Privacy Policy
Last updated: 21 January 2026
This Privacy Policy explains how Syntheva AS (“we”, “us”, “our”) collects and uses personal data when you use shop.syntheva.no (the “Website”), create an account, or place an order.
Who we are (Data Controller)
Controller: Syntheva AS
Address: PO Box 77, Orkanger, Norway
Email: info@syntheva.no
What personal data we collect
- Data you provide
Account data: name, email address, password (stored as a secure hash, not plaintext), and account-related settings.
Order data (guest or account): name, billing/shipping address, email, phone number (if provided), items purchased, order notes, and order history.
Support data: messages you send us and any information you include.
- Data collected automatically
Technical/security data: IP address and basic access logs (e.g., timestamps, pages requested) used for security, troubleshooting, and fraud prevention.
Session/cart data: essential first-party cookies / session identifiers used to keep your cart and login working (see our Cookie Policy).
- Payment data
Payments are processed by Stripe. We do not store full payment card details on our servers. Stripe processes payment data in accordance with its own privacy documentation.
Why we use your data (purposes + legal bases)
We process personal data only when we have a valid GDPR legal basis (Article 6).
- To provide the webshop and fulfill orders (checkout, payment status, shipping, returns)
Legal basis: Contract — GDPR Art. 6(1)(b).
- To create and manage your account
Legal basis: Contract — GDPR Art. 6(1)(b).
- Customer support & communication (order confirmations, delivery updates, answering requests)
Legal basis: Contract (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f))
- Security, abuse prevention, and fraud prevention
Legal basis: Legitimate interests — GDPR Art. 6(1)(f).
- Accounting and legal compliance (bookkeeping, tax, consumer-law obligations)
Legal basis: Legal obligation — GDPR Art. 6(1)(c).
- Newsletter / marketing emails (only with opt-in)
If you tick the checkbox to subscribe, we’ll send newsletters and product updates. The checkbox is optional and not required to purchase.
Legal basis: Consent — GDPR Art. 6(1)(a). You can withdraw consent at any time.
Also, you have the right to object to direct marketing at any time.
Who we share data with (processors)
We only share personal data with parties that are necessary to run the shop:
- Payment processing: Stripe (to process payments and handle payment-related fraud/security).
- Shipping and delivery: Posten/Bring, DHL (to deliver your order and provide tracking).
- Hosting / infrastructure: our hosting provider may process limited personal data as a processor to provide hosting and operational stability (access is restricted and controlled).
We do not sell personal data and do not share it for third-party advertising.
International transfers (outside the EEA)
Some service providers (notably Stripe) may process personal data outside the EEA. Where that happens, appropriate safeguards (such as EU Standard Contractual Clauses) may be used.
How long we keep your data (retention)
We keep personal data only as long as necessary:
- Orders, invoices, and bookkeeping records: generally 5 years after the end of the financial year (some specific cases can require longer).
- Account data: until you delete your account, or until it’s no longer needed (we may keep certain purchase/financial records as required by law).
- Support messages: typically for 12 months to handle follow-ups and warranty/return questions.
- Security logs: typically for 12 months unless needed to investigate incidents.
Your rights (EEA/UK)
- You have rights to access, rectification, erasure, restriction, portability, and to object in certain cases.
- If processing is based on consent, you can withdraw it at any time (and it won’t affect prior lawful processing).
- You can object to direct marketing at any time.
- You can lodge a complaint with a supervisory authority.
To exercise your rights, contact: info@syntheva.no
Security
We use appropriate technical and organizational measures to protect personal data (e.g., HTTPS, access controls, and least-privilege internal access).
Children
The Website is NOT intended for children under 18. If you believe a child has provided personal data, contact us so we can delete it.
Changes to this policy
We may update this policy from time to time. The “Last updated” date shows the latest revision.
Contact
Syntheva AS
Address: PO Box 77, Orkanger, Norway
Email: info@syntheva.no