Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how Esi Eiendom AS (“we”, “us”, or “our”) collects, uses, and protects your personal data when you visit our website and when you contact us about online education programs, workshops, webinars, or learning resources.
Esi Eiendom AS is the data controller for processing described in this policy. Our registered contact details are:
- Legal entity: Esi Eiendom AS
- Address: LitleĂĄsvegen 77, Nyborg, 5132, Norway
- Email: [email protected]
- Phone: +47 55 50 12 84
Effective Date: March 12, 2026. We do not currently appoint a Data Protection Officer (DPO). If you have questions about this policy or want to exercise your rights, contact us using the details above.
2. Personal Data We Collect
We collect personal data that you provide directly and data that is collected automatically when you interact with the website. The exact set of data depends on what you do (for example, browsing pages versus submitting a registration request).
- Identity and contact data: full name, email address, phone number.
- Form content: selected program, preferred workshop topic (if provided), comments or message content, and any scheduling notes you include.
- Technical data: IP address, browser type and version, device identifiers, operating system, language settings, time zone, and approximate location derived from IP.
- Usage data: pages viewed, time spent on pages, referrer/exit pages, and click paths. This information helps us understand which learning pages are useful and where site navigation can be improved.
- Cookies and identifiers: essential cookies needed for site continuity and your cookie preference record, plus optional analytics and marketing cookies if you consent.
- Conversion events: events such as form submission attempts and completed requests, used to measure whether information pages and registration flows are working properly.
We do not intentionally collect special-category data (such as health information, religious beliefs, political opinions, or biometric data), financial account details, or government identification numbers through our standard registration and contact forms. Please do not include such information in your message.
3. Why We Process Your Data & Legal Basis (GDPR Article 6)
We process personal data only where we have a lawful basis under the GDPR (and related Norwegian data protection rules). The purposes and legal bases include:
- Responding to contact and registration requests: to reply to your inquiry, coordinate enrollment, confirm program format details, and provide learning materials information.
Legal basis: GDPR Art. 6(1)(b) (steps prior to entering into a contract) and, where required, Art. 6(1)(a) (consent).
- Website performance and analytics (optional): to understand how visitors use the site and to improve content structure, navigation, and page clarity.
Legal basis: GDPR Art. 6(1)(a) (consent).
- Marketing/remarketing (optional): to measure advertising performance and show relevant messages to people who have interacted with the site (for example, reminding visitors about a program page).
Legal basis: GDPR Art. 6(1)(a) (consent).
- Security and fraud prevention: to protect the website, detect abuse, and reduce spam submissions or malicious traffic patterns.
Legal basis: GDPR Art. 6(1)(f) (legitimate interests), balanced against your rights and interests.
- Legal compliance: to comply with legal obligations and handle lawful requests from authorities.
Legal basis: GDPR Art. 6(1)(c) (legal obligation).
Automated decision-making (GDPR Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Any optional advertising audiences are used to deliver and measure ads, not to make decisions about eligibility, credit, employment, or similar matters.
4. Cookies & Tracking
Cookies are small text files stored on your device. We use a three-category model: essential cookies (always active), and optional analytics and marketing cookies (only active with consent). Some tracking can also occur through pixel tags and server-side events, depending on which options you accept.
Essential cookies (always active)
Essential cookies are required for basic site operation and to store your cookie consent choice. These cookies do not require consent.
- _site_session for session continuity (retention: session).
- cookie_consent to store your cookie preferences (retention: 12 months).
- CSRF protection and similar security mechanisms (retention: session to 12 months, depending on implementation).
Analytics cookies (optional)
If you consent, we may use analytics to measure traffic and improve site content. Our standard analytics implementation is Google Analytics 4 (GA4) with IP anonymization where supported.
- Examples: _ga (2 years), _ga_XXXXXXXXXX (2 years; GA4 property identifier), with analytics data retention typically set to 14 months.
- Data types: page views, approximate location, device/browser information, and interaction events.
Marketing cookies (optional)
If you consent, marketing cookies help measure advertising performance and support remarketing and audience creation (such as custom and lookalike audiences) on platforms like Google and Meta.
- Examples: _gcl_au (Google Ads, 90 days), _fbp (Meta Pixel, 90 days), _fbc (Meta click identifier, 90 days when present).
- Use cases: conversion attribution (for example, measuring completed registration requests), frequency control, and relevant messaging for people who have visited program pages.
Beyond cookies, marketing and analytics tools can use pixel tags and similar technologies. If enabled, data may be sent from your browser and, in some configurations, from our server to these providers (for example, conversion events). Where server-side events are used, identifiers may be pseudonymized or hashed where supported (for example, hashed email) to improve matching accuracy while reducing raw identifier exposure.
For more detail and a cookie list, please review our Cookie Policy.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent browser cookie (retention: 12 months).
You may withdraw consent at any time by using “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
6. Sharing With Advertising & Service Partners
We share personal data only to run the website, deliver our online education communications, and (if you consent) measure and improve marketing. We do not sell personal data.
- Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events.
- Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversion events, audience membership signals, and where configured, hashed identifiers.
- Cloudflare (CDN/security): IP-based threat detection and performance optimization.
We do not permit these providers to use site data for their own independent commercial purposes. They process data as service providers (and in some cases as separate controllers for their platform operations) under their respective terms and privacy policies.
7. International Transfers
We are based in Norway, and we may use service providers that process data outside the EEA/UK, including in the United States (for example, Google and Meta). Where personal data is transferred internationally, we rely on appropriate safeguards such as:
- EU-U.S. Data Privacy Framework (DPF) (primary safeguard where applicable, since July 2023).
- UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF where applicable.
- Standard Contractual Clauses (EU 2021/914) as a fallback.
- UK International Data Transfer Agreement (IDTA) as a fallback for UK-related transfers.
We also apply technical and organizational measures intended to reduce transfer risks, such as minimizing data fields, restricting access, and using pseudonymization or hashing where supported.
8. Retention
We keep personal data only for as long as necessary for the purposes described above, then delete or anonymize it. Typical retention periods include:
- Contact and registration submissions: up to 2 years from the last interaction, unless a longer period is needed to manage an ongoing relationship or a legal obligation.
- Analytics data: typically 14 months (configuration-dependent).
- Marketing cookies: for the lifetime of the cookie (for example, 90 days) unless you withdraw consent sooner.
- Email correspondence: relationship duration plus up to 1 year where needed for continuity and recordkeeping.
- Server/security logs: typically up to 90 days, unless required longer for security investigations.
- Consent records: up to 3 years for audit and compliance documentation.
- Legal/tax retention: where required by law (for example, invoices where applicable), typically 6–10 years depending on the obligation.
9. Your Rights (GDPR & UK GDPR)
If GDPR (or UK GDPR) applies, you have the following rights, subject to legal limitations:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent at any time (Article 7(3))
- Right to lodge a complaint with a supervisory authority (Article 77)
To exercise your rights, email [email protected]. We aim to respond within 30 days. For complex requests, this may be extended by up to 60 additional days where permitted. We may request information needed to verify identity before completing a request.
Supervisory authorities: Norway is supervised by the Norwegian Data Protection Authority (Datatilsynet). You can also find general EU guidance via the European Data Protection Board:
- https://www.datatilsynet.no/
- https://edpb.europa.eu/
- UK Information Commissioner's Office (ICO): https://ico.org.uk/
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track
This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own handling of browser privacy signals, which is described in their privacy documentation.
12. Data Deletion Requests
To request deletion of your personal data, email [email protected] with the subject line “Data Deletion Request”. We will confirm receipt and may request additional details to verify identity. Requests are typically completed within 30 days, unless retention is required by law or necessary to establish, exercise, or defend legal claims.
13. Business Transfers
In a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide notice on the website.
14. California (CCPA / CPRA)
This section applies if you are a California resident and the CCPA/CPRA applies to our processing. Over the past 12 months, we may have collected the following categories of personal information:
- Identifiers: name, email, IP address, cookie IDs.
- Internet/network activity: browsing and interaction data on our site.
- Inferences: interests or preferences derived from interactions (used only where marketing consent is given).
We do not sell personal information as defined by the CCPA. We may share data for cross-context behavioral advertising if you enable marketing cookies. California residents may opt out of sharing for targeted advertising by using our cookie preferences panel.
Your rights may include the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your identity before completing the request. Authorized agents must provide written proof of authorization.
15. Virginia (VCDPA)
If you are a Virginia resident and the VCDPA applies, you may have rights to access, correct, delete, obtain a copy of your data, and opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.
Submit requests via [email protected] with the subject “Virginia Privacy Request”. If we decline to take action, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If an appeal is denied, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or our data practices. Material changes will be announced via a site notice at least 14 days before taking effect, where appropriate. The “Last Updated” date at the top of this page reflects the current version.
18. Contact
For privacy questions, requests, or complaints, contact:
- Esi Eiendom AS
- LitleĂĄsvegen 77, Nyborg, 5132, Norway
- [email protected]
- +47 55 50 12 84