Privacy Policy

Introduction and Data Controller Information

NRWY AS is committed to protecting your personal data. We design and manage private travel experiences across the Nordic region and handle all personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

NRWY AS, based in Bergen, Norway, acts as the Data Controller for all personal data collected through our website and service interactions.

For privacy-related inquiries, contact us at: hello@nrwy.no

Information Collection: Categories and Methods

We collect personal data only when provided directly by you or your authorized representative. We do not purchase data or track you across other websites.

We collect data for the following purposes:

• Contact and enquiry formsName, company or agency (if applicable), email, phone number, and travel details.
• Journey design and operationsTraveler names, dates of birth, and addresses required to arrange services.
• Special requirementsHealth, dietary, or accessibility information only when necessary to deliver services safely. This data is handled with additional care.
• Newsletter subscriptionsEmail address and record of consent.
• Website analyticsWe use Google Analytics 4 to understand general website usage. Data is anonymized. IP addresses are not stored in identifiable form.

Legal Basis for Processing

We process personal data based on the following legal grounds:

• Enquiries and journey designLegitimate Interest. You contact us, and we respond to provide the requested service.
• Special requirementsExplicit Consent under Article 9 GDPR.
• Newsletter subscriptionsExplicit Consent.
• Website analyticsConsent via cookie banner.

Data Sharing and Third-Party Processors

We share necessary data with selected suppliers to deliver travel services. This includes hotels, transport providers, and guides. Only essential data is shared.

We use the following processors:

• NetlifyWebsite hosting and form handling. Data may be stored in the United States. Transfers are protected through Standard Contractual Clauses (SCCs).
• Google AnalyticsProcesses anonymized usage data under GDPR-compliant agreements.

Data Retention

We retain data only as long as necessary:

• Enquiry dataUp to three years after last contact.
• Newsletter dataUntil you unsubscribe or request deletion.
• Analytics dataAccording to Google Analytics settings.

Data Security

We apply appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse.

Our practices comply with the Norwegian Personal Data Act and GDPR.

Cookies

We use limited cookies for analytics purposes.

• Analytics cookiesOnly activated with your consent.
• Preference storageIf you decline cookies, your choice is stored locally in your browser.
• Managing preferencesYou can reset preferences by clearing local storage for nrwy.no.

Your Rights

You have the following rights under GDPR:

• Access your data
• Correct inaccurate data
• Request deletion
• Request data portability
• Object to processing
• Withdraw consent at any time

We respond to requests within 30 days.

Supervisory Authority

If you believe your data is not handled correctly, you may contact the Norwegian Data Protection Authority:

Datatilsynet
datatilsynet.no

Updates and Contact

We may update this policy from time to time. Significant changes will be communicated where relevant.

For questions or requests: