Privacy Policy for Bartstua AS
Last updated: December 6, 2025
1. Data Controller
Bartstua AS (org. no. 927 525 348) is responsible for the processing of your personal data.
Address: Grottenveien 10, 1177 Oslo, Norway
E-mail: support@stu.no
Bartstua is not required to appoint a Data Protection Officer (DPO). All inquiries regarding privacy should be directed to the contact details above.
2. Personal data we process – purpose and retention
| Type of Data | Purpose | Legal Basis | Retention Period* |
|---|---|---|---|
| Name, phone, e-mail | Administer bookings, memberships, and gift cards | Contract (GDPR Art. 6 (1)(b)) | 5 years after the last active customer relationship |
| Payment and transaction data | Invoicing and accounting | Legal obligation (Accounting Act) Art. 6 (1)(c) | 5 years plus the current year |
| Newsletter consent | Sending newsletters and campaigns | Consent Art. 6 (1)(a) | Until consent is withdrawn |
| Analysis, marketing, and user data | Website improvement, statistics, and targeted advertising (incl. social media) | Consent (GDPR Art. 6 (1)(a)) | See detailed overview in cookie settings on the website |
| Support inquiries | Answering questions and complaints | Legitimate interest Art. 6 (1)(f) | 2 years from last contact |
*Data may be stored longer if necessary for legal claims.
3. Where we collect data from
We receive data directly from you when you book, register, or contact us.
Use of tracking technology:
We use a combination of traditional cookies (in your browser) and server-side technology (via API). This means that information about how you use the website can be sent to us both directly from your device and via our servers. The purpose of this is to ensure that the data basis for analysis and marketing is as accurate as possible.
4. Sharing of information and transfers outside the EEA
We never sell your personal data. We share data with the following categories of vendors to deliver our services:
- Booking System: LatePoint (USA)* / Twilio (USA)* – Administering bookings and SMS.
- Payment: Stripe Payments Europe – Card and mobile payments.
- E-mail/Newsletter: Mailchimp (Intuit Inc., USA)* – Sending newsletters.
- Analysis: Google Tag Manager* / Google Analytics* / Microsoft Clarity* – Website usage statistics.
- Marketing: Meta Pixel* / Google Ads* / TikTok (ByteDance) – Targeted advertising and conversion tracking.
- Consent Management: CookieYes (CookieYes Limited, UK) – Managing cookie banners and logging consent.
*Marked services involve transfer to countries outside the EEA (mainly the USA). For companies in the USA, the “EU-US Data Privacy Framework” is used where the company is certified. For other transfers (e.g., TikTok), EU Standard Contractual Clauses (SCC) are used to ensure a valid transfer basis.
5. Storage and Security
All traffic is encrypted (TLS). Access is role-based and on a need-to-know basis. Regular backups are performed, and employees and data processors are subject to a duty of confidentiality. We use modern technology, including server-side integrations, to ensure robust and secure handling of data transfers.
6. Automated decision-making and profiling
We do not make automated decisions that have legal effects or similarly significant effects on you. However, we use profiling for marketing purposes (e.g., via TikTok or Meta) to show you relevant ads based on your visit to us, provided you have consented to marketing cookies.
7. Cookies
From January 1, 2025, the Electronic Communications Act (ekomloven) § 3-15 is strictly enforced, and we require active, voluntary, and unambiguous consent for all non-necessary cookies.
We use CookieYes to manage consents. Instead of a static list here that may quickly become outdated, we refer to the cookie banner on our website for an always up-to-date overview.
How to see which cookies we use:
You can click on “Cookie Settings” (often a small icon at the bottom corner of the website) at any time to:
- See a complete list of all cookies (including TikTok, Google, Meta, etc.).
- See the purpose of each individual cookie and provider.
- See retention period/expiry date.
- Change or withdraw your consents.
Necessary cookies are always set for the website to function. Other cookies (analysis and marketing) are optional. Declining does not affect your ability to book an appointment but may reduce the user experience.
8. Your Rights
In accordance with the General Data Protection Regulation (GDPR), you have the right to:
- Access your own information.
- Rectification of incorrect data.
- Erasure or restriction where permitted by law.
- Data portability (receive data in a machine-readable format).
- Object to processing based on legitimate interest or marketing.
- Withdraw consent at any time (done via cookie settings for website tracking, or via link in newsletters).
Inquiries should be directed to: support@stu.no. We will respond within 30 days.
9. Right to Complain
If you believe we are not complying with privacy legislation, you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet), P.O. Box 458 Sentrum, 0105 Oslo, www.datatilsynet.no.
10. Changes to this Policy
Significant changes will be notified via e-mail or on stu.no before they take effect.
By using our services, you confirm that you have read and understood this privacy policy.