacy

This website is intended for adults. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Data Security and Breach Notification

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS/SSL protocols.
  • Access controls limiting data access to authorised personnel only.
  • Regular security assessments and updates to our systems.
  • Secure data storage with backup and recovery procedures.

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify Datatilsynet without undue delay and, where required by law, inform affected individuals.

13. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
Website: www.datatilsynet.no

You may also contact your local data protection authority in another EEA country if you reside there.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised "Last updated" date. We encourage you to review this policy periodically.