Privacy Policy

This Privacy Policy explains how GPSR Desk, operated by Bjorvand Solutions, collects, uses, stores, and shares personal data.

1. Who we are

The data controller is:

2. What personal data we collect

We may collect:

Account and contact data

• name
• email address
• business name
• country
• store URL
• platform used, such as Etsy or Shopify

Order and payment data

• product purchased
• payment status
• billing details
• transaction records
• tax-related information

We do not intentionally store full card details. Payments are handled by Stripe.

Intake and product data

You may submit:

• product category
• product type details
• manufacturer details
• Responsible Person details
• supplier information
• product identifiers
• warnings or instructions
• product images
• packaging or label images
• invoices, certificates, or documents
• marketplace listing information

Some of this may include personal data about you, your suppliers, manufacturers, or Responsible Person contacts.

Communication data

• emails
• support requests
• feedback
• messages sent through forms

Technical and analytics data

• IP address
• device and browser data
• pages visited
• referral source
• approximate location
• cookies or similar technologies

3. How we use personal data

We use personal data to:

• provide audits, reports, checklists, and exports
• process payments
• deliver customer support
• contact you about your purchase
• manage intake forms and submitted documents
• improve the service
• prevent fraud and abuse
• comply with accounting, tax, legal, and regulatory obligations
• send marketing emails where legally allowed

4. Legal bases

We process personal data under one or more of these legal bases:

• Contract: to provide the service you purchased or requested.
• Legal obligation: to keep accounting, tax, and transaction records.
• Legitimate interests: to operate, improve, secure, and market the service.
• Consent: where required, such as optional marketing emails or non-essential cookies.

5. Third-party personal data you submit

If you submit personal data about someone else, such as a manufacturer, supplier, or Responsible Person, you confirm that you have a lawful basis or permission to provide it to us.

Do not upload sensitive personal data unless clearly necessary.

6. Service providers

We may share personal data with service providers that help us operate the business, including:

• payment processors, such as Stripe
• hosting providers
• database and file storage providers
• form tools
• email providers
• analytics providers
• AI service providers
• security and error monitoring tools
• accountants, lawyers, or professional advisors

These providers may process data only as needed to provide their services to us.

7. International transfers

Your data may be processed outside Norway, the EU, EEA, or UK if our service providers operate internationally.

Where required, we rely on lawful transfer mechanisms such as adequacy decisions, standard contractual clauses, or equivalent safeguards.

8. Retention

We keep personal data only as long as needed for the purpose it was collected.

Typical retention periods:

• payment, invoice, and accounting records: as required by accounting and tax law
• audit reports and intake data: up to 24 months unless a longer period is needed for support, legal protection, or an active customer relationship
• support emails: up to 24 months
• marketing data: until you unsubscribe or object
• analytics data: according to the analytics provider's retention settings

You can request deletion, but we may need to keep some data where required by law or for legitimate business protection.

9. Your rights

Depending on where you live, you may have the right to:

• access your personal data
• correct inaccurate data
• request deletion
• restrict processing
• object to processing
• request data portability
• withdraw consent
• complain to a data protection authority

If you are in Norway, you can contact Datatilsynet. If you are in another EU/EEA or UK jurisdiction, you may contact your local data protection authority.

10. Marketing emails

You can unsubscribe from marketing emails at any time by clicking the unsubscribe link or contacting us.

Transactional emails related to purchases, reports, support, or legal notices may still be sent.

11. Cookies and analytics

We may use cookies and similar technologies for:

• essential website functionality
• checkout and fraud prevention
• analytics
• remembering preferences
• improving the website

Non-essential cookies will be used only where legally allowed.

12. Security

We use reasonable technical and organizational measures to protect personal data.

No system is 100% secure. You are responsible for avoiding unnecessary sensitive uploads and keeping your own accounts secure.

13. AI processing

Some submitted information may be processed using AI tools to help generate summaries, checklists, snippets, and reports.

We do not use AI to make binding legal decisions about your compliance status.

You should not submit confidential, sensitive, or legally privileged information unless necessary.

14. Children

The service is intended for business users and is not directed at children.

15. Changes to this Privacy Policy

We may update this Privacy Policy. The updated version will be posted on this page with a new "Last updated" date.