Privacy Policy

Øyo AS
Last updated: 2026

We are committed to protecting both our customers and their personal data. This privacy policy explains what information we collect when you visit our website, shop in our online store, or sign up for our newsletter, why we do so, and what rights you have.

We strive to make this as simple and straightforward as possible. If you have any questions about how we process personal data, you are always welcome to contact us.

1. Data Controller

The data controller for the personal data collected on oeyo.no is:

Øyo AS

Org. no.: 917 516 197

Øyovegen 32, N-3580 Geilo, Norway

Tel.: +47 32 09 09 11

Email: [email protected]

2. What personal data do we collect?

2.1 Visitor Data and Website Statistics

When you visit oeyo.no, we automatically collect the following information:

  • IP address

  • Browser type (e.g., Chrome, Safari) and operating system

  • Geographic location (country/region, based on IP address)

  • Pages visited, time spent, and navigation patterns

  • Interactions with advertisements (clicks, views)

2.2 Purchase and Customer Data

When making a purchase in the online store, we collect:

  • Name and contact information

  • Delivery and billing address

  • Order details and purchase history

  • Payment information – This is processed directly by our payment providers (Klarna, Vipps, card payment) and is not stored by us

2.3 Newsletter and Marketing

If you sign up for our newsletter, we collect your email address and, if provided, your name. You can unsubscribe at any time via the unsubscribe link included in the emails.

2.4 Social Media

We may receive information about you when you interact with us via Facebook or Instagram, for example through ad clicks or purchases via social media platforms. This information is processed in accordance with Meta Platforms' terms and conditions.

3. Legal Basis for Processing

We process personal data on the following legal bases in accordance with GDPR Article 6:

Website statistics and analysis (Google Analytics)

  • Legal basis: Legitimate interest

  • GDPR Article: Art. 6(1)(f)

Processing and fulfilling orders and deliveries

  • Legal basis: Performance of a contract

  • GDPR Article: Art. 6(1)(b)

Invoicing and accounting obligations

  • Legal basis: Legal obligation

  • GDPR Article: Art. 6(1)(c)

Newsletters and email marketing

  • Legal basis: Consent

  • GDPR Article: Art. 6(1)(a)

Ad targeting (Meta Pixel)

  • Legal basis: Consent

  • GDPR Article: Art. 6(1)(a)

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of the processing carried out prior to its withdrawal.

4. Purpose of Processing

We use the personal data to:

  • Operate, maintain, and improve the website and user experience

  • Process, fulfill, and send notifications regarding orders and deliveries

  • Handle returns, complaints, and customer service

  • Send newsletters and marketing communications (only with consent)

  • Analyze and improve social media advertising

  • Fulfill legal obligations, including accounting legislation

5. Cookies

We use cookies on oeyo.no. These cookies help us analyze website usage and personalize marketing. The following types of cookies are used:

  • Necessary cookies: Ensure basic functionality such as the shopping cart and site navigation. These cannot be disabled.

  • Statistics cookies: Collect anonymized data about visits via Google Analytics 4 to provide us with insights into traffic and usage patterns.

  • Marketing cookies: Track behavior for ad targeting via Meta Pixel (Facebook/Instagram).

You can manage or withdraw your consent for non-necessary cookies via our cookie banner, or by changing your browser settings.

6. Third Parties and Data Processors

We share personal data with the following third parties who process data on our behalf. We enter into data processing agreements (DPAs) with all suppliers. We never sell your personal data.

Google LLC (Google Analytics 4)

  • Purpose: Website analysis and traffic measurement

  • Country: USA

  • More info: policies.google.com/privacy

Meta Platforms, Inc. (Meta Pixel)

Centra / Rule Communication AB

  • Purpose: Email marketing and newsletters

  • Country: Sweden (EEA)

  • More info: rule.se

Klarna AB

  • Purpose: Payment processing (invoice, installment plans)

  • Country: Sweden (EEA)

  • More info: klarna.com/no

Vipps MobilePay AS

  • Purpose: Payment processing

  • Country: Norway (EEA)

  • More info: vipps.no

Klarna (Card Payment Provider*)

  • Purpose: Card payments

  • Country: Sweden (EEA)

  • More info: klarna.com/no

Posten Norge AS / Bring

  • Purpose: Delivery and shipping

  • Country: Norway (EEA)

  • More info: bring.no

PostNord AB

  • Purpose: Delivery and shipping

  • Country: Sweden (EEA)

  • More info: postnord.no

7. Transfer of Data Outside the EEA

Google LLC and Meta Platforms, Inc. are located in the USA. Data is transferred to these companies on the basis of the EU-U.S. Data Privacy Framework (DPF), which the EU Commission has approved as providing an adequate level of protection (decision of July 10, 2023).

All other data processors are located within the EEA and are subject to EU data protection regulations.

You can read more about data processing at Google at policies.google.com/privacy and at Meta at facebook.com/privacy/policy.

8. Retention Period

We only retain personal data for as long as necessary to fulfill the specified purposes, or as required by law:

Customer data and order history

Retention period: 5 years after the last purchase (the Norwegian Accounting Act § 13)

Newsletter subscription

Retention period: Until you unsubscribe or withdraw your consent

Website statistics (Google Analytics)

Retention period: 14 months (standard GA4 setting)

Meta Pixel data

Retention period: In accordance with Meta's guidelines (typically 180 days)

Contact inquiries

Retention period: 3 years after the dialogue has ended

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Access (Art. 15): You can request access to the personal data we have registered about you.

Rectification (Art. 16): You can request that inaccurate or incomplete information be corrected.

Erasure (Art. 17): Under certain circumstances, you can request that we delete your data ("the right to be forgotten"). Please note that we may be required by law to retain certain information, e.g., for accounting reasons.

Restriction of processing (Art. 18): You can request that the processing of your data be restricted while a dispute is being investigated.

Data portability (Art. 20): You can request to receive your data in a structured, commonly used, and machine-readable format.

Objection (Art. 21): You can object to processing that is based on our legitimate interest.

Withdrawal of consent (Art. 7): If the processing is based on your consent, you can withdraw this consent at any time.

To exercise any of your rights, please send an inquiry by email to [email protected] or by post to our address. We will respond within 30 days.

10. Right to Complain to the Norwegian Data Protection Authority

If you believe that we are processing your personal data in violation of data protection regulations, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet

P.O. Box 458 Sentrum, 0105 Oslo, Norway

www.datatilsynet.no

11. Changes to this Policy

Øyo may update this privacy policy as needed. In the event of significant changes, we will notify you via our newsletter, social media channels, or directly by email. The date of the last update is always indicated at the top of the document. We recommend that you check this page regularly.

12. Contact Us

Do you have questions about privacy or wish to exercise your rights?

Contact us:

Øyo AS

Øyovegen 32, N-3580 Geilo, Norway

Tel.: +47 32 09 09 11

Email: [email protected]