Privacy Policy.

This Privacy Policy describes how Havellen & Dahl AS ("HD Arctic", "we", "us", or "our") collects, uses, and protects your personal information when you visit hdarctic.com or book any of our services. We comply with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).

Data Controller.

The company responsible for your personal data under GDPR is:

For privacy-related questions or to exercise your rights under GDPR, contact us at hello@hdarctic.com. We respond within 30 days as required by law — usually within 24 hours.

What We Collect.

We collect the minimum information needed to deliver our services. Nothing more.

Information you provide directly

• Booking and contact details — name, email address, phone number, and any travel preferences or special requirements you share when submitting a booking, concierge request, or contact form.
• Travel information — arrival and departure dates, party size, dietary requirements, mobility considerations, and any other preferences you share to help us design your trip.
• Payment information — when you book a package, payment is processed by Stripe. Card numbers and full payment details never touch our servers; we only receive a confirmation token and the transaction amount.
• Communications — emails, WhatsApp messages, or other written exchanges between you and us. We keep these for service quality and to honour your preferences across future trips.

Information collected automatically

• Technical data — IP address, browser type, device type, and operating system. Used purely to ensure the site works on your device and to detect abuse.
• Usage data — pages visited, time on site, referring URL. We don't currently use third-party analytics (no Google Analytics, no Meta pixel). If we add this in the future, we'll update this policy and ask for your consent first.
• Strictly necessary cookies — small files used to keep the site running, including session cookies and Stripe's payment cookies. See our Cookie Policy for the full list.

How We Use It.

We use your personal data for specific, limited purposes:

• To deliver your booking — coordinating accommodation, activities, transfers, and any concierge arrangements you have requested.
• To communicate with you — confirmations, pre-arrival information, in-trip support, and post-trip follow-up. If you opted in to our newsletter, occasional editorial updates and seasonal package releases.
• To process payment — via Stripe, the payment processor required to charge your card and issue receipts.
• To improve our service — understanding what guests value, where the experience could be better, and which packages resonate.
• To meet legal obligations — Norwegian tax, accounting, and consumer-protection laws require us to keep certain records for fixed periods.

We do not sell your data, share it for advertising purposes, or use it for any purpose not listed here.

Legal Basis.

Under GDPR, every use of personal data must have a legal basis. We rely on the following:

• Performance of a contract — when you book a package, we need your information to deliver the services you've paid for.
• Legitimate interest — for things like service improvement, fraud prevention, and post-trip communication directly related to your stay.
• Consent — for newsletter signups and any optional marketing communications. You can withdraw consent at any time by emailing us or clicking unsubscribe.
• Legal obligation — when retention or disclosure is required by Norwegian tax, accounting, or consumer law.

Sharing With Partners.

To deliver your trip, we share necessary information with carefully selected partners:

• Accommodation providers — Radisson Blu Hotel Tromsø (default for all packages) and any other hotel or residence used for your booking. Shared: name, arrival/departure dates, party size, any relevant accommodation preferences.
• Activity partners — primarily Best Arctic (our exclusive activity partner). Shared: name, party size, scheduled activity, any dietary or mobility considerations relevant to that activity.
• Transfer providers — drivers and shuttle operators. Shared: name, flight or pickup details, contact number.
• Payment processor (Stripe) — handles all card payments. See Stripe's Privacy Policy.
• Form submission service (Web3Forms) — receives concierge and contact form submissions and forwards them to our inbox. See Web3Forms' Privacy Policy.
• Email service — if we send transactional or branded confirmation emails, this is done through a transactional email provider. The provider only sees your email address and the booking details we send.
• Legal and regulatory authorities — only if legally required (e.g. tax authorities, court order).

We share only the minimum information needed for each partner to do their job. We never share your data with third-party advertisers.

International Transfers.

Some of our partners (notably Stripe and our hosting providers) are based outside the European Economic Area, primarily in the United States. When personal data is transferred outside the EEA, we ensure adequate protection through:

• Standard Contractual Clauses approved by the European Commission, or
• Adequacy decisions by the European Commission for countries deemed to provide adequate data protection, or
• The partner's own EU–US Data Privacy Framework certification.

If you'd like more detail on a specific transfer, ask us at hello@hdarctic.com.

Data Retention.

We keep your data only as long as we need it:

• Booking and contact data — for as long as you're an active or potential guest, plus 5 years after your last booking for accounting and consumer protection law compliance.
• Financial records — 5 years from the end of the financial year, as required by Norwegian Bookkeeping Act (Bokføringsloven).
• Communications — typically 3 years, to provide consistent service across return trips.
• Newsletter subscribers — until you unsubscribe, plus a short retention period to honour your unsubscribe request.
• Web logs and technical data — typically less than 30 days.

Your Rights.

Under GDPR, you have specific rights over your personal data. We honour all of them.

To exercise any of these rights, email hello@hdarctic.com. We'll respond within 30 days (often within 24 hours). There's no fee for reasonable requests.

Security.

We protect your personal data with appropriate technical and organisational measures:

• Encryption in transit — TLS/HTTPS across all pages and form submissions.
• Encryption at rest — for data stored on our servers and at our hosting and email providers.
• Access controls — only the team members who need access to your data have it, and authentication is enforced everywhere.
• Payment data isolation — credit card details never reach our servers; Stripe handles them entirely.
• Regular backups — to protect against data loss, with backups encrypted.
• Breach notification — in the unlikely event of a data breach affecting you, we'll notify you and Datatilsynet within 72 hours as required by GDPR.

Cookies.

We use a minimal set of cookies — strictly necessary ones to keep the site running and to process payments. We don't currently use analytics or advertising cookies.

For the full list of cookies we use, including those set by Stripe and other partners, and instructions on how to manage them, see our Cookie Policy.

Children.

Our services are intended for adults (18 and over) booking on behalf of themselves and their party. We don't knowingly collect data from anyone under 16. If you believe a child has submitted personal data to us, contact hello@hdarctic.com and we'll delete it immediately.

Changes to This Policy.

We may update this Privacy Policy from time to time — to reflect changes in our services, law, or best practice. The "Last updated" date at the top of this page tells you when it was most recently revised. Material changes will be communicated to existing customers by email.

Contact Us.

Privacy questions, data requests, or anything else — we respond within 24 hours.