Privacy policy
1. Privacy policy and data controller
The privacy policy provides information about how To Rom og Kjøkken collects and uses personal data.
This privacy policy was published: 29.08.24
The company’s registered address is Carl Johans gate 5, 7010 Trondheim. You can contact To Rom og Kjøkken at: hege@2rok.no
To Rom og Kjøkken is the data controller for the personal data collected about you.
2. What is personal data
Personal data is anything that describes you or can be linked to you as an individual. It may include contact information (name, phone number, etc.), identification numbers (IP address, customer number, cookie ID, etc.) and information about actions or behavior (pages you have visited, reservations, emails you have received, etc.).
3. Why we collect personal data and its purpose
3.1 Statistics for improving websites and marketing communication
We collect and analyze data about how you and other users use the website. The purpose of this is to find out how the website is used so that we can improve our content and products/services based on this insight.
What data: Behavioral data (which pages you visit, what you click on, etc.), data about your device (type of computer/mobile phone, operating system, browser, etc.), data about your network and location (derived from IP address). All data is linked to an anonymous ID number that is stored in a cookie in your browser (read more about cookies)
Basis for processing: Legitimate interest. We find great value in collecting and analyzing this data material, and consider that it does not pose a major burden on your privacy as long as the information is not linked to other sources of information and contact details.
How we process personal data: We use Google Analytics to collect this data from your browser. The data is stored on Google’s servers, but is owned by us. It is not linked to other tools or sources unless you have given your consent (see other purposes). To minimize the impact on your privacy, the IP address is only stored in an anonymized form (read about IP anonymization), and we set the expiration time for the cookie that identifies you to a maximum of 7 days. Once the cookie has expired, the data will no longer have any link to you as a person. In addition, all individual data will be automatically deleted by Google Analytics after 14 months.
3.2 Tracking conversions for advertising
We measure the results of our marketing by reporting how many contact inquiries, registrations and reservations come from a marketing campaign. The purpose is to be able to optimize and streamline our marketing.
What data: That you have taken a specific action on our website and from which source you came to our website. Also linked to all other data collected for statistics (see above).
Basis for processing: Legitimate interest. Data processing enables us to use our resources as efficiently as possible and to save both effort and money on measures that do not produce results. In cases where it is not possible to collect data without linking the data to other information held by third parties, we rely on your active consent.
How we process personal data: Data processing follows the same principles as for general statistical purposes. Based on legitimate interest, we collect and process data in Google Analytics, and we send data to Google Ads using so-called Consent Mode (data is sent without cookie information). If you have consented to “marketing”, we send data to Google Ads in the usual way.
3.3 Targeting of advertisements
We collect data about your behavior on our website and share this with various advertising providers (data processors), for the purpose of achieving more precise targeting of advertisements.
What data: Behavioral data (what pages you visit, what you click on, etc.), data about your device (type of computer/mobile phone, operating system, browser, etc.), data about your network and location (derived from IP address). All data is linked to an anonymous ID number that is stored in a cookie in your browser. This ID number is a common identifier for you across all the websites you visit, which exchange data with the same advertising providers.
Basis for processing: Consent, which you provide by accepting “marketing” as the purpose (or “all”) when you visit our websites. You can change your consent in the bottom left corner of the page.
How we process personal data: Data is collected from your browser when you visit our pages and sent for storage and processing by Google Ads. Subsequently, you are placed in different “audiences” with these providers, which allows us to buy advertising from them that you will see when you visit other websites in their network. Data about you is also included in your general profile with the provider and is used to describe your interests and estimate other characteristics about you (profiling). If you have provided contact details or other personal information to the provider, the data is also linked to this. This provides a basis for advertisers other than Synlighet who use the same ad network to buy ads with more precise targeting. The consequence for you is that the ads you see will be more adapted to you and your situation. To avoid data about your behavior on our pages being used in this way, you can avoid consenting to the use of cookies for “marketing”. To generally prevent advertising providers from collecting such data and using it to create a profile of you, you can either delete/reject all cookies in your browser, or edit your settings with the provider. Here are links to how you can do this at Google.
3.4 Follow-up of enquiries and sales processes
When you make an enquiry via the contact form, make a table reservation or register for an event/course, we collect the necessary information. You enter what is necessary for booking and payment. The purpose of the collection is to provide you with the best possible service when following up on current and future bookings.
What data: name, telephone number, e-mail address, place of work when booking a work event, address when delivering catering, allergies that are relevant to the serving of food and drink.
Basis for processing: Legitimate interest
How we process personal data: Personal data and interactions are stored in our customer register. This happens automatically when you fill in information on the website yourself, or manually if an inquiry is made via our employees. The employees who process reservations/bookings have access to the information, and it is stored in our customer register for one year.
3.5 Sending of newsletters
By joining our guest club or checking that you want to receive newsletters from us when booking, we collect the necessary information. The purpose of this is to be able to send you relevant information by email about e.g. courses, invitations and offers.
What data: Name, e-mail address
Basis for processing: Consent, which you give by checking “e-mail” when booking or signing up for newsletters. How we process personal data: The data is automatically stored in our mail platform Mailchimp, and will be stored until you unsubscribe yourself.
3.10 Transfer of personal data to recipients in countries outside the EEA
We aim for all processing of personal data to be carried out within the EEA, but we may use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA shall take place in countries approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data under Chapter V of the GDPR. If the transfer is not to a country approved by the European Commission, the transfer will only take place in accordance with the safeguards set out in Article 46 (2) of the GDPR. If you contact us, you will be informed of the basis used for the transfer. Both the suppliers we use for advertising and analysis (such as Google, etc.) are based in the USA, and data will in many cases be transferred there. We are aware of the challenges and requirements that follow from the “Schrems II” ruling, and are working to find good solutions to this.
4. Your rights
Below are your rights as a data subject. To exercise your rights, you must contact us here: https://www.toromogkjokken.no/kontakt/
We will respond to your inquiry to us as soon as possible. If necessary, we will ask you to confirm your identity or provide additional information before we allow you to exercise your rights towards us. We do this to ensure that we only give access to your personal data to you – and not someone pretending to be you. When it comes to information collected on the basis of you being identified with the use of cookies, such confirmation will be very difficult. We are therefore unable to give you access to this information other than on a general basis, or make changes or deletions. If you delete cookies in your browser, the information we have stored will no longer have any connection to you.
4.2 Information
You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
4.3 Access
You have the right to demand access to the personal data processed about you.
4.4 Amendments and deletion
You can also ask us to correct incorrect information we have about you or ask us to delete personal data. We will, as far as possible, comply with a request to delete personal data, but we cannot do this if we still need the data.
4.5 Processing on the basis of consent
If we process personal data on the basis of your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method stated when you gave your consent or contact us.
4.6 Right to restrict or object to processing
You have the right to have the processing restricted in certain cases, such as if:
a) You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data.
b) The processing is unlawful and you object to the erasure of the personal data and instead request that the use of the personal data be restricted.
c) We no longer need the personal data for the purpose of the processing, but you need it to establish, exercise or defend legal claims.
d) You have objected to processing under Article 21(1) of the GDPR pending the verification of whether our legitimate interests override your privacy.
4.7 The right to data portability
For data that you have provided to us and is necessary to perform a contract with us, and which is processed automatically (i.e. not manually by us), you may request that your personal data be disclosed or transferred to another provider in a structured, commonly used and machine-readable format (data portability).
4.8 Automated decisions, including profiling
There will be no automated decisions as mentioned in GDPR Article 22 (1) and (4) based on your personal data besides what is done during the targeting of ads, see above.
5. General information about retention and storage (deletion) of personal data
We retain personal data for as long as is necessary for the purpose for which the personal data was collected, and delete the data in line with regulatory requirements. How long we process the individual types of information we process is included above where the individual treatments are described.
Instead of deleting the personal data, it may in some cases be relevant to anonymize the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from data sets that are retained.
This means, for example, that personal data that we process on the basis of your consent will be deleted if you withdraw your consent. Personal data we process in order to fulfill an agreement with you will be deleted when the agreement has been fulfilled and all obligations arising from the contractual relationship have been fulfilled, such as legal obligations related to accounting, follow-up of the customer relationship related to complaints, etc.
6. Complainant
We use the Norwegian Data Protection Authority (Datatilsynet) as the lead supervisory authority for cross-border processing under Article 56 of the GDPR.
If you believe that our processing of personal data is not in accordance with what we have described here or that we are otherwise in breach of data protection legislation, you can complain to the Norwegian Data Protection Authority. However, we ask you to contact us first, so that we can rectify any incorrect processing as quickly as possible.
You can find information about your rights and how to contact the Data Protection Authority on the Data Protection Authority’s website: www.datatilsynet.no.