Nordic Curator
Plan my trip
Privacy

Privacy policy.

How we collect, use and protect the information you share when planning a Norway journey with us.

Last updated: 12 April 2026 · Governing law: Norway · Supervisory authority: Datatilsynet

In short
  • We collect only the information you give us in a trip-planning enquiry - and use it only to reply to you and, if you proceed, to introduce you to the Norwegian operator who will run your journey.
  • We do not sell, share or rent contact data to anyone.
  • We do not run ad-retargeting pixels. We do not run a marketing mailing list.
  • Our website analytics are cookieless by default (consent-managed) and stripped of personal identifiers.
  • You have the full set of GDPR rights, including access, correction, deletion and a complaint to the Norwegian Data Protection Authority (Datatilsynet).

1. Who we are

Nordic Curator is an editorial travel referral studio operated by Nordic Curator AS, a Norwegian company registered in Oslo (organization number on request). For the purpose of European data protection law, we are the data controller for the personal data you share with us through this website and our subsequent correspondence.

Contact for privacy matters: hello@nordiccurator.com

2. What we collect

We deliberately keep the data we hold to the minimum that lets us do our work. There are three categories:

  • Trip-planning data you give us. Your name, email, the dates and region you have in mind, the kind of journey you want, the number of travelers, dietary or accessibility requirements you mention, and any free-text notes you write in the enquiry form.
  • Technical data automatically collected by our hosting. Your IP address (held briefly for security/abuse-prevention by Cloudflare, our edge host), your browser type and your approximate country - used to deliver the right regional content. We do not store this data ourselves.
  • Aggregate website analytics. Page views, referring source, anonymous device class. We use Plausible Analytics (cookieless, no personal identifiers) and Google Analytics 4 in cookieless Consent Mode v2 (no advertising or personalisation signals are sent).

We do not collect passport numbers, payment-card data, or any special-category data (health, religion, political opinions). If a Norwegian operator we introduce you to needs that information for the booking, you provide it to them directly, under their own terms.

3. Why we hold it (lawful basis)

Under GDPR Article 6, our processing rests on:

  • Pre-contractual interest (Art. 6(1)(b)). When you ask us to plan a journey, we use your data to respond to the enquiry - this is processing necessary to take steps at your request before entering into a contract with the Norwegian operator we introduce you to.
  • Legitimate interest (Art. 6(1)(f)). For aggregated website analytics, for protecting our website against abuse, and for keeping a record of our editorial referrals (which is also how we are paid). Our interest is balanced against your rights; you can object at any time.
  • Consent (Art. 6(1)(a)). Where we ever ask for it specifically - currently only for non-essential cookies, where we default to denied unless you opt in.

4. Who we share it with

We share the minimum needed, with two narrow groups:

  • The Norwegian operator you choose. When you accept a recommendation and we make the introduction, we send the operator your name, contact details, and the relevant trip context (dates, group size, dietary or accessibility notes). They take over as the data controller from that point and operate under their own terms.
  • Technical processors. Resend (transactional email), Supabase (database hosting in the EU), Cloudflare (edge hosting and security), Plausible Analytics (EU-hosted, cookieless), Google Analytics 4 (cookieless mode), and our chat-assistant provider for the on-page conversation. Each operates under a written data-processing agreement.

We do not sell, rent, or share your data with advertisers, marketing networks, list brokers, or any third party for their own use.

5. How long we keep it

  • Active enquiries: retained for up to 24 months from your last contact, in case you come back to plan.
  • Completed bookings: retained as a referral record for up to 5 years, as required by Norwegian commercial accounting law (Bokføringsloven).
  • Server logs: typically 30 days, longer only for active security investigations.
  • Aggregate analytics: retained indefinitely in anonymised form (no personal identifiers).

6. International transfers

Our infrastructure is hosted in the European Economic Area where possible. Where a processor is established outside the EEA (for example, certain Cloudflare and Google services), the transfer is covered either by an EU adequacy decision or by Standard Contractual Clauses with appropriate supplementary measures, as required following the Schrems II ruling. We use IP-hashing on stored consent records as a Schrems II-aligned safeguard.

7. Your rights

Under GDPR Articles 15-22 and the Norwegian Personal Data Act (Personopplysningsloven), you have the right to:

  • Access the personal data we hold about you.
  • Correct any data that is wrong or out of date.
  • Delete your data ("the right to be forgotten"), subject to legal record-keeping obligations.
  • Restrict or object to processing where we rely on legitimate interest.
  • Data portability - to receive a machine-readable copy of the data you have given us.
  • Withdraw consent at any time where consent is the lawful basis.

To exercise any of these rights, email hello@nordiccurator.com. We aim to respond within five working days and at the latest within the 30-day GDPR window.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe we have handled your data improperly.

8. Cookies and tracking

This site uses the minimum technical cookies needed for basic functionality (for example, remembering your preferred currency and region). All analytics scripts run in cookieless Consent Mode v2 by default - that is, no personal identifiers, no advertising signals and no cross-site tracking unless you specifically opt in.

We do not use Meta Pixel, Google Ads remarketing, or any other ad-retargeting technology.

9. Children

Our service is intended for adults planning travel. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal information, please contact us so we can delete it.

10. Changes to this policy

We will update this policy from time to time, particularly as we add features or change processors. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be highlighted at the top of the page for at least 30 days.

Questions?

Write to hello@nordiccurator.com and we will respond within five working days.