Privacy Policy
1. Privacy statement and data controller
The privacy policy informs about how Natural State AS collects and uses personal data.
This privacy policy was published: 9th of November 2022.
This declaration applies to the Norwegian operations of Natural State. The head office's address is St. Halvards gate 33, 0192 Oslo. Contact details for our data protection officer are: admin@naturalstate.no.
Natural State AS is responsible for the processing of the personal data collected about you.
2. What is personal data
Personal data is everything that describes you or that can be linked to you as an individual. It may include contact details (such as name and telephone number), identification numbers (such as IP address, customer number and cookie ID) and information about actions or behavior (such as products you have purchased, pages you have visited and emails you have received).
3. Why we collect personal data, and the purpose of it
3.1 Statistics for the improvement of websites and marketing communications
We collect and analyze data about how you and other users use the website. The purpose of this is to find out how the websites are used, so that we can improve our content and our services based on this insight.
What data: Data about behavior (for example, which pages you visit and what you click on), data about your device (for example, type of computer/mobile phone, operating system and browser), data about your network and location (derived from IP address). All data is linked to an anonymous ID number which is stored in a cookie in your browser. Read more about cookies.
Basis for processing: Legitimate interest. We find great value in collecting and analyzing this data material, and consider that it does not pose a major burden on your privacy as long as the information is not linked to other sources of information and contact details.
This is how we process personal data: We use Google Analytics to collect this data from your browser. The data is stored on Google's servers, but is owned by us. It is not linked to other tools or sources unless you have given consent (see other purposes). To minimize the consequences for privacy, the IP address is only stored in anonymized form (read about IP anonymization), and we set the expiration time for the cookie that identifies you to a maximum of 7 days. When the cookie has expired, the data will no longer have any link to you as a person. In addition, all individual data will be deleted automatically by Google Analytics after 14 months.
3.2 Tracking Conversions for Advertising
We measure the results of our marketing by reporting how many contact inquiries and sales come from a marketing campaign. The purpose is to be able to optimize and make our marketing more efficient.
Which data: That you have carried out a specific action on our website, and from which source you came to our website. Also linked to all other data that is collected for statistics (see above).
Basis for processing: Legitimate interest. Data processing enables us to use our resources as efficiently as possible, and save both effort and money on measures that do not produce results. In cases where the data collection cannot be carried out without the data being linked to other information held by third parties, we rely on your active consent.
This is how we process personal data: Data processing follows the same principles as for general statistical purposes. Based on legitimate interest, we collect and process data in Google Analytics, and we also send data to Google Ads using so-called Consent Mode (data is sent without cookie information). If you have given consent to "marketing", we send data to Google Ads in the usual way, as well as to Facebook, Bing and any other advertising providers (more about advertising below).
3.3 Targeting of advertisements
We collect data about your behavior on our websites and share this with various advertising providers (data processors), with the aim of achieving more precise targeting of advertisements.
What data: Data about behavior (which pages you visit, what you click on, etc.), data about your device (type of computer/mobile phone, operating system, browser, etc.), data about your network and location (derived from IP address). All data is linked to an anonymous ID number which is stored in a cookie in your browser. This ID number is a common identifier for you across all websites you visit that exchange data with the same ad providers.
Processing basis: Consent, which you give by accepting "marketing" as a purpose (or "all") when you visit our websites. You can change your consent on our cookie page.
This is how we process personal data:
Data is collected from your browser when you visit our pages, and sent for storage and processing by the advertising provider. We use several different providers, including Google Ads, Google Marketing Platform, Facebook, Microsoft Bing, LinkedIn. Next, you will be placed in various "target groups" with these suppliers, which gives us the opportunity to buy advertising from them that you will see when you visit other websites in their network.
Therefore, you will be able to see advertisements for Natural State in many different places after you have visited our pages. Data about you is also included in your general profile with the supplier, and is used to describe your interests and estimate other characteristics of you (profiling). If you have provided contact details or other personal information to the supplier (e.g. Facebook), then the data is also linked to this. This provides a basis for advertisers other than Natural State who use the same advertising network to buy ads with more precise targeting. The consequence for you is that the advertisements you see will be more adapted to you and your situation. To avoid data about your behavior on our pages being used in this way, you can avoid consenting to the use of cookies for "marketing". To generally avoid advertising providers collecting such data and using this to create a profile on you, you can either delete/reject all cookies in your browser, or edit your settings at the provider. Here are links to how you can do this at Google, Facebook and LinkedIn.
3.4 Direct marketing and networking
Natural State is a knowledge and service provider that markets deliveries through knowledge dissemination to those who want to be part of our network. We offer knowledge through in-depth cases, technical articles and webinars that are made available via e-mail communication. Access to this material is given to anyone who agrees to receive newsletters from us.
What data: We collect information such as name, e-mail address, company name, as well as history of your interactions with Natural State through e-mail communication (including opening and clicking) and website visits.
Processing basis: Active consent
This is how we process personal data: When you fill in a form on naturalstate.no, your information is stored in HubSpot, which is the tool we use to send out e-mail communications and record interactions with our own network. When you open the emails and click on links in them, information about this is also stored. HubSpot also stores cookies in your browser that identify you in order to link information about your activities on our website to your profile.
You can withdraw your consent to receive email at any time. You do this by clicking on "change settings" at the bottom of an email you have received from Natural State. You give consent to tracking using cookies on our website through the cookie information displayed on your first visit, and this can be changed on our cookie page.
3.5 Job applications
In connection with recruitment processes, we collect and take care of information about applicants.
What data: Contact information for applicants such as name, email address and telephone number, as well as documents applicants themselves share with Natural State, such as CVs, references, application letters.
Basis for processing: Legitimate interest
This is how we process personal data: Data about job seekers is collected via finn.no's job seeker portal or via email directly to Natural State. Natural State advertises positions through finn.no's job applicant portal where personal information is made available from the applicant as long as the application process is ongoing. In the case of an open application, we encourage you to send your application to the general manager or agency manager by email. Documents received from job applicants are stored for a maximum of two years, with the rationale being that Natural State regularly recruits new employees, so that new opportunities may arise that make previous applicants eligible for reassessment.
3.6 Follow-up of inquiries and sales processes
When you contact us, via the contact form and chat on the website or via e-mail and telephone, we take care of your personal data for follow-up and the sales process.
What data: name, telephone number, email address, company, as well as interactions you have had with us including visits to our website.
Basis for processing: Legitimate interest, as well as consent (to the use of cookies for marketing, to record your visits to our website).
This is how we process personal data: Personal data and interactions are stored in HubSpot. This happens automatically if you fill in a form on our website, and we register you manually if you contact us via another channel. All Natural State employees who have customer contact have access to this information. If you do not become a regular customer or other business partner with us, and are not registered for the newsletter, we will delete your information within two years after we last had contact with you.
3.7 Follow-up of customers, business partners
In order to provide good follow-up and fulfill contractual terms, we collect and store personal information about our customers and partners.
What data: contact details such as email address, telephone, name, as well as interactions you have had with us including visits to our website.
Basis for processing: Legitimate interest, as well as consent (to the use of cookies for marketing, to record your visits to our website).
This is how we process personal data:
Personal information and data about interactions on naturalstate.no are taken care of in HubSpot. All Natural State employees who have customer contact have access to this information.
3.8 Evaluation and follow-up after courses and webinars
In order to be able to improve deliveries and to be able to follow up participants on courses and webinars, we collect personal information that participants provide themselves through a survey afterwards and a chat log during the course and webinar.
What data: Natural State uses Zoom for conducting video-based courses and webinars. Here, participants have the opportunity to chat with the speaker. The chat log will be saved to be able to take care of and follow up inquiries via chat.
In connection with course evaluation, Natural State will be able to send out a survey to course participants through the Surveymonkey tool. The answers are anonymous.
Basis for processing: Legitimate interest
This is how we process personal data: Personal data that is made available in the chat log in connection with webinars and courses is stored for up to one year.
3.9 Transfer of personal data to recipients in countries outside the EEA
It is a goal for us that all processing of personal data must be carried out within the EEA, but it may be that we use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA must take place in a country approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data according to GDPR chapter V. If transfer does not take place to a country approved by the European Commission, transfer will only take place in accordance with the guarantees set out in GDPR article 46 (2). You can find out which basis is used for transfer if you contact us. Both the suppliers we use for advertising and analysis (such as Google, Facebook etc.) as well as our customer system HubSpot are based in the USA, and data will in many cases be transferred there. We are familiar with the challenges and requirements arising from the "Schrems II" ruling, and are working to find good solutions to this.
4. Your rights
Below are your rights as a registered user. To exercise your rights, you must [fill in how the data subject must proceed, e.g. contact us, see contact information above].
We will respond to your inquiry as soon as possible, and at the latest within 30 days. If it takes longer than 30 days, you will be notified.
If necessary, we will ask you to confirm your identity or provide additional information before we allow you to exercise your rights with us. We do this to be sure that we only give access to your personal data to you - and not to someone pretending to be you. When it comes to information collected on the basis that you are identified with the use of cookies, such confirmation will be very difficult. We cannot therefore give you access to this information other than on a general basis, or carry out changes or deletions. If you delete cookies in your browser, the information we have stored will no longer be associated with you.
4.2 Information
You have the right to receive information about the personal data we process about you. Through this declaration, we inform you about our processing of personal data. You can also contact us if you want more information.
4.3 Access
You have the right to demand access to the personal data processed about you.
4.4 Change and deletion
You can also ask us to correct incorrect information we have about you or ask us to delete personal data. We will as far as possible accommodate a request to delete personal data, but we cannot do this if we still need the data.
4.5 Processing on the basis of consent
If we process personal data on the basis of your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method indicated when you gave your consent or to contact us.
4.6 Right to limit or object to processing
You have the right to have the processing restricted in certain cases, such as if:
a) You dispute the correctness of the personal data, for a period that enables us to check the correctness of the personal data.
b) The processing is illegal, and you object to the deletion of the personal data and instead request that the use of the personal data be restricted.
c) We no longer need the personal data for the purpose of the processing, but you need it to establish, enforce or defend legal claims.
d) You have objected to processing according to GDPR article 21 no. 1 pending the check of whether our legitimate interests take precedence over your privacy.
4.7 The right to data portability
For information which you have provided to us and which is necessary to carry out an agreement with us, and which is processed automatically (i.e. not manually by us), you can request to have the personal data about you handed over or transferred to another supplier in a structured, commonly used and machine-readable format (data portability).
4.8 Automated decisions, including profiling
No automated decisions will be made as mentioned in GDPR article 22 no. 1 and 4 based on your personal data, apart from what is done during the targeting of advertisements, see above.
5. General information on the storage and deletion of personal data
We keep personal data for as long as is necessary for the purpose for which the personal data was collected, and delete the data in line with requirements in the regulations. How long we process the individual types of information we process is included above where the individual treatments are mentioned.
Instead of deleting the personal data, it may in some cases be relevant to anonymise the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from data sets that are taken care of.
This means, for example, that personal data that we process on the basis of your consent will be deleted if you withdraw your consent. Personal data we process to fulfill an agreement with you is deleted when the agreement has been fulfilled and all obligations arising from the contractual relationship have been fulfilled, such as e.g. statutory obligations related to accounting, follow-up of the customer relationship related to complaints, etc.
6. Security of the processing
We place a high priority on the security of personal data in our business and will implement all required technical and organizational measures to secure your personal data. All processing will be encrypted if possible, and not available to anyone other than those who need personal data for their tasks.
We handle information so that it is correct, accessible and handled according to the degree of sensitivity of the information. We also employ a number of security technologies and information security procedures to protect your personal information from unauthorized access, use or disclosure. Where necessary, risk assessments are carried out.
We have entered into data processing agreements with all our suppliers who process personal data, where they undertake the same level of security as we have for our processing of personal data.
We limit access to your personal data to the staff or third parties who will process the data on our behalf. These parties are subject to strict confidentiality requirements and we can impose sanctions or terminate the agreement if these requirements are not complied with.
Routines have been established for handling breaches of information security and routines (breach of privacy), and if there is a breach that entails a risk to the privacy of the personal data concerned, we will send a notice of deviation to the Norwegian Data Protection Authority as quickly as possible and at the latest within 72 hours of the breach being discovered. If the breach entails a high probability for the privacy of those affected by the breach, we will also notify them.
7. Complaints
We use the Norwegian Data Protection Authority as the leading supervisory authority for cross-border processing according to Article 56 GDPR.
If you believe that our processing of personal data is not in accordance with what we have described here or that we are in breach of privacy legislation in other ways, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us first, so that we can rectify any incorrect processing as quickly as possible.
You can find information about your rights and how to contact the Norwegian Data Protection Authority on the Norwegian Data Protection Authority's website: www.datatilsynet.no.
8. Changes
Should there be a change to our services or changes to the regulations on the processing of personal data, this may result in changes to the information you have provided here. If we have your contact details, we will make you aware of these changes. Otherwise, updated information will always be available on our website.