Privacy Policy for Bartstua AS
Last updated 15 July 2025
1. Who is the Data Controller
Bartstua AS (org. no. 927 525 348) has overall responsibility for the processing of your personal data.
- Address: Grottenveien 10, 1177 Oslo
- Email: support@stu.no
Bartstua is not required to appoint a data protection officer. All privacy inquiries are answered through the addresses above.
2. Which personal data we process – why and for how long
| Type of data | Purpose | Legal basis | Retention period* |
|---|---|---|---|
| Name, phone, email | Manage booking, membership and gift cards | Contract (GDPR Art. 6 (1)(b)) | 5 years after the last active customer relationship |
| Payment and transaction data | Invoicing and accounting | Legal obligation (Bookkeeping Act) Art. 6 (1)(c) | 5 years plus the current year |
| Newsletter consent | Send newsletters and campaigns | Consent Art. 6 (1)(a) | Until consent is withdrawn |
| Analytics and user data | Improve the website | Consent or legitimate interest, see section 7 | See the cookie matrix |
| Support inquiries | Answer questions and complaints | Legitimate interest Art. 6 (1)(f) | 2 years from last contact |
*Data may be stored longer if necessary for legal claims.
3. Where the data come from
We receive data directly from you when you book, register or contact us. Analytics and marketing data are collected via cookies, see section 7.
4. Sharing of data and transfer outside the EEA
| Category | Provider | Purpose |
|---|---|---|
| Booking system | LatePoint (USA)* / Twilio (USA)* | Manage bookings |
| Payment | Stripe Payments Europe | Card and mobile payment |
| Email/newsletter | Mailchimp (Intuit Inc., USA)* | Sending newsletters |
| Analytics | Google Tag Manager* / Google Analytics* / Microsoft Clarity* | Statistics on website use |
| Marketing | Meta Pixel* / Google Ads* | Targeted advertising |
| Consent management | CookieYes (CookieYes Limited, UK) | Handle cookie banner and log consent |
*Services marked with an asterisk involve transfer to the USA based on the Data Privacy Framework or SCC. The UK currently has a valid adequacy decision.
5. Storage and security
All traffic is encrypted (TLS). Access is role‑ and need‑based. Regular backups are taken, and employees and processors are subject to confidentiality.
6. Automated decisions and profiling
We make no automated decisions that have legal effect or similarly significant impact on you.
7. Cookies
From 1 January 2025, section 3‑15 of the Electronic Communications Act requires active, voluntary and unambiguous consent for all non‑essential cookies. We use CookieYes to display a banner with the choices “Accept all”, “Necessary only” or “Decline”. You can change your choice at any time via “Cookie settings”.
Cookie matrix
| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| CookieLawInfoConsent | CookieYes | Stores overview of consent status | 11 months | First‑party |
| viewed_cookie_policy | CookieYes | Stores your consent choice | 11 months | First‑party |
| cookielawinfo-checkbox-necessary | CookieYes | Stores choice about necessary cookies | 11 months | First‑party |
| cookielawinfo-checkbox-functional | CookieYes | Stores choice about functional cookies | 11 months | First‑party |
| cookielawinfo-checkbox-performance | CookieYes | Stores choice about performance cookies | 11 months | First‑party |
| cookielawinfo-checkbox-analytics | CookieYes | Stores choice about analytics cookies | 11 months | First‑party |
| cookielawinfo-checkbox-advertisement | CookieYes | Stores choice about marketing cookies | 11 months | First‑party |
| _ga | Google Analytics | Distinguishes unique users | 2 years | First‑party |
| _ga_* | Google Analytics | Preserves session state | 2 years | First‑party |
| _gid | Google Analytics | Distinguishes users | 24 h | First‑party |
| _gcl_au | Google Ads | Stores and tracks conversions | 90 days | First‑party |
| _fbp | Meta Pixel | Stores and tracks visits to the site | 90 days | First‑party |
| _clck | Microsoft Clarity | Preserves Clarity user ID and preferences | 1 year | First‑party |
| _clsk | Microsoft Clarity | Links multiple page views to one session | 24 h | First‑party |
| CLID | Microsoft Clarity | Identifies the first time Clarity observed the user | 1 year | Third‑party |
| ANONCHK | Microsoft Clarity | Checks whether MUID is transferred to ANID (advertising) | 10 min | Third‑party |
| MR | Microsoft Clarity | Determines whether MUID should be updated (advertising) | 7 days | Third‑party |
| MUID | Microsoft Clarity | Unique browser ID for analytics and advertising | 1 year 24 days | Third‑party |
| SM | Microsoft Clarity | Synchronizes MUID across Microsoft domains | Session | Third‑party |
Necessary cookies are always set. Others require consent. Declining does not affect the booking function but may reduce personalisation.
8. Your rights
- Access to your own data
- Rectification of incorrect data
- Deletion or restriction where the law allows
- Data portability
- Objection to processing based on legitimate interest or marketing
- Withdrawal of consent at any time
Inquiries: support@stu.no. We reply within 30 days.
9. Right to complain
You can complain to the Norwegian Data Protection Authority, PO Box 458 Sentrum, 0105 Oslo, www.datatilsynet.no.
10. Changes to the policy
Material changes will be announced on stu.no.