Privacy Policy
Last updated: June 2026
1. Introduction
This Privacy Policy explains how Dombestein Data ("I", "me", "we") collects, uses and protects personal data in connection with this website and the services offered. The goal is to be transparent, understandable, and respect your rights under applicable data protection law, including the EU/EEA General Data Protection Regulation (GDPR).
This policy covers:
- Visitors to the website dombesteindata.net and related subpages;
- People who contact Dombestein Data (for example by e-mail or via a contact form);
- Clients and collaboration partners in connection with web development and software projects.
2. Who is responsible for your data?
The data controller for the processing described in this policy is:
Dombestein Data
E-mail: isak@dombesteindata.net
For some client projects (for example, systems developed for Ad Fontes), Dombestein Data may also act as a data processor on behalf of that client. In those cases, the client is the data controller, and a separate Data Processing Agreement (DPA) will apply in addition to this policy.
3. What data is collected?
The amount of personal data collected is intentionally kept to a minimum. Depending on how you interact with Dombestein Data, the following categories may be processed:
3.1 Contact information
- Name
- E-mail address
- Other information you choose to include in a message
3.2 Usage and technical data
When you visit this website, basic technical information is processed automatically:
- Basic request metadata processed by hosting and security providers
This information is largely handled by the hosting and infrastructure providers (for example Cloudflare) as part of providing a secure and stable service.
3.3 Client and project data
For clients and collaboration partners, additional information may be processed:
- Contact persons and roles;
- Project-related communication and documentation;
- Billing and payment details where relevant.
4. Purposes and legal bases
Personal data is only processed when there is a legal basis under GDPR. The main purposes and corresponding legal bases are:
4.1 Responding to enquiries and communication
When you contact Dombestein Data, your contact details and message are used to respond and follow up. The legal basis is GDPR Article 6(1)(f) - legitimate interest in answering enquiries and maintaining contact with potential and existing clients.
4.2 Entering into and fulfilling agreements
For client projects, personal data may be processed to enter into, manage, and fulfil contracts. The legal basis is GDPR Article 6(1)(b) - necessary for the performance of a contract or to take steps at your request before entering into a contract.
4.3 Security, troubleshooting and abuse prevention
Technical logs and limited IP data may be processed to maintain security, prevent misuse, and troubleshoot errors. The legal basis is GDPR Article 6(1)(f) - legitimate interest in protecting the service, users and infrastructure.
5. Sources of data
Most personal data is obtained directly from you, for example when you:
- Send an e-mail or use a contact form;
- Act as a contact person for a client project;
- Use a system developed and operated by Dombestein Data on behalf of a client.
In some cases, contact information may be provided by your employer or student organisation if they designate you as a contact person in a project.
6. Sharing and use of processors
Personal data is not sold and is only shared where necessary to provide services or when required by law. Trusted third-party providers (data processors) are used for hosting, e-mail delivery and similar infrastructure.
Typical categories of processors include:
- Hosting and infrastructure (Cloudflare Pages, Workers and Turnstile);
- Transactional e-mail (Resend).
With each processor, appropriate data protection agreements are in place, and only the minimum necessary personal data is shared.
7. International transfers
Some service providers are based outside the EU/EEA, or may process data in countries such as the USA. In these cases, one or more of the following safeguards are relied on:
- Data centres located within the EU/EEA where available;
- EU Standard Contractual Clauses (SCCs) and supplementary measures;
- Other legally recognised transfer mechanisms where applicable.
For more information about these providers and links to their documentation, see the relevant project-specific documentation or contact Dombestein Data.
8. Retention
Personal data is kept only for as long as necessary for the purposes described above, or as required by law (for example, accounting rules).
- General enquiries are normally kept for a limited period, then deleted when follow-up is complete.
- Messages submitted through the contact form are retained for as long as necessary to respond and follow up on the enquiry.
- Project-related data is retained for the duration of the project and a reasonable period afterwards (for example for documentation, error tracing or contractual obligations).
- Legal documentation such as invoices may be stored for up to 5 years in line with Norwegian bookkeeping requirements.
9. Security
Appropriate technical and organisational measures are used to protect personal data, including:
- Use of reputable hosting providers with strong security practices;
- Encryption of data in transit (HTTPS);
- Access control and principle of least privilege for accounts and tools;
- Regular updates of software and dependencies.
No system can be completely risk-free, but the aim is to keep risk at a reasonable and proportional level.
10. Your rights
Under GDPR, you have several rights regarding your personal data. These include:
- Right of access - to know what data is processed about you and to receive a copy;
- Right to rectification - to have incorrect or incomplete data corrected;
- Right to erasure - to request deletion of data in certain situations;
- Right to restriction - to request that processing is temporarily limited;
- Right to object - to object to processing based on legitimate interests;
- Right to data portability - for some data processed on the basis of consent or contract.
To exercise your rights, contact Dombestein Data at isak@dombesteindata.net. You may be asked to provide information to confirm your identity before your request is handled.
11. Complaints
If you believe your personal data has been processed in violation of data protection rules, you have the right to lodge a complaint with your local supervisory authority. In Norway, this is:
Datatilsynet
Website: www.datatilsynet.no
12. Changes to this policy
This Privacy Policy may be updated from time to time, for example if services change or if legal requirements are updated. The latest version will always be available on this page, with the "Last updated" date shown at the top.