Privacy Policy

Xmaskalender respects your privacy and is committed to protecting your personal information in accordance with GDPR (General Data Protection Regulation) and applicable data protection laws. This privacy policy explains how we collect, use, store, and share your information when you use our service.

Data controller for personal information: • Company: Xmaskalender AS • Organization number: 123 456 789 • Address: [Your address] • Email: [email protected] • Phone: +47 123 45 678 Data Protection Officer: [Name] Email: [email protected]

We collect the following types of personal information: • Contact information: Name, email address, phone number, postal address • Company information: Company name, organization number, billing address • User data: Login, activity on the platform, preferences • Technical data: IP address, browser, device, operating system • Payment data: Payment information (handled by Stripe) • Communication: Email correspondence, customer support • Cookies: See our cookie policy below

We process your personal information for the following purposes: • Deliver and improve our service (legitimate interest) • Handle customer support and communication (legitimate interest) • Billing and payment processing (contract) • Ensure platform security and prevent abuse (legitimate interest) • Comply with legal obligations (legal obligation) • Marketing and communication (consent) • Analysis and statistics (consent) • Content personalization (consent)

We process your personal information based on: • Consent (GDPR Article 6(1)(a)): For marketing, analysis, and personalization • Contract (GDPR Article 6(1)(b)): To deliver the service and handle payments • Legitimate interest (GDPR Article 6(1)(f)): For security, customer support, and service improvement • Legal obligation (GDPR Article 6(1)(c)): For accounting and other legal requirements You can withdraw your consent at any time by contacting us.

We share your personal information with: • Service providers: - Stripe (payment processing) - Vercel (hosting and CDN) - Google Analytics (web analytics) - Email providers (SendGrid, Mailchimp) • Public authorities: When required by law • Legal authorities: Upon legal request All service providers have data processing agreements and process data in accordance with GDPR.

Some of our service providers may be located outside the EEA: • USA: Stripe, Google Analytics, Vercel • Security mechanisms: - EU Standard Contractual Clauses (SCCs) - Adequacy decisions where available - Appropriate safeguards for privacy We ensure all transfers comply with GDPR Chapter V.

We store your personal information for the following periods: • Customer data: As long as you are a customer + 3 years for accounting • Marketing data: Until consent is withdrawn • Technical data: Maximum 2 years • Payment data: 5 years (accounting law) • Support data: 3 years after last contact • Cookies: See cookie policy for details Data is automatically deleted when the storage period expires.

You have the following rights: • Access (Article 15): Get a copy of your personal information • Rectification (Article 16): Correct inaccurate information • Erasure (Article 17): Delete your information • Restriction (Article 18): Restrict processing of information • Data portability (Article 20): Transfer data to another provider • Object (Article 21): Object to processing • Withdraw consent: At any time without affecting lawful processing • Automated decisions (Article 22): Not subject to automated decisions Contact us to exercise your rights.

We do not use automated decisions or profiling that significantly affects you. Any algorithms are used only to improve user experience and personalize content, but do not affect your rights or opportunities.

We implement the following security measures: • Encryption: All data encrypted in transit and at rest • Access control: Limited access on a need-to-know basis • Regular security updates • Backup and recovery • Secure development and testing • Monitoring and logging of security events • Employee security and training We have implemented technical and organizational measures to protect your information.

We use cookies and similar technologies: • Necessary cookies: For basic functionality • Functional cookies: To remember your preferences • Analytical cookies: Google Analytics for web analytics • Marketing cookies: For targeted advertising You can control cookie settings via our consent manager or browser settings. Read more in our cookie policy.

If you believe we process your personal information in violation of privacy regulations, you can: 1. Contact us first: [email protected] 2. Complain to the Data Protection Authority: - Email: [email protected] - Phone: +47 22 39 69 00 - Address: Postboks 458 Sentrum, 0105 Oslo We will handle all complaints promptly and in accordance with GDPR.

For questions about privacy or to exercise your rights: • Email: [email protected] • Phone: +47 123 45 678 • Mail: [Your address] • Data Protection Officer: [email protected] We respond to all inquiries within 30 days in accordance with GDPR.