Privacy Policy

Last updated: 27-05-2025

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal data when you use our website or services (such as booking a Northern Lights tour with us). It also outlines your rights under data protection laws (including the EU General Data Protection Regulation - GDPR). By using our services, you agree to the handling of your information as described in this policy.

Personal Data We Collect

We only collect personal information that is necessary for providing our tour services and running our website. This may include:

  • Contact Information: Your name, email address, phone number, and country of residence. We collect these when you make an inquiry or booking so we can communicate with you.
  • Booking Details: Information related to your reservation, such as tour date, number of participants, preferences (for example, if you inform us of any special needs or requests), and any comments you provide.
  • Payment Information: When you book a tour, payment details (credit/debit card information) are processed securely through our payment provider. We do not store your full card number or security code on our servers; we only retain necessary transaction references (such as the last four digits of the card or a transaction ID) to process payments and refunds.
  • Identification (if required): In some cases, we might need passport numbers or ID (for example, if a third-party requires it for verification, or for certain legal compliance). Generally, our Northern Lights tours do not require ID collection, but if we ever need it (e.g. for child discount verification or safety reasons), we will only collect what is necessary.
  • Communication Records: If you contact us with questions, feedback, or complaints (via email, contact form, phone, or social media), we may keep a record of that correspondence, including your contact details and the content of the communication, to better assist you and improve our services.
  • Website Usage Data: When you visit our website, we may collect information about your device and browsing actions through cookies and similar technologies. This can include your IP address, browser type, pages viewed, and the time and date of your visit. (For more details, see our Cookie Policy.) This information helps us understand how users interact with our site and enables us to improve the user experience.
  • Location Data: Generally, we do not actively track your precise location, but your IP address might give a broad indication of your region or country when you use our website. This is mainly used for analytics and to show appropriate content (like correct currency or language).
  • Marketing Preferences: If you subscribe to our newsletter or opt-in to receive promotional emails, we will collect your name and email and note that you wish to receive marketing communications. We may also note your tour interests (e.g. “Northern Lights tours”) to send relevant content. You can unsubscribe at any time.
  • Photos/Videos: On occasion, our guides or photographers may take photos or videos during the tour (for example, a group photo under the Northern Lights). We will only use identifiable images of you for marketing with your consent. If we take photos for you as part of the service (e.g. helping you get a Northern Lights picture), those are provided to you and not used by us unless you give permission. (Any such media we collect with consent would be considered personal data if you are identifiable.)

We strive to minimize the personal data we collect and will ask for consent when required. You have the choice not to provide certain information, but please understand that this may limit our ability to serve you (for instance, if we cannot get your contact info, we cannot confirm your booking).

How We Use Your Personal Data

We will use your personal data only for legitimate business purposes and in accordance with applicable law. The main purposes for which we process your data include:

  • Providing Our Services: We use your information to process and manage your tour bookings. This includes reserving your spot, arranging transportation, preparing for any special needs, and providing the tour itself. For example, we use the names on the booking to know our guest list for the tour, and your contact info to send tickets and reach you with any updates.
  • Communication: We use your email and/or phone number to send you important messages about your booking. This includes booking confirmations, payment receipts, reminders prior to your tour, and notifications of any changes or cancellations (e.g. due to weather). We may also respond to your inquiries, whether before or after your tour, using the contact information you provided.
  • Customer Support: If you reach out with questions, requests, or issues, we will use your info to address your needs. For example, if you email us about a lost item or to request a date change, we will use your booking and contact info to help you.
  • Improving Our Services: We might use feedback you provide or information about how you use our website to improve our tours and website. For instance, we may analyze common questions or feedback to make our FAQ more helpful. Website usage data (collected via cookies) helps us understand what pages or information are most useful to visitors, so we can enhance site content and navigation.
  • Marketing (with consent): If you have opted in to receive marketing communications, we will use your email to send you newsletters, special offers, or updates about our tours and services. We might also send a follow-up email after your tour inviting you to review us or informing you of future discounts. We will only send promotional emails if you have given consent, and you can opt out at any time. (Transactional emails about your booking are not considered marketing and are sent as part of our service to you.)
  • Legal Obligations: We process certain data to comply with legal requirements. For example:
      • Keeping financial transaction records for accounting, tax, and audit purposes (your booking payment records must be kept for a certain period as required by Norwegian law).
      • If authorities lawfully require information (e.g. for safety, immigration, or law enforcement), we may need to provide it.
      • Handling any legal claims – if you were to have an accident and there’s an insurance or legal process, we might need to provide relevant personal information.
  • Security and Fraud Prevention: We may use personal data (like IP addresses or transaction information) to monitor and prevent fraud, hacking, or other security issues on our website. This helps protect your data and our business from malicious activity.

We will not use your personal data for any purpose that is incompatible with the original purposes described above, unless we obtain your consent or are required/permitted by law to do so. We do not use your personal data for automated decision-making or profiling that has legal or significant effects on you without your explicit consent.

Legal Basis for Processing (GDPR Compliance)

Under the GDPR (applicable since we operate in Norway and serve international guests), we must have a valid "legal basis" for each use of personal data. Depending on the context, one or more of the following bases apply:

  • Contractual Necessity: When you book a tour with us, we enter into a contract to provide you the service. We need to process your personal data (e.g. name, contact, payment) to fulfill this contract – that is, to supply the tour and related services you requested. (GDPR Article 6(1)(b): processing is necessary for the performance of a contract with the data subject.)
  • Legitimate Interests: We may process data as needed for our legitimate business interests, provided such use is fair and does not override your rights. For example, improving our services, ensuring IT security, or minor direct marketing to existing customers might fall under this basis. We always consider your privacy rights and will provide an opt-out or seek consent where appropriate. (GDPR Article 6(1)(f): processing is necessary for the purposes of legitimate interests pursued by the controller.)
  • Legal Obligation: Some data processing is required for us to comply with laws or regulations. For instance, retaining transaction records for accounting (as required by tax laws), or providing information to authorities if legally compelled. (GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation.)
  • Consent: We rely on your consent for certain types of processing that are not covered by the bases above. The clearest example is sending marketing communications: we will only send you newsletters or promotional offers if you have opted in. Another example is certain cookies on our website that are not strictly necessary – we ask your consent to enable them. If we ever process any sensitive personal data (which we typically do not for standard tour operations), we would also require your explicit consent or another special legal basis. (GDPR Article 6(1)(a): the data subject has given consent to the processing for one or more specific purposes.)

Where we rely on your consent, you have the right to withdraw that consent at any time (for example, you can unsubscribe from our mailing list easily via a link in each email). Withdrawal of consent will not affect the lawfulness of processing done before the withdrawal.

How We Share Your Data

We treat your personal data with care and confidentiality. We do not sell your personal information to third-party companies. However, in certain situations, we do need to share your data with third parties in order to operate our business and provide services to you. The types of third parties with whom we may share data include:

  • Service Providers (Processors): We use reputable third-party companies to help us run our operations. These include:
      • Payment Processors: to securely handle credit card transactions (for example, Stripe or Nets). Your payment information is transmitted directly to the payment processor; we do not store it, but we receive confirmation of payment.
      • Booking Management and IT Services: We may use a booking platform or reservation system, as well as cloud storage or database providers, to organize bookings and store data. These service providers might host your data on cloud servers or provide software we use to manage customer information. They are contractually obligated to protect your data and only use it to provide their service to us.
      • Email and Communications Services: We might use an email service (like MailChimp, SendGrid, or similar) to send out booking confirmations and updates, or newsletters (for those who opted in). These services hold your email address and name to send messages on our behalf. They are not allowed to use your email for their own purposes.
      • Analytics Providers: We use analytics tools (such as Google Analytics) to gather information about website traffic and usage. These providers set cookies and process usage data (which may include IP address and browsing information). The data shared is mostly aggregated and not tied to your name. It helps us understand our website visitors (e.g. what countries people are browsing from, which pages are popular).
      • Web Hosting: Our website is hosted by a third-party hosting company, which means any data you submit through our site (contact forms, booking info) passes through their servers. They are obligated to keep data secure.
  • Tour Partners/Subcontractors: For our Northern Lights tours, we primarily operate with our own staff and vehicles. However, occasionally we might partner with or subcontract to another local provider (for example, if you booked through an agent, or if we need an extra vehicle/driver on a very busy night). In such cases, we may share relevant details (like your name and perhaps contact or special needs) with the partner who is helping deliver the service, so that they can fulfill the tour. These partners are typically bound by their own privacy obligations and/or by agreements with us. We only share what is necessary (e.g. they don’t need your email except possibly to coordinate on the day).
  • Legal and Safety Reasons: We might disclose personal information to third parties if required to do so by law or if we believe in good faith that such action is necessary to:
      • Comply with a legal obligation or respond to valid legal process (e.g. a court order, police request).
      • Protect and defend our rights or property, or prevent fraud.
      • Act in urgent circumstances to protect the personal safety of customers or the public (for example, providing info to medical personnel in an emergency).
  • Business Transfers: This is unlikely, but if our company is ever involved in a merger, acquisition, or sale of assets, your personal data might be transferred to the new owner or partner, in which case we would ensure the continued confidentiality of your personal data and notify you before it becomes subject to a different privacy policy.

When we share data with any third-party “processor” that processes it on our behalf (such as those service providers mentioned), we ensure there is a data processing agreement in place. This contract requires the third party to handle the data securely and only for the purposes we specify. They cannot use your data for their own unrelated purposes.

International Data Transfers

We are based in Norway (which is part of the European Economic Area, EEA) and generally aim to store and process data within the EEA. However, some of our third-party service providers may be located or may store data on servers outside of Norway or the EEA (for example, a US-based email newsletter service or a cloud provider with global data centers). If we transfer your personal data to a country outside the EEA, we will take steps to ensure your data receives an adequate level of protection:

  • We will only transfer data to countries that have been deemed to provide an adequate level of data protection by the EU (such as countries with equivalent GDPR laws), or implement one of the safeguards approved by the GDPR. These safeguards might include:
      • Standard Contractual Clauses (SCCs): We can sign the European Commission’s approved standard data protection clauses with the receiving party, which legally commit them to protect your data to EU standards.
      • Privacy Frameworks or Certifications: If applicable, ensuring the receiver is certified under an approved framework (for instance, any future EU–US data transfer framework, if valid).
      • Obtaining your explicit consent for the transfer, in cases where the above safeguards are not in place and the transfer is necessary (though we aim to avoid needing this by using proper safeguards).

For example, if we use Google Analytics, data may be processed on Google’s servers in the United States. We would rely on safeguards like SCCs and Google’s compliance measures to protect that data. Similarly, an email service provider in the U.S. would operate under SCCs or similar. You can contact us if you have questions about our international data transfers or want to learn more about the safeguards in place.

Data Retention (How Long We Keep Your Data)

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal and business requirements. The retention period can vary depending on the type of information and the purpose of processing. Here are some general guidelines:

  • Booking and Transaction Data: For customers who book tours, we will retain your booking records (including contact info, tour details, and payment records) for a minimum of 5 years after the tour date. This retention is required under Norwegian accounting and tax regulations, which mandate that financial records be kept for a certain period (typically five years). We may keep records longer if needed for any legal proceedings or accounting audits.
  • Customer Communications: Emails or communications with you are generally retained as long as necessary to address your inquiry or provide customer support. Important communications related to bookings may be kept with your booking record (also up to 5 years or more if needed). General inquiries (when you didn’t book) may be deleted after a shorter period once resolved, typically within 1-2 years.
  • Marketing Data: If you have subscribed to our newsletter or consented to marketing, we will retain your contact details for that purpose until you unsubscribe or withdraw your consent. If you opt out, we may keep your email on a suppression list (to ensure we don’t accidentally send you emails) but will no longer actively use it for marketing.
  • Website Analytics Data: Data collected via cookies and analytics typically is stored in aggregate form. Raw analytics data (like on Google Analytics) may be retained for a period (e.g. 26 months) as per our settings, but it generally doesn’t personally identify you by name. You can also clear cookies to remove some of that data on your side.
  • Legal Requirements and Protection: We may retain data for longer than the periods above if necessary to comply with legal obligations or to protect our rights. For instance, if there’s an incident on a tour, we might keep relevant information until any potential legal/insurance matters are resolved (which could be a few years). Also, if required by law enforcement or during a legal dispute, we will retain data as instructed.

After the applicable retention period ends, and if we have no other valid reason to keep your data, we will either securely delete it or anonymize it (so it can no longer be associated with you). For example, we might anonymize analytics data after a certain time, or remove personal identifiers from old booking records while keeping non-personal statistics (like total tourist numbers per year).

Data Minimization: In general, we aim to keep the minimum data necessary. If we print out a manifest for a tour (with names), we destroy it after the tour. If you inquire about availability but don’t book, we might delete your inquiry data after some time if it’s no longer needed. If you wish for us to delete your data sooner, you have the right to request erasure (see “Your Rights” below), and we will comply provided we are not required to keep the data for legal reasons.

Data Security

We take the security of your personal information seriously. We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. These measures include:

  • Encryption: Our website uses SSL/TLS encryption (HTTPS) to ensure that data transmitted between your browser and our site (such as when you fill in a booking form or payment details) is encrypted. Sensitive information (like payment transactions) is handled through secure, certified payment gateways.
  • Access Controls: Personal data is stored in secure systems, and we restrict access to those systems to authorized personnel only. For example, only staff who need to process bookings or manage customer relations have access to booking information. Each authorized person has unique login credentials, and access is protected by passwords and, where possible, two-factor authentication.
  • Secure Storage: We store digital data on secure servers (with firewalls and regular security monitoring). Any physical documents (if we ever print booking info or have to note something) are kept in a secure location and shredded when no longer needed.
  • Training and Policies: Our team is informed about the importance of data privacy and security. We have internal policies to ensure handling of personal data is done carefully and in line with this policy (for instance, not downloading data to unsecured devices, not sharing data via unsecured channels, etc.).
  • Regular Monitoring: We keep our website platform, plugins, and software up to date to protect against vulnerabilities. We also monitor for any suspicious activity. If we use third-party services, we rely on reputable providers with their own strong security measures and regularly review their compliance.

Despite all these precautions, it’s important to note that no method of transmission over the internet or method of electronic storage is 100% secure. We strive to protect your personal data, but we cannot guarantee absolute security. In the unlikely event of a data breach that could potentially compromise your personal data, we will follow all applicable laws regarding breach notification (for example, notifying you and the authorities like the Norwegian Data Protection Authority (Datatilsynet) if required). You also play a role in security: please keep any account credentials or booking references we provide to you confidential. (If our system allows you to log in to view your booking, don’t share your login details with others.) If you suspect any unauthorized access or have security-related concerns, contact us immediately.

Your Rights Under GDPR

As a user of our services and as a data subject under the GDPR (if you are in the EU/EEA or otherwise covered), you have various rights regarding your personal data. We respect and uphold these rights. They include:

  • Right to Access: You have the right to request a copy of the personal data we hold about you, as well as information about how we process it. This is often called a “Subject Access Request.” Upon request, we will provide you with a summary of your personal information in our records, typically within 30 days (as required by law).
  • Right to Rectification: If you believe any personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it. For example, if your email address or phone number has changed or we misspelled your name, let us know and we will fix it.
  • Right to Erasure: Also known as the “right to be forgotten.” You can ask us to delete your personal data. We will do so provided that the data is no longer needed for the purposes it was collected or we don’t have a legal obligation to keep it. For instance, if you completed a tour with us years ago and we have no legal need to retain your data, you can request deletion. Note: if you have an upcoming booking, we need to keep your data to fulfill it; if you request deletion before a scheduled tour, it may require canceling your booking (we would discuss the implications with you).
  • Right to Restrict Processing: You have the right to request that we limit the processing of your data in certain circumstances. For example, if you contest the accuracy of your data, you can request we restrict use of that data until we verify accuracy; or if you object to our processing based on legitimate interest, we may pause processing while we evaluate your request. Restriction might mean we keep the data but don’t use it.
  • Right to Object: You have the right to object to certain types of processing. The most common objection is to direct marketing – you can object to receiving marketing emails or targeted advertising, and we will stop using your data for that purpose immediately (no questions asked). You can also object if we were processing your data under a legitimate interest basis and you have a particular reason to stop it; we will comply unless we have a compelling legitimate ground to continue (according to GDPR rules).
  • Right to Data Portability: For data that you have provided to us and that we process by automated means under consent or contract (for example, the data you gave us when making a booking), you have the right to get that data in a structured, commonly used, machine-readable format and/or have it transmitted to another controller (e.g. another tour company) if technically feasible. In plain terms, you can ask for a digital file of the basic personal data you gave us.
  • Right not to be subject to automated decisions: We do not use automated decision-making or profiling in any way that produces legal effects or similarly significant effects on you without human involvement. But you have the right to not be subject to a purely automated decision that significantly affects you.
  • Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. For example, if you signed up for our newsletter and no longer want to receive it, you can unsubscribe (withdrawing consent for marketing). Withdrawing consent will not affect the lawfulness of any processing we did before you withdrew, and it won’t affect processing under other bases (e.g. we may still process data for a booking under contract necessity even if you withdraw consent for marketing).
  • Right to Lodge a Complaint: If you believe we have not complied with data protection laws or have infringed your rights, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Norwegian Data Protection Authority (Datatilsynet). You can contact them through their website or by phone. If you reside in another EEA country, you may contact your local data protection authority instead. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please feel free to contact us with any complaints or issues.

To exercise any of your rights, please contact us (see the “Contact Us” section below). We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose data to the wrong person). This might involve asking for information or identification. We will respond to your request as soon as possible, and at least within the legally required timeframes (usually one month, extendable by two more months for complex requests – but we aim to be faster). Please note that some rights have limitations. For example, the right to erasure is not absolute – we may have to refuse deletion if we have a compelling legal reason to keep data (but we will explain such reasons to you if applicable). Similarly, data portability applies to specific data types only. Nonetheless, we are committed to honoring your rights to the fullest extent possible.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to provide and improve our services, as described in our Cookie Policy. Cookies are small text files placed on your device that help the site function and gather information about your visit. For example, cookies allow us to remember your language preferences or analyze how visitors navigate our site. Some cookies are necessary for the site to work (e.g. for navigating pages or booking a tour), while others are optional and used for analytics or advertising. When you first visit our site, you will be presented with a cookie consent banner where you can choose which non-essential cookies to accept. You can change your preferences at any time via our website’s cookie settings or through your browser settings. For detailed information on the cookies we use, the purposes they serve, and how you can manage or disable them, please refer to our Cookie Policy (available on our website). By using our site after seeing the cookie notice, you consent to the use of cookies as described (unless you opt to disable them).

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this page and adjust the “Last updated” date at the bottom. If changes are significant, we may also notify you directly (for example, by email if you have an account or booking with us, or by a prominent notice on our website). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services or website after any update to this policy will constitute your acceptance of the changes, to the extent permitted by law.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help.

  • Email: privacy@ourauroratours.com (example email)
  • Phone: +47 xxxx xxxx (ask for the data privacy officer/manager)
  • Address: Tromsø, Norway (full address would be listed here)

Attn: Data Protection Officer/Privacy Manager (if applicable)

We will gladly assist you with inquiries about the data we hold about you or any other privacy-related questions. Your trust is important to us, and we want you to feel safe and comfortable using our services.