GDPR Privacy Statement for TradeWpower AS

Privacy Statement for TradeWpower AS

Last Updated: August 2025
Version: 2.0

Your privacy matters to us

TradeWpower AS is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and Norwegian data protection law. This privacy statement explains how we collect, use, share, and protect your personal information when you use our energy analysis services, visit our website, or interact with us.

This statement applies to all personal data processing activities conducted by TradeWpower AS as a data controller. We have designed our data protection practices following the principles of data protection by design and by default, ensuring your privacy is protected from the outset.

1. Data Controller and Contact Information

Data Controller:
TradeWpower AS
Organization Number: 919 948 000
Holsjordet 88
2613 Lillehammer, Norway
Email: post@tradewpower.no
Phone: +47 928 46 276

Data Protection Officer:
Ivan Føre Svegaarden
Email: post@tradewpower.no
Phone: +47 928 46 276

Our Data Protection Officer is available to answer questions about our privacy practices and can be contacted directly by data subjects, employees, and supervisory authorities. The DPO operates independently in matters relating to data protection.

Norwegian Data Protection Authority:
For questions or complaints about our data processing, you may also contact:
Datatilsynet
PO Box 458 Sentrum
0105 Oslo, Norway
Website: www.datatilsynet.no

2. Personal Data We Process

2.1 Categories of Personal Data

We process the following categories of personal data in connection with our energy analysis services:

Customer Information:

  • Name, title, and company affiliation
  • Business contact details (email, phone, address)
  • Customer ID and account information
  • Communication preferences and marketing consents
  • Correspondence and communication history

Billing and Financial Data:

  • Invoice addresses and billing information
  • Payment details and transaction history
  • Credit assessment information, where applicable
  • VAT numbers and tax identification

Service Usage Data:

  • Energy consumption patterns and analysis data
  • Analysis reports and service utilization
  • Login credentials and authentication data
  • Service preferences and configurations

Website and Technical Data:

  • IP addresses and device identifiers
  • Browser type and version
  • Operating system information
  • Cookie identifiers and similar tracking technologies
  • Website interaction data (pages visited, click patterns)
  • Geographic location (country/region level)

Marketing and Analytics Data:

  • Newsletter subscriptions and preferences
  • Event registrations and participation
  • Marketing campaign responses
  • Website behaviour for service improvement

2.2 Sources of Personal Data

We collect personal data from:

  • Website registration and payment forms for service subscriptions and analysis purchases
  • Contact forms on our website and direct email communications for relationship management
  • Accounting systems for billing and financial record keeping
  • Automatic collection through cookies and similar technologies when you use our website
  • Third parties, including business partners, public registers, and credit reference agencies
  • Service interactions when you use our energy analysis platforms

3. Legal Basis and Purposes of Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

3.1 Contract Performance (Article 6(1)(b))

Purposes:

  • Providing energy analysis services
  • Managing customer accounts and relationships
  • Processing payments and billing
  • Customer support and service delivery
  • Fulfilling contractual obligations

3.2 Legal Obligations (Article 6(1)(c))

Purposes:

  • Compliance with Norwegian accounting and tax laws
  • Anti-money laundering and know-your-customer requirements
  • Energy sector regulatory reporting
  • Responding to lawful requests from authorities
  • Maintaining legally required records

3.3 Legitimate Interests (Article 6(1)(f))

We have conducted legitimate interest assessments for the following purposes, determining that our interests do not override your rights and freedoms:

Business Operations:

  • Fraud prevention and security monitoring
  • IT system security and network protection
  • Business intelligence and service improvement
  • Internal administration and group reporting

Marketing and Communications:

  • Direct marketing to existing business customers
  • Relevant service updates and industry insights
  • Event invitations and professional networking
  • Market research and customer satisfaction surveys

You have the right to object to processing based on legitimate interests (see Section 8).

3.4 Consent (Article 6(1)(a))

Purposes:

  • Marketing to prospects and non-customers
  • Non-essential cookies and tracking technologies
  • Optional service features requiring additional data
  • Participation in voluntary programs

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4. Cookie Policy and Website Tracking

4.1 Cookie Consent Requirements

Following Norwegian E-Com Act requirements (effective January 2025), we obtain your active, explicit consent before placing non-essential cookies. Our cookie management platform allows granular control over different cookie categories.

4.2 Types of Cookies We Use

Strictly Necessary Cookies (No consent required):

  • Session management and authentication
  • Security features and fraud prevention
  • Load balancing and technical performance
  • Retention period: Session or maximum 24 hours

Functional Cookies (Consent required):

  • Language and region preferences
  • User interface customisation
  • Enhanced functionality features
  • Retention period: 12 months

Analytics Cookies (Consent required):

  • Google Analytics 4 (with enhanced privacy settings)
  • Website performance measurement
  • User behaviour analysis for improvements
  • Retention period: 26 months

Marketing Cookies (Consent required):

  • LinkedIn Insight Tag for B2B marketing
  • Facebook Pixel for advertising effectiveness
  • Remarketing and audience building
  • Retention period: 90 days

4.3 Managing Cookie Preferences

You can manage your cookie preferences at any time through our Cookie Settings panel, accessible via the cookie icon on our website. You may also control cookies through your browser settings, though this may affect website functionality.

4.4 Third-Party Analytics Tools

Google Analytics: We use Google Analytics 4 with the following privacy safeguards:

  • IP anonymization enabled
  • Google Signals disabled
  • Data retention limited to 26 months
  • No data sharing with Google for product improvements
  • Processing under EU-US Data Privacy Framework

Social Media Analytics: LinkedIn and Facebook analytics are only activated with your explicit consent. We have joint controller agreements with these platforms, defining data protection responsibilities.

5. Data Recipients and Sharing

5.1 Categories of Recipients

We share your personal data only when necessary with:

Service Providers (Data Processors):

  • Cloud hosting providers (servers in EEA)
  • Payment processing services
  • Email and communication platforms
  • IT support and maintenance providers
  • Marketing automation tools

Business Partners:

  • Energy market data providers
  • Distribution network operators (where required)
  • Joint service delivery partners
  • Professional advisors (lawyers, auditors)

Authorities and Legal Entities:

  • Norwegian Tax Administration
  • Energy regulatory authorities
  • Law enforcement (upon lawful request)
  • Courts and dispute resolution bodies

5.2 Third-Party Processor Requirements

All our data processors are bound by GDPR Article 28 agreements, ensuring:

  • Processing only on our documented instructions
  • Confidentiality obligations for all personnel
  • Implementation of appropriate security measures
  • Prior authorisation for sub-processors
  • Assistance with GDPR compliance
  • Return or deletion of data upon termination

We maintain a register of processors and conduct regular compliance reviews.

6. International Data Transfers

6.1 Transfer Mechanisms

When transferring personal data outside the EEA, we ensure appropriate safeguards:

EU-US Data Privacy Framework: For certified US service providers Standard Contractual Clauses (2021): For other international transfers Transfer Impact Assessments: Conducted for all third-country transfers, Supplementary Measures: Additional technical and organisational safeguards where required

6.2 Specific Transfer Scenarios

United States: Primarily for Google Analytics and cloud services under DPF or SCCs with supplementary measures Other Countries: Case-by-case assessment with appropriate safeguards

You may request information about specific transfers and safeguards by contacting our DPO.

7. Data Retention Periods

We retain personal data only as long as necessary for specified purposes:

Data Category Retention Period Legal Basis
Customer contracts 7 years after termination Legal claims limitation
Billing and accounting records 5 years Norwegian Accounting Act
Trading data 5 years Regulatory requirements
Email correspondence 3 years Business documentation
Marketing preferences Until withdrawal + 2 years Suppression lists
Analytics data 14 months or anonymised Service improvement
Security logs 12 months Security monitoring
Job applications 6 months Recruitment purposes

After retention periods expire, data is securely deleted or anonymised using industry-standard methods.

8. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

Request confirmation of processing and receive a copy of your personal data along with information about how it’s processed. First copy free; reasonable fee for additional copies.

8.2 Right to Rectification (Article 16)

Request correction of inaccurate data or completion of incomplete data.

8.3 Right to Erasure (Article 17)

Request deletion when data is no longer necessary, processing is unlawful, or you withdraw consent. Subject to legal retention requirements.

8.4 Right to Restriction (Article 18)

Request limited processing while we verify accuracy, investigate unlawful processing, or assess legitimate interests.

8.5 Right to Data Portability (Article 20)

Receive your data in structured, machine-readable format for consent or contract-based processing.

8.6 Right to Object (Article 21)

  • Direct Marketing: Absolute right to object anytime
  • Legitimate Interests: Object subject to our compelling legitimate grounds
  • Profiling: Object to automated decision-making with significant effects

8.7 Right to Withdraw Consent

Withdraw consent anytime without affecting prior processing lawfulness.

8.8 How to Exercise Your Rights

Contact Methods:

Response Timeline: Within one month, extendable by two months for complex requests. Identification: We may request identity verification proportionate to data sensitivity Fees: Generally free; reasonable administrative fee for manifestly unfounded or excessive requests

8.9 Supervisory Authority Complaints

You may lodge complaints with Datatilsynet at www.datatilsynet.no or any competent EU supervisory authority.

9. Data Security Measures

9.1 Technical and Organisational Measures

We implement appropriate security measures based on risk assessment, including:

Infrastructure:

  • Website hosted on servers operated by ProIsp AS
  • WordPress platform with SSL encryption
  • Data centres located within the EEA
  • Regular backup and disaster recovery procedures

Technical Safeguards:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for system access
  • Regular security updates and vulnerability scanning
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Regular penetration testing and security audits

Organisational Safeguards:

  • Staff training on data protection and security
  • Confidentiality agreements for all personnel
  • Access controls based on the least privilege principle
  • Regular security awareness programs
  • Incident response procedures
  • Business continuity planning

9.2 Data Breach Response

In case of a personal data breach:

  • Authority Notification: Within 72 hours to Datatilsynet if risk exists
  • Individual Notification: Without undue delay if high risk to your rights
  • Breach Register: We maintain records of all incidents
  • Remediation: Immediate measures to contain and resolve breaches

Report security concerns to: post@tradewpower.no

10. Marketing Communications and Preferences

10.1 B2B Marketing Approach

For business contacts, we rely on legitimate interests for relevant professional communications. This includes:

  • Industry insights and market updates
  • Service announcements and improvements
  • Professional event invitations
  • Energy sector thought leadership

10.2 Managing Your Preferences

Email Footer: One-click unsubscribe in all marketing emails Contact Us: Email post@tradewpower.no to update preferences Suppression Lists: We maintain do-not-contact lists indefinitely

10.3 Third-Party Marketing

We do not sell or rent your data to third parties for their marketing purposes.

11. Automated Decision-Making and Profiling

We use limited automated processing for:

  • Fraud detection and prevention
  • Service personalization
  • Risk assessment for credit decisions

You have the right to a human review of computerised decisions with legal or significant effects. Contact our DPO to request human intervention or challenge automated decisions.

12. Updates to This Privacy Statement

We review this statement regularly and update it to reflect:

  • Changes in our data processing activities
  • New legal requirements or guidance
  • Improved transparency and clarity
  • Feedback from stakeholders

Notification of Changes: Material changes communicated via email or website notice Version History: Previous versions available upon request Review Frequency: Annual review minimum

13. Additional Information for Specific Services

13.1 Energy Analysis Platform

Additional processing for platform users includes:

  • Energy consumption data modeling
  • Market price analysis and forecasting
  • Performance benchmarking reports
  • Custom analysis report generation

13.2 Analysis Services

For analysis service customers:

  • Consumption pattern modeling
  • Predictive analytics for optimization
  • Benchmarking against anonymized datasets
  • Custom report generation

14. Questions and Concerns

We welcome questions about our privacy practices. Contact us through:

Data Protection Officer:

  • Email: post@tradewpower.no
  • Phone: +47 928 46 276
  • Post: TradeWpower AS, Holsjordet 88, 2613 Lillehammer

General Privacy Inquiries:

Response Commitment: We aim to respond to all privacy inquiries within 5 business days.

Document Control:

  • Effective Date: August 10, 2025
  • Review Date: August 10, 2026
  • Document Owner: Data Protection Officer
  • Approval: Ivan Føre Svegaarden, Chief Executive Officer