πŸš€ Join the waitlist

Privacy Policy

Draft β€” for legal review. Last updated 28 March 2026.

1. Introduction

This policy explains what personal data we collect, why, how long we keep it, and your rights. It applies when you pre-order, visit our website, or contact us. We comply with the GDPR and Norwegian data protection laws.

2. Controller Information

Data Controller:
Alva Technologies AS
Gaustadalleen 21, 0349 Oslo, Norway
Organization Number: 933 627 810
Email: post@alva.as
Privacy inquiries: post@alva.as

3. What Data We Collect
3.1 Identification Data

Name, email, phone, postal address. When: Pre-orders, account creation, support.

3.2 Payment Data

Transaction ID, order reference, billing address. We don't store card numbers. Stripe handles that. When: Pre-order payment.

3.3 Order Data

Products, dates, amounts, delivery address, order history. When: You place a pre-order.

3.4 Device and Usage Data

Energy consumption, app usage, device performance. When: Active product use (not at pre-order stage).

3.5 Technical Data

IP address, browser, OS, log data, referrer info. When: Website visits (via PostHog).

3.6 Communication Data

Support messages, feedback, email correspondence. When: You contact us.

3.7 Marketing Preferences

Email subscription status, consent records. When: You sign up for communications.

4. Why We Process Your Data
4.1 Contract Performance (Art. 6(1)(b))

Processing pre-orders, managing accounts, customer support, refunds, order confirmations.

4.2 Legal Obligations (Art. 6(1)(c))

Tax/accounting laws, consumer protection, legal requests, fraud prevention.

4.3 Legitimate Interests (Art. 6(1)(f))

Fraud prevention, product improvement, analytics (PostHog), protecting legal rights.

4.4 Consent (Art. 6(1)(a))

Marketing emails, surveys, targeted communications. Withdraw anytime.

5. How Long We Keep Your Data
  • Order and transaction data β€” 5 years after transaction (Norwegian Accounting Act)
  • Payment confirmation data β€” 7 years (Tax law requirements)
  • Marketing consent records β€” Until withdrawn (GDPR requirement)
  • Cookie consent records β€” 5 years (Norwegian ePrivacy requirements)
  • Device/usage data β€” 12 months after account closure (Service optimization)
  • Customer support records β€” 3 years after closure (Warranty and support history)
  • Website analytics data β€” 12-26 months (Service improvement)
  • Log files and technical data β€” 30-90 days (Security and troubleshooting)

Data is securely deleted or anonymized when retention periods expire.

6. Who We Share Data With
6.1 Processors
  • Stripe β€” payments (PCI DSS compliant)
  • AWS β€” cloud hosting
  • PostHog β€” analytics
  • Customer.io β€” email (transactional + marketing)
  • Shipping partners β€” delivery and tracking
6.2 Legal Authorities

We disclose data when required by law, court order, or governmental request.

6.3 What We Don't Do

We don't sell, trade, or share your data with competitors or unrelated marketing companies.

6.4 Data Protection

All processors have signed GDPR Article 28 Data Processing Agreements.

7. International Data Transfers

Data is processed within the EEA. If transferred outside, we use EU adequacy decisions, Standard Contractual Clauses (Art. 46(2)(c)), or the EU-US Data Privacy Framework.

8. Your Rights Under GDPR

Your rights:

  • Access (Art. 15) β€” Get a copy of your data. We respond within 1 month.
  • Rectification (Art. 16) β€” Fix inaccurate data. Update your profile or contact us.
  • Erasure (Art. 17) β€” Request deletion. We may retain data if legally required.
  • Restrict Processing (Art. 18) β€” Limit processing while we verify accuracy.
  • Data Portability (Art. 20) β€” Get your data in portable format.
  • Object (Art. 21) β€” Object to processing for legitimate interests or marketing.
  • Withdraw Consent (Art. 7) β€” Stop consent-based processing anytime.
  • Automated Decisions (Art. 22) β€” We don't use automated decision-making that affects your access.
How to Exercise Your Rights

Email privacy@alva.as with your name and a clear description. We respond within 1 month and may verify your identity.

9. Data Security

We use encryption (TLS/SSL in transit, at rest for sensitive data), role-based access, firewalls, intrusion detection, regular audits, and staff training.

9.1 Breach Notification

If a breach occurs, we notify Datatilsynet within 72 hours and affected individuals without undue delay if there is high risk.

9.2 Limitations

No system is 100% secure. Keep your login credentials confidential.

10. Children's Data

Our services aren't for children under 16. We don't knowingly collect their data. If we find data from a child without consent, we delete it. Parents can contact us about their child's data.

11. Cookies and Similar Tracking

See our separate Cookie Policy for detailed information about cookies, including types, purposes, and how to manage them.

12. Changes to This Privacy Policy

We may update this policy. Material changes: email notification. Minor updates just change the "Last updated" date.

13. Complaints and Supervisory Authority

If you think we violated your data protection rights, complain to Datatilsynet.

Datatilsynet (Norwegian Data Protection Authority)
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00
Address: Datatilsynet, Postboks 8177 Dep., 0034 Oslo, Norway
Website: datatilsynet.no

Outside Norway? You can also complain to your local data protection authority.

14. Contact Us

Email: post@alva.as
Mail: Alva Technologies AS, Gaustadalleen 21, 0349 Oslo, Norway

We acknowledge within 5 business days, respond within 1 month.

Your GDPR Rights Summary
  • Access β€” Get a copy of your data. Email privacy@alva.as.
  • Rectification β€” Correct inaccurate data. Update profile or email.
  • Erasure β€” Request data deletion. Email privacy@alva.as.
  • Restrict Processing β€” Limit how we use data. Email privacy@alva.as.
  • Data Portability β€” Receive data in portable format. Email privacy@alva.as.
  • Object β€” Opt out of certain processing. Email privacy@alva.as.
  • Withdraw Consent β€” Stop consent-based processing. Update preferences or email.
  • Complain β€” File complaint with authority. Contact Datatilsynet.

Document Version 1.0 DRAFT. Last updated 28 March 2026. Effective date to be confirmed after legal review. Status: for legal review, not yet in effect.