Legal

Below you will find the legal documents that govern the use of the Bilberry platform, including our privacy policy and data processing agreement.

Privacy Policy

Effective from January 2026

The importance of privacy applies not only to our users but also to those who visit our website. We believe it is important to be open and transparent about what this means in practice. Below you can read how we process personal data and how we fulfill our responsibility to those who visit our website.

Our processing of personal data is based on the General Data Protection Regulation (GDPR). The fundamental criterion is your consent. We do not process your personal data without your active consent. The same applies to third parties — we will never disclose your information to others without informing you and obtaining your explicit consent.

The content of this Privacy Policy applies to everyone who visits our website.

We Are Responsible for Your Personal Data

Bilberry Technologies, hereafter referred to as Bilberry, is responsible for the personal data processed on our marketing website.

We are obligated to ensure that you as a visitor:

  • understand why and how we collect your personal data

  • can give active consent or decline consent to the processing and storage of your personal data

  • have the right to have your personal data deleted from our systems

  • can update your personal data

  • can request access to all personal data we store about you

  • can request that we export your personal data

  • have your personal data stored securely by us

What Are Personal Data and Cookies?

Personal data refers to any information that can identify you personally, such as:

  • name

  • address

  • personal identification number

  • email address

  • and similar information.

In addition to personal data, there are also cookies.

Cookies are small files sent to your computer by your browser (unless you have disabled cookies) when you visit a website. Their purpose is to collect information about how you, as a visitor, use the website, most often so that we can create a more relevant experience for you.

Cookies represent a special category, since the Norwegian Data Protection Authority has not definitively determined whether they should be classified as personal data.

Bilberry chooses to treat cookies as if they were covered by personal data legislation, meaning they are legally handled in the same way as your personal data. We believe privacy is extremely important. At the same time, storing cookies helps us provide a relevant and improved experience for you.

Data Collection from Contact Forms

When you submit our contact form, we collect the information you provide (name, company, email, phone number, and message) together with your IP address and your browser’s user agent string.

This technical data is transferred to our internal systems for handling inquiries and preventing misuse.

IP addresses and user agent data are stored for a maximum of 30 days, after which they are automatically deleted.

The legal basis for this processing is our legitimate interest in managing business inquiries and preventing misuse in accordance with GDPR Article 6(1)(f).

Your contact information (name, email, company, message) is stored for as long as necessary to respond to your inquiry and manage the related business relationship.

Data Processing Agreement (DPA)

Effective from January 2026

This Data Processing Agreement (“DPA”) forms part of Bilberry’s Terms of Service available at bilberry.no/legal and is contractually binding for all customers using the Bilberry platform.

This DPA forms part of the agreement between Bilberry Technologies AS, organization number NO-920 148 867, Vestfjordgata 20, 8300 Svolvær, Norway (“Bilberry”, “Processor”) and the Customer (“Controller”) governing the Customer’s use of the Bilberry platform.

This DPA regulates the processing of personal data by Bilberry on behalf of the Customer in accordance with:

  • the General Data Protection Regulation (EU) 2016/679 (“GDPR”)

  • the Norwegian Personal Data Act

1. Roles of the Parties

The Customer acts as the Data Controller and determines the purposes and means of processing personal data.

Bilberry acts as the Data Processor and processes personal data solely on behalf of the Customer in order to provide the Bilberry software platform and related services.

Bilberry shall only process personal data:

  • in accordance with the Customer’s documented instructions

  • in accordance with the service agreement between the parties

  • in accordance with applicable data protection law

If Bilberry believes an instruction conflicts with applicable law, Bilberry shall inform the Customer without undue delay.

2. Purpose of Processing

Bilberry processes personal data solely for the purpose of providing the Bilberry booking and operations platform.

Processing activities may include:

  • booking management

  • customer communication related to bookings

  • payment and order processing through integrated payment providers

  • reporting and operational administration within the platform

Bilberry does not process Customer data for its own marketing purposes.

3. Categories of Personal Data

Personal data processed through the Bilberry platform may include:

  • names

  • contact information (email and telephone number)

  • booking details

  • transaction information

  • payment information handled through integrated payment providers

Bilberry does not intentionally process special categories of personal data as defined in Article 9 GDPR.

4. Categories of Data Subjects

Personal data processed may relate to:

  • customers booking experiences through the Customer

  • employees or representatives of the Customer

  • partners or suppliers connected to booking operations

5. Duration of Processing

Bilberry processes personal data for the duration of the Customer’s use of the Bilberry platform.

Upon termination of the service agreement:

  • personal data will be deleted or anonymized within 90 days, unless retention is required by law

  • backup copies will be deleted or overwritten in accordance with Bilberry’s internal data retention policies.

6. Security of Processing

Bilberry implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Security measures include, among others:

  • controlled user authentication and access management

  • logging and monitoring of system access

  • encryption of data in transit

  • secure cloud infrastructure

  • continuous monitoring and maintenance of system security

Bilberry regularly evaluates and updates its security measures.

7. Confidentiality

Bilberry ensures that employees and contractors who have access to personal data are subject to confidentiality obligations and only process personal data where necessary to perform their duties.

Confidentiality obligations remain in force after termination of the agreement.

8. Subprocessors

Bilberry may engage subprocessors to support the operation and delivery of the Bilberry platform, including infrastructure providers, cloud hosting providers, and payment service providers.

Bilberry ensures that all subprocessors are subject to data protection obligations equivalent to those set out in this Data Processing Agreement.

Bilberry remains responsible for the actions of its subprocessors in relation to the processing of personal data.

9. International Transfers

Personal data is primarily processed within the European Economic Area (EEA).

Where personal data is transferred outside the EEA, Bilberry ensures that appropriate safeguards are implemented in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses approved by the European Commission, or

  • adequacy decisions adopted by the European Commission.

10. Assistance to the Controller

Taking into account the nature of processing, Bilberry shall assist the Customer where reasonably possible with:

  • responding to requests from data subjects exercising their rights under GDPR

  • ensuring compliance with security obligations

  • conducting data protection impact assessments where required.

11. Personal Data Breaches

In the event of a personal data breach affecting Customer data, Bilberry will notify the Customer without undue delay after becoming aware of the breach.

The notification will include information reasonably necessary for the Customer to meet its obligations under GDPR.

12. Audits and Compliance

Bilberry shall make available information necessary to demonstrate compliance with this Data Processing Agreement.

Where reasonably required, the Customer may request documentation regarding Bilberry’s security practices or data protection measures.

13. Return and Deletion of Data

Upon termination of the service agreement, Bilberry shall:

  • delete or anonymize personal data processed on behalf of the Customer within 90 days, unless retention is required by law

  • ensure that any remaining backup data becomes inaccessible and is eventually overwritten.

Bilberry may provide confirmation of deletion upon request.

14. Governing Law

This Data Processing Agreement is governed by Norwegian law.

Disputes shall be resolved in accordance with the governing law and dispute resolution provisions of the main service agreement between the parties.