Privacy Policy

1. Who we are

The data controller responsible for the processing of personal data under this Privacy Policy is EASY FLOW AS, organisation number 936 443 672, registered in Norway. If you have questions about this Privacy Policy or about how we process your personal data, you can contact us at:

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data collected through our website and online store, checkout and payment flows, subscription and recurring order functionality, customer support communications, newsletter and email signups, advertising, remarketing, and analytics tools, cookies and similar tracking technologies, social media interactions connected to Nordvell, and forms, surveys, giveaways, and promotional campaigns.

This Privacy Policy does not apply to third-party websites, platforms, or services that we do not control, even if we link to them.

3. What personal data we collect

We may collect the following categories of personal data:

• Identity: first name, last name, username, or similar identifier.
• Contact: email address, telephone number, billing address, shipping address, country, and region.
• Order: products purchased, order value, delivery details, subscription status, refunds, and transaction history.
• Payment: limited payment-related information such as payment method, billing status, and transaction references; full card details are processed by our payment providers and not stored by us directly.
• Account: login details, account preferences, saved routine settings, and account-related activity if customer accounts are enabled.
• Technical: IP address, browser type, device type, operating system, language settings, referring URL, time zone, and similar device or session information.
• Usage: pages viewed, buttons clicked, time spent on pages, cart activity, purchase path, and interactions with content, offers, and campaigns.
• Marketing: email preferences, consent choices, campaign interactions, attribution data, and audience or advertising signals where permitted.
• Communications: messages you send us, support requests, reviews, feedback, survey responses, and other correspondence.
• Fraud and security: information relevant to suspicious activity, abuse prevention, chargeback management, and platform security.

We do not intentionally request or need special categories of personal data for ordinary skincare ecommerce purchases.

4. How we collect personal data

We collect personal data directly from you when you place an order, subscribe, contact us, sign up for emails, or fill out a form; automatically when you browse our website through cookies, pixels, logs, tags, and similar technologies; from service providers that help us process payments, prevent fraud, fulfill orders, run analytics, and manage customer support; and from advertising and social media platforms when you interact with our content or ads, subject to your settings and consent choices.

5. Why we process personal data

We may process personal data to provide our website and services, create and fulfill orders, process payments and subscriptions, ship products and handle logistics, provide customer service, send service-related messages, manage recurring subscriptions and renewals, prevent fraud and abuse, operate and improve our website, analyze performance and user experience, personalize offers where legally permitted, send newsletters and marketing communications where legally permitted, comply with accounting, tax, and regulatory obligations, and establish or defend legal claims.

6. Legal bases for processing

Where the GDPR applies, we rely on one or more of the following legal bases:

• Performance of a contract: when processing is necessary to sell products, take payment, deliver orders, manage subscriptions, or provide customer support.
• Legitimate interests: when processing is necessary for website operations, fraud prevention, service improvement, analytics, and business administration, provided those interests are not overridden by your rights.
• Consent: when required for certain cookies, similar tracking technologies, and certain types of direct marketing or profiling.
• Legal obligation: when we must process data to comply with applicable law, including tax, bookkeeping, consumer, and regulatory obligations.

Where we rely on consent, you may withdraw it at any time. Withdrawal of consent does not affect processing that took place before the withdrawal.

7. Cookies and similar technologies

We use cookies, pixels, tags, and similar technologies to make our website function, remember preferences, measure traffic, understand performance, and improve marketing effectiveness. Where required by law, non-essential cookies and similar technologies will only be activated after you provide consent through our consent banner. You can update your cookie preferences at any time through the cookie settings link on our website. For more details, please see our Cookie Policy.

8. Marketing communications

We may send you newsletters, educational content, launch announcements, offers, and other marketing messages if you sign up, purchase from us where permitted by law, or otherwise provide the necessary permission. You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in the email or by contacting us. Even if you opt out of marketing, we may still send transactional or service-related communications about your orders, subscriptions, billing, or account.

9. Sharing personal data

We do not sell personal data. We may share personal data with trusted third parties when necessary to run the business, including ecommerce platform providers, website hosting and infrastructure providers, payment processors, subscription management providers, logistics and fulfillment partners, customer service tools, email and SMS communication providers, analytics providers, advertising and social media partners, fraud prevention and security providers, accounting and legal advisers, and public authorities where required by law.

We require service providers to process personal data only on appropriate instructions and to use suitable security and confidentiality measures.

10. International transfers

Because Nordvell is a global ecommerce brand, personal data may be processed in countries outside your own jurisdiction, including outside the EEA, depending on the providers, infrastructure, and fulfillment arrangements used by the business. Where cross-border transfers are subject to GDPR restrictions, they are handled using a recognized transfer mechanism such as adequacy decisions or standard contractual clauses.

11. Data retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including order fulfillment, customer support, subscriptions, security, dispute handling, and legal or accounting compliance. Retention periods may vary depending on the type of data, the purpose of processing, and applicable legal requirements.

12. Your rights

Depending on your location and applicable law, you may have the right to request access to your personal data, request correction of inaccurate or incomplete data, request deletion of your personal data, request restriction of processing, object to certain processing, request data portability, withdraw consent where processing is based on consent, and complain to a relevant supervisory authority.

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before responding to your request.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with Datatilsynet, the Norwegian Data Protection Authority.

13. Children's privacy

Our website and products are not intended for children, and we do not knowingly collect personal data directly from children where doing so would violate applicable law. If you believe a child has provided personal data to us unlawfully, please contact us so we can review and take appropriate action.

14. Security

We use reasonable technical, organizational, and administrative measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. However, no system, website, or transmission method can be guaranteed to be completely secure.

15. Third-party links and services

Our website may contain links to third-party websites, platforms, or services. If you leave our website or interact with a third-party service, that third party may collect and process data under its own terms and privacy notice, and we are not responsible for those independent practices.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our business, our products, our vendors, or our data practices. If we make material changes, we will update the effective date and take any further steps required by law.