At GapSolutions Norge AS and PersonvernPraktikerne.no (org. no. 996 848 639), we are committed to ensuring you know exactly how your personal data is processed. We want to make it as easy as possible for you to understand what data we collect, why we collect it, and how we protect it.
There's a philosophy embedded in our name: we are practitioners. We believe privacy is best when it's built into your existing routines – not as a separate compliance project on the side. That same thinking guides this statement.
Content
- Who is responsible for your personal data?
- What information do we collect — and why?
- Use of systems and suppliers
- How do you withdraw consent?
- How do we protect your personal data?
- How long do we store your personal data?
- Your rights
- Transfer of data outside the EU/EEA
- Right of appeal
- Appendix - Full Supplier Overview with Links
1. Who is responsible for your personal data?
GapSolutions Norge A/S is the data controller for the personal data we collect and use ourselves — typically in connection with marketing, sales, customer follow-up, and general business communication.
GapSolutions Norge A/S is wholly owned by the holding company Erik Net-Working Invest AS (hereinafter ENWIAS). ENWIAS also manages business collaborations with external partners. When we process your data—whether the contact was made through one of these collaborations or directly—GapSolutions Norge A/S is always the data controller.
What we are NOT responsible for
When you as a customer use a software solution that we facilitate or sell licenses for, the vendor of the solution and you as the customer are the parties in the GDPR-related role distribution concerning personal data processed within the solution itself. GapSolutions Norge A/S is then not a party to that processing.
Specifically, that means:
- Personal data that you or your employees enter into a SaaS solution we provide is processed by the solution provider as a data processor, with you as the data controller. A separate data processing agreement will be entered into between you.
- If billing for such solutions goes directly between you and the supplier, then billing data and contact information are also their responsibility in that context – not ours.
- Our role as a distributor or advisor normally does not involve access to personal data within the solution itself—beyond possible user IDs and the like.
Operations and Contact Person
PersonvernPraktikerne is managed daily by Erik Horn. The company occasionally engages external consultants for selected assignments. Erik is your point of contact for all privacy-related inquiries. We have not appointed a dedicated Data Protection Officer (DPO) – as a small business, we are not obligated to do so – but you still have one clear contact person for all your requests.
For questions about how we process your information, you can contact us at:
Email: hei@personvernpraktikerne.no
Phone: +47 922 92 400
We normally reply within three business days, and at the latest within 30 days — which is the deadline GDPR sets for access requests.
2. What information do we collect — and why?
2.1 Purpose of the Processing
We use your information to:
- Send newsletters to those who have consented to this
- Deliver the products and services you have purchased
- Manage your customer relationships or your course attendance
- Follow up on customer and potential customer questions and requests
- Drive sales and meeting bookings towards potential customers in our B2B target group
2.2 What We Collect - Sorted by Legal Basis
Consent (GDPR Article 6(1)(a)):
- When you sign up for our newsletter
- When you consent to marketing cookies via the consent banner
Agreement (GDPR Article 6(1)(b)):
- When purchasing products or services (portal solution, consulting hours, courses)
Legitimate interest (GDPR Article 6(1)(f)):
- When you contact us through the website, email or phone
- When we follow up on previous business contacts via our CRM system
- Contact details from open sources for telemarketing and appointment setting in the B2B segment
Legally required (GDPR Article 6(1)(c)):
- Accounting and invoicing data, stored in accordance with the Norwegian Bookkeeping Act
2.3 We process the following types of personal data
- Name and email — for sending of newsletters and general business contact
- Phone/mobile — when relevant to the customer relationship or business dialogue
- Company name and position — to place the contact in the correct business context
- Course participation — administrative data for managing course progress
- Payment Information — invoice details for service purchase
- Interaction data from the websites — via cookies (only with consent)
- Communication data — when you contact us for support, advice, or inquiries
2.4 In table form
| Purpose | Legal basis | What we process | In which systems |
|---|---|---|---|
| Send newsletters to those who have consented | Consent (Art. 6.1.a) | Name, email | Brevo, Microsoft 365 |
| Deliver the products and services you have purchased | Agreement (Art. 6.1.b) | Name, phone, email, company, position, payment information | Tripletex, Microsoft 365 |
| Manage customer relationships or course participation | Legitimate interest (Art. 6.1.f) | Name, phone, email, company, title | GapPortalen, Twenty CRM, Tripletex, Microsoft 365 |
| Follow-up questions and requests | Legitimate interest (Art. 6.1.f) | Name, phone, email, company | Twenty CRM, Microsoft 365 |
| Sales and meeting booking in the B2B target audience | Legitimate interest (Art. 6.1.f) | Name, phone, email, company, title | Twenty CRM, Bookingkoden, Microsoft 365, Cal.com |
| Accounting and invoicing | Legally required (Art. 6.1.c) | Billing details, payment data | Tripletex |
3. Use of systems and suppliers
To deliver our services, we use several systems and providers. We have consciously chosen EU-based solutions wherever possible and kept the number of providers low.
- GapPortalen (GAPSolutions A/S, Denmark) — The SaaS portal for privacy and GDPR that we provide to Norwegian customers. GAPSolutions A/S is the data controller for the solution itself and uses Hetzner as a subcontractor for data center operations. We normally do not have access to personal data the customer enters into the portal.
- Twenty CRM — self-hosted CRM solution on our own server within the EU/EEA, for contact management
- Brevo — sending of newsletters and promotional emails (EU-based)
- Cal.com — Meeting booking (EU-hosted, integrated with Microsoft 365)
- Bookingkoden — telephone sales and appointment setting in the B2B segment
- Microsoft 365 — email, web meetings, document management
- Tripletex — Accounting and invoicing
- Domeneshop — domain management and administration, email server, and web hosting
- Complianz — handling of cookie consent on websites
- Matomo — Analysis of website traffic, planned self-hosted (with consent only). Implementation in 2026
- BYOD — Apple/Mac/iPhone and Google/Android. Erik primarily uses the Apple ecosystem (Mac, iPhone, iCloud). External consultants may use other platforms, typically Google/Android. Both platforms can therefore handle email and calendar related to our business.
All suppliers are subject to a data processing agreement and have committed to complying with GDPR. A full list with short descriptions and links to the respective privacy policies can be found in the appendix at the bottom.
We do not use Google Analytics, and we do not use Cloudflare. These are conscious choices—we want to keep data flow simpler and closer to the EU than standard setups typically allow.
4. How do you withdraw consent?
If you have consented to receive newsletters from us, you can withdraw your consent at any time by clicking the «Unsubscribe» button at the bottom of the newsletter. You can also send us a short message:
Email: hei@personvernpraktikerne.no
Phone: +47 922 92 400
You can similarly withdraw consent for marketing cookies by clicking on the cookie icon at the bottom of the website and changing your settings.
5. How do we protect your personal data?
We take information security seriously — it's half of our job, after all.
Specifically, that means:
- Access control — only Erik has permanent access to the contact details in Twenty CRM. External consultants can get access for specific assignments, and access is logged
- Encryption — all data is transferred encrypted (HTTPS/TLS) and stored encrypted on servers
- Two-factor authentication — on all administrative accesses
- Backups — daily automatic backup of critical systems
- Self-hosted CRM — Twenty runs on our own server within the EU/EEA, not on a third-party cloud service
- Microsoft 365 with EU data centers — Email and documents are primarily stored within the EU/EEA
We continuously review our security measures and update them as the threat landscape or practices change.
6. How long do we store your personal data?
We store your personal data for as long as it is necessary to fulfill the purposes we have described, or for as long as required by law.
- Customer data — as long as you are a customer with us, and for up to two years after the end of the customer relationship to support follow-up and any potential claims
- Prospect data — two years after last contact, or when the registered person requests deletion
- Accounting data — five years, in accordance with the Norwegian Bookkeeping Act
- Newsletter list — you remain on the list until you unsubscribe. We also consider removing you if you haven't opened a newsletter in six months
- Course participation — two years after completion of the course, for documentation and follow-up
When the storage period expires, we delete the data—or anonymize it if we need to retain aggregated statistics.
7. Your Rights
You have several rights regarding your personal data:
- Access — you can ask to know what information we have about you
- Correction — you can request that incorrect information be corrected
- Deletion — you can request that information that is no longer necessary be deleted
- Restriction — you can request that processing be restricted while a case is being clarified
- Objection — you can object to processing based on legitimate interest
- Data portability — you can request your data be transferred to another provider. Since we primarily only process contact details, this will rarely be practically relevant
To exercise these rights, contact us at hei@personvernpraktikerne.no. We will respond within three business days, and no later than 30 days.
8. Transfer of data outside the EU/EEA
We generally do not transfer personal data outside the EU/EEA. All data is stored and processed primarily in Norway or within the EU/EEA.
In some cases, situations may arise where data is temporarily transferred outside the EU/EEA — for example, for technical support from vendors located outside the EU/EEA. In such cases, we ensure that the necessary safeguards are in place (typically the EU Commission's Standard Contractual Clauses, SCCs) that provide a level of protection equivalent to that required by GDPR.
Microsoft 365, Apple/iCloud, and Google may in some cases process data outside the EU/EEA. All have their own mechanisms for lawful transfer as described in their respective privacy policies (links in appendix).
9. Right of Appeal
If you believe we are not processing your information in accordance with the law, you can complain to the Norwegian Data Protection Authority:
The Norwegian Data Protection Authority
postkasse@datatilsynet.no
+47 22 39 69 00
datatilsynet.no
We appreciate you bringing any concerns to us first – that way, we can usually resolve them without them escalating.
Do you have questions?
If you have any questions about how we process your personal data, or wish to exercise your rights, please feel free to contact us. We are available to help.
GapSolutions Norge A/S
PersonvernPraktikerne.no
Appendix — Supplier Overview
| Supplier | What they do for us | Personal data processed | Privacy Policy |
|---|---|---|---|
| GAPSolutions A/S (DK) | Delivers GapPortalen, which we market to Norwegian customers. Processes portal customers' own data directly with the customer. Uses Hetzner as a subcontractor for data center operations. | Contact information between our companies | gapsolutions.dk/privacy-policy/ |
| Twenty | Self-hosted CRM system on our own server within the EU/EEA | Contact information, email, interaction data | twenty.com/legal/privacy |
| Brevo | Sending of newsletters and campaign emails | Name, email, click data | brevo.com/legal/privacypolicy/ |
| Cal.com | Meeting booking | Name, email, meeting information | cal.com/privacy |
| Bookingkoden | Telemarketing and appointment setting in the B2B segment | Prospect personal data (CRM) | bookingkoden.no/privacy |
| Microsoft 365 | Email, web meetings, document management | Email, document content, calendar data | privacy.microsoft.com |
| Tripletex | Accounting and Invoicing | Billing details, contact information | tripletex.no/privacy-policy/ |
| Domeneshop | Domain, email, and web hosting management | Contact information, technical information (IP addresses) | domene.shop/terms#privacy |
| Complianz | Cookie Consent Management on Websites | Technical data, consent status | complianz.io/privacy-statement/ |
| Matomo | Website traffic analysis (self-hosted, scheduled 2026) | Anonymized IP, page visits, click data | matomo.org/privacy-policy/ |
| Apple/iCloud | Mac, iPhone, email, calendar, office support (BYOD) | Email, calendar data, contact information | apple.com/legal/privacy/no/ |
| Google | Android phone, email, calendar, office support (BYOD) | Email, calendar data, contact information | policies.google.com/privacy |
Version log
Version 3.0 - effective from 2026-04-27
Changes from v2.5: updated vendor list (HubSpot → Twenty, Cookie Information → Complianz, WPMUDEV → Domeneshop, Cloudflare and Webberne removed, Brevo, Cal.com, Matomo added, Google mentioned as BYOD platform). LinkedIn removed from vendor overview — Erik's LinkedIn profile is a personal account, not part of the company's personal data processing. Contact address updated to hei@personvernpraktikerne.no, clarified ENWIAS role, new visual presentation with table of contents. Wittario is not included in this version — will be added when the course platform is actively used.
Previous versions: v2.5 — effective as of 2024-10-29 | v1.21 — previous version