PRIVACY POLICY FOR MYKIT
Last updated: 11 October 2025
Applies to: www.mykit.no
Data Controller
Mykit AS (org. no. 935 481 937)
Vedafjellveien 1, 4336 Sandnes, Norway
Privacy contact: post@mykit.no
What personal data we process
– Customer data: name, address, email, phone, order and delivery history (for purchases).
– Payment data: transaction ID, amount, card type/mask, payment status. Card numbers are not stored by us. Payments are handled by Stripe.
– Technical data and cookies: IP address (anonymized for analytics), browser/device, usage patterns, and consent status.
– Ad measurement: events for Google Ads and Meta, only if you have given consent.
We do not offer newsletters/CRM and do not use CAPTCHA services at this time.
Purposes and legal bases
– Purchases and delivery (order processing, payment via Stripe, shipping via Posten): Contract (GDPR Art. 6(1)(b)).
– Customer service (inquiries about orders/delivery): Legitimate interests (Art. 6(1)(f)) and/or contract.
– Accounting obligations (bookkeeping and documentation): Legal obligation (Art. 6(1)(c)).
– Analytics and improvement (traffic analysis in Google Analytics 4 with IP anonymization): Legitimate interests (Art. 6(1)(f)); cookies are used only with consent where consent is required.
– Ad measurement (conversion tracking in Google Ads and Meta): Consent (Art. 6(1)(a)).
Sources
Data are primarily collected from you when you make a purchase or contact us. Technical data are collected via cookies and similar technologies as described in this policy and in the cookie settings.
Sharing and recipients (processors)
We use selected providers who process data on our behalf and only under agreement with us:
– Payments: Stripe Payments Europe, Ltd. (Stripe) for payment processing and fraud prevention.
– Shipping: Posten/Bring for transport and tracking.
– Analytics: Google Analytics 4 (with IP anonymization enabled).
– Ads/pixels: Google Ads and Meta, only if you have given consent.
– Operations/hosting/CDN: technical operations provider with access limited to operations.
Transfers outside the EEA
We strive to store and process data within the EEA. Some providers may involve processing outside the EEA. If a transfer occurs, we ensure a valid transfer mechanism (e.g., the EU Standard Contractual Clauses) and appropriate supplementary measures. You may contact us for an overview of the mechanisms in use.
Retention periods
– Order- and payment-related data are stored in accordance with bookkeeping rules (at least 5 years).
– Customer service inquiries are normally stored for up to 24 months after the last contact, unless the law requires longer retention.
– Analytics and ad data are stored in line with your consent and actual cookie lifetimes.
– Suppression lists for opt-outs/withdrawal of consent are stored as long as necessary to respect your choices.
Cookies and consent
We use necessary cookies for basic functions. Analytics and advertising are activated only if you consent via our EU-compliant consent banner (CMP). You can change or withdraw consent at any time via “Cookie settings” on the website.
Examples of cookies that may be used:
– Necessary: consent_mode, cookie_consent (stores consent choices, typically 6–12 months).
– Necessary: __stripe_mid and __stripe_sid (fraud prevention/payment via Stripe, lifetime up to 1 year/session).
– Analytics (only after consent): _ga and ga* (traffic analysis in GA4, typically up to 2 years).
– Advertising (only after consent): _gcl_au (Google Ads, conversion measurement, typically 90 days) and _fbp (Meta, ad measurement/behavior, typically 90 days).
The actual list may vary over time. The “Cookie settings” panel always shows an up-to-date overview.
Profiling and automated decisions
We do not make automated decisions that produce legal effects concerning you. With consent, we may use website events for basic segmentation to provide more relevant advertising.
Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing. Where processing is based on consent, you may withdraw your consent at any time. Send inquiries to post@mykit.no. We normally respond within 30 days. You may also lodge a complaint with the Norwegian Data Protection Authority (datatilsynet.no).
Children’s privacy
Our services are aimed at adults. We do not knowingly collect information about children. In Norway, children can consent to information society services from age 13. If you believe we have received information about a child below the age threshold, contact us and we will delete the data.
Security
We use industry-standard technical and organizational measures, including encryption (TLS) in transit, access control and the principle of least privilege, two-factor authentication where available, secure operations/hosting and regular updates, data minimization and deletion according to purpose and deadlines, and data processing agreements with suppliers.
Data Protection Impact Assessments (DPIA)
For new processing activities that may entail high risk to privacy, we carry out risk assessments and DPIAs where required.
Changes
We may update this policy when services or regulations change. The new version will be published on www.mykit.no with an updated date.