PRIVACY POLICY

FRAMTours – Operated by Arctic Tours AS
Last updated: 20.02.2026

1. Data Controller

This website and the services marketed under the brand FRAMTours are operated by:

Arctic Tours AS
Organization Number: NO 936 276 652
Registered in Norway
Email: info@framtours.net
Website: www.framtours.net

Arctic Tours AS (“Company”, “we”, “us”, “our”) acts as the Data Controller for the processing of personal data described in this Privacy Policy pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”) and applicable Norwegian data protection legislation.

2. Scope of This Policy

This Privacy Policy applies to personal data collected through:

• Our website
• Online booking system
• Contact forms
• Newsletter subscriptions
• Direct communications with customers
• Cookies and tracking technologies

3. Categories of Personal Data Processed

We may process the following categories of personal data:

3.1 Identification and Contact Data

• Full name
• Email address
• Telephone number
• Residential address
• Nationality
• Date of birth

3.2 Booking and Travel Data

• Passport information (where required)
• Emergency contact details
• Special requests (including dietary or medical information voluntarily provided)
• Travel preferences
• Booking history

3.3 Financial Data

Payments are processed via Stripe. We do not store full credit card information, but we may process:

• Billing address
• Transaction confirmation details
• Payment status

3.4 Marketing Data

• Newsletter subscription information
• Marketing preferences
• Interaction with marketing communications

3.5 Technical and Usage Data

Collected via cookies and similar technologies:

• IP address
• Browser type and version
• Device type
• Operating system
• Website usage data
• Referral URLs
• Interaction with advertising campaigns

4. Legal Bases for Processing (Article 6 GDPR)

We process personal data on the following legal bases:

4.1 Performance of a Contract (Art. 6(1)(b) GDPR)

Processing necessary to:

• Administer bookings
• Provide travel services
• Communicate pre- and post-trip information
• Manage payments

4.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

Processing required to:

• Fulfill accounting and tax obligations under Norwegian law
• Respond to lawful requests from public authorities

4.3 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for:

• Fraud prevention
• IT security
• Business administration
• Improving website functionality and services

Such processing is carried out only where our legitimate interests are not overridden by your fundamental rights and freedoms.

4.4 Consent (Art. 6(1)(a) GDPR)

Processing based on consent includes:

• Newsletter marketing
• Use of non-essential cookies
• Behavioral advertising (Meta Pixel)

Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

5. Payment Processing

Payments are processed through Stripe Technology Europe Ltd. Stripe acts as an independent data controller for payment transactions and processes personal data in accordance with its own privacy policy and applicable data protection laws.

We do not store full card details on our systems.

6. Booking Management System

We use Rezdy Pty Ltd. as our booking platform and reservation management system. Personal data necessary to process and manage reservations is transferred to Rezdy pursuant to a Data Processing Agreement compliant with GDPR requirements.

7. Cookies and Tracking Technologies

We use cookies and similar technologies, including:

• Google Analytics (website analytics)
• Meta Pixel (advertising and remarketing)

These tools may involve the collection of online identifiers and behavioral data.

Non-essential cookies are deployed only after obtaining valid user consent via our cookie management platform.

You may manage cookie preferences at any time.

8. International Transfers of Personal Data

Given the international nature of our services (including customers located in the UK, USA, China, and other jurisdictions), personal data may be transferred outside the European Economic Area (EEA).

Where such transfers occur, we ensure appropriate safeguards are implemented, including:

• European Commission Standard Contractual Clauses (SCCs)
• Transfers to countries subject to an adequacy decision
• Additional technical and organizational safeguards where necessary

9. Data Retention

Personal data shall not be retained longer than necessary for the purposes for which it was collected.

Retention periods include:

• Booking and accounting data: up to 5 years (in accordance with Norwegian accounting regulations)
• Marketing data: until consent is withdrawn
• Analytics data: according to configured retention settings

Upon expiration of the applicable retention period, data will be securely deleted or anonymized.

10. Data Subject Rights

Pursuant to GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase personal data (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent (Art. 7(3))

Requests may be submitted to: [Insert Contact Email]

You also have the right to lodge a complaint with:

Datatilsynet (Norwegian Data Protection Authority)
www.datatilsynet.no

11. Security Measures

We implement appropriate technical and organizational security measures including:

• SSL encryption
• Secure hosting infrastructure
• Access control policies
• Data processing agreements with service providers
• Regular system updates and monitoring

While we take reasonable steps to protect personal data, no transmission over the Internet can be guaranteed as entirely secure.

12. Third-Party Recipients

Personal data may be disclosed to:

• Payment processors (Stripe)
• Booking system providers (Rezdy)
• Analytics providers (Google)
• Advertising partners (Meta Platforms Ireland Ltd.)
• IT service providers
• Accountants, auditors, and legal advisors
• Public authorities where legally required

All third parties are contractually obligated to process personal data in compliance with applicable data protection legislation.

13. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects concerning you.

14. Children

Our services are not directed at individuals under the age of 16 without parental consent. Where required, parental authorization must be provided.

15. Amendments

We reserve the right to amend this Privacy Policy at any time. Updates will be published on this page and take effect upon publication.