Privacy Policy – NordStrict

Effective Date: May 2026

1. Data Controller

The data controller responsible for processing your personal data through this website is:

NordStrict
Contact email: contact@nordstrict.studio
Location: Norway

Note: To protect operational security and personal privacy, physical identification data is restricted and managed strictly in accordance with GDPR principles of data minimization. Official communication regarding legal identity is handled directly via our verified email address.

2. Personal Data We Collect & Strict Minimization

Depending on your interaction with us, we may process the following data:

Information provided through contact forms (Name, Contact handle, Message content).
Technical data such as IP address and browser information collected by hosting providers or security infrastructure.
Special Categories of Personal Data (Intake & Session Forms): Detailed preferences, boundaries, technical specifications, and safety protocols provided voluntarily by the user for session preparation.

        Data Retention & Legal Archive Policy (Consent & Intake Forms):

        While we practice strict data minimization for routine communications, your explicitly signed Liability Waivers, Consent Agreements, and the associated safety boundaries (Intake Forms) are securely encrypted and archived. This archive is maintained strictly for the establishment, exercise, or defense of potential legal claims, in alignment with the Norwegian Statute of Limitations. This data is legally necessary to document and prove consensual participation under SSC/RACK principles. It is never used for marketing or active processing post-session and remains in a secure, dormant state.

3. Purpose of Data Processing

We process personal data for the following explicit purposes:

To respond to inquiries and maintain structured communication with users.
To safely design, prepare, and execute personalized services.
To protect the security, integrity, and proper functioning of our technical systems.
To prevent malicious automated abuse (spam/bots).

4. Legal Basis for Processing

We process personal data based on the following legal frameworks under the GDPR:

Your explicit consent (Article 6(1)(a) GDPR).
Performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR) to prepare your session layout.
Our legitimate interests (Article 6(1)(f) GDPR) in securing our digital infrastructure and validating user requests.
The establishment, exercise, or defense of legal claims (Article 9(2)(f) GDPR) to securely archive your consent, boundaries, and liability waivers.

5. Data Recipients & Third-Party Tools

Your data is processed confidentially and is only accessed by technical infrastructure providers required to operate the platform:

Website hosting providers (OVH Cloud).
Secure email service infrastructure.

Google reCAPTCHA v3:
We use the Google reCAPTCHA v3 service on our website to protect our contact forms against spam, automated bots, and malicious abuse. This service analyzes the user's technical behavior on the website (including mouse movements, typing cadence, and device parameters) to evaluate whether the interaction originates from a human or an automated script. The data collected during this analysis is transmitted directly to Google LLC. This processing is based on our legitimate interest (Article 6(1)(f) GDPR) in securing our platform. For more details, please view the Google Privacy Policy and Terms of Service.

We absolutely never sell, rent, or share your personal data with unauthorized third parties.

6. Data Transfers Outside the EEA

We do not transfer personal data outside the European Economic Area (EEA), which includes the European Union and Norway. All data processing and storage remain strictly localized within compliant EEA datacenters.

7. Your Rights

Under the General Data Protection Regulation (GDPR), you hold the following absolute rights:

Right to access and review your stored data.
Right to request correction of inaccurate data.
Right to request permanent deletion of your data (“right to be forgotten”), except where data retention is legally required for the defense of potential liability claims (e.g., archived Consent Forms).
Right to restrict or object to the processing of your data.
Right to data portability.

To fully exercise any of your rights, or to request the manual purge of your routine contact data, contact us directly at: contact@nordstrict.studio.

8. Data Security

We implement strict, industry-standard technical and organizational security measures to protect all communications against unauthorized access, loss, alteration, or disclosure. Archived consent forms are kept in a dormant, encrypted state.

9. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time to align with legal updates or infrastructure upgrades. The latest active version will always be accessible directly via this page.