Privacy policy for maco.io

Maksimer will process personal data as part of our business operations. We are committed to handling personal data in a secure and lawful manner.

Our processing of personal data as a data controller is based on the nature and purpose of our business, which is to build, develop, and grow integrated online stores. Information about the personal data we process, the legal basis for the processing, the purpose of the processing, and the retention period, among other details, can be found below.

We may also process personal data in ways not mentioned below. In such cases, we will inform the individuals concerned through means other than this statement.

Additionally, we may act as a data processor for our customers in connection with our services. This means that our customers are responsible for the processing. See more details about this below.

If you have any questions or wish to know more about our processing of personal data, please feel free to contact us – see contact information below.

1 RESPONSIBLE FOR PROCESSING PERSONAL DATA
Maksimer AS is the data controller, meaning we determine why and how personal data will be processed for the activities described below. However, this does not apply when we act as a data processor, i.e., when we process personal data on behalf of our customers – see Section 4.

Contact information for the Data controller:
Maksimer AS, Bergen
Edvard Griegs Vei 3C, 5059 Bergen
Phone: +47 55 91 31 35
Email: post@maksimer.no
Organization Number: 979 498 047

2 PROCESSING OF PERSONAL DATA
We collect and use personal data for various purposes depending on who you are and how we interact with you.
All processing of personal data must comply with applicable privacy regulations, including the Personal Data Act and the General Data Protection Regulation (GDPR).

Personal data refers to any information about a natural person that can directly or indirectly identify them (the latter is referred to as the “data subject”).

Processing of personal data includes any activity performed with personal data, such as collection, registration, organization, structuring, storage, adaptation, alteration, transfer, or deletion.

If we act as a data processor, i.e., processing personal data on behalf of others, you will receive information about the processing from the data controller. However, you may still contact us regarding the processing of your personal data, and we will refer you to the appropriate data controller. See also below for more details about our role as a data processor.

Below are the processing activities we conduct as a data controller in our business:

2.1 Communication and contact
We process personal data about individuals who contact us to respond to and document the communication and to reach out to others. This applies to all forms of communication, including physical and digital, written and oral.

In such cases, we process names, phone numbers, email addresses, and any personal data included in the inquiry, including history or logs of the interaction.

The processing of data is based on our legitimate interest in handling personal data for the above purposes (see GDPR Article 6(1)(f)). We have assessed that our legitimate interest in maintaining contact with external parties, documenting our business activities, and responding to inquiries outweighs the data subjects’ privacy interests.

Providing personal data is voluntary but necessary for us to respond to inquiries.

We retain the information until we believe no further follow-up will occur, typically for two years.

2.2 Email
We use email as a communication tool that contains personal data. The processing is based on our legitimate interest in using email as a work tool and communication solution (see GDPR Article 6(1)(f)) and ensuring that the privacy interests of the data subjects do not outweigh these interests. The personal data processed in emails depends on the purpose and content of the email. Emails are deleted when they are no longer necessary, and we have measures in place to ensure regular deletion of emails. Our security solutions also have access to emails, but only for automated processing.

2.3 Information and marketing
If you request information or subscribe to newsletters, we will send you information about our products and services, offerings from partners, newsletters, and other information and marketing materials. In such cases, we will process your email address and any information you provide to us in this context.

We process personal data to inform you about services and products that may be of interest to you, and the processing is based on your consent (GDPR Article 6(1)(a)). You may withdraw your consent at any time by using the unsubscribe options in the communications you receive or by contacting us to opt out of direct marketing and/or profiling under GDPR Article 21(2).

We only process personal data necessary to send communications, such as your email address and name, to make the communication more personal and ensure it reaches the correct recipient. Your email address and the information you have provided are not used for purposes other than sending the newsletter.

The processing continues until you have received the requested information or withdrawn your consent. Afterward, your personal data will be deleted.

2.4 Information about services
We may also send out information about our services and products that do not involve marketing. This will be done regardless of whether you have provided consent, and personal data will be processed on the basis that we are either fulfilling an agreement with you as an existing customer (GDPR Article 6(1)(b)) or based on our legitimate interest in informing our users and contacts about our services (GDPR Article 6(1)(f)). Alternatively, we may process the data based on your consent (GDPR Article 6(1)(a)).

The purpose of this processing is to keep you updated about the products and services you receive and to follow up on purchases of products or services. The processing of personal data will continue as long as you receive our services.

2.5 Existing and potential customers, suppliers, and partners

We process personal data about contact persons at existing and potential customers (in business relationships), suppliers, and other partners for sales and marketing activities, managing relationships with suppliers and others, preparing, executing, and documenting services, and evaluating the use of services. In these cases, we process names, contact information, company names, and information related to the interaction with the company the individual represents.

The processing of personal data is based on our legitimate interest (GDPR Article 6(1)(f)) in managing relationships with our customers, partners, and suppliers, and we have assessed that our interest outweighs the privacy interests of the individuals.

We also store and disclose information where we have a legal obligation to do so, for example, under accounting and tax legislation.

Data is retained and processed as long as necessary, for example, to document matters related to the services provided.

In many cases, it will be necessary for us to collect personal data to enter into agreements with customers and suppliers, including documenting that an agreement has been made. If we do not receive the required information, we will not be able to enter into agreements.

Providing personal data is voluntary for contact persons. If we collect personal data from other sources, it will mainly include contact information (such as name, address, phone number, and email address), position, role, employer, and, where relevant, skills and references. The source of such information will typically be the contact person’s employer, for example, from the employer’s website. In some cases, we may obtain references from others to assess the suitability of suppliers and partners.

We retain the data until the relationship with the customer, supplier, or partner ends, or until the contact person ceases to be a contact person, with the exceptions mentioned above.

2.6 Recruitment
When recruiting for new positions with us, we will process personal data related to CVs, applications, references, interview notes, results from reference checks, and similar documentation.

We may use job application services to manage submitted applications, in which case these services act as our data processors. If you create a profile with such a job application service, that service will be the data controller, and their privacy policy will apply for the processing of personal data within their platform. The processing of personal data is based on the consent you provide to the job application service (GDPR Article 6(1)(a), where such consent is obtained, or on the grounds outlined below.

The basis for processing personal data during recruitment is that the processing is necessary to take steps prior to potentially entering into an employment agreement with the job applicant (GDPR Article 6(1)(b)).

If we conduct additional background checks beyond contacting the references you have provided—such as by researching your history or performing other searches—this processing of personal data will be based on our legitimate interest in ensuring that the most suitable candidate is hired for the position (GDPR Article 6(1)(f)). For such cases, we have assessed that our legitimate interest in recruiting new employees outweighs individual privacy concerns.

We encourage you not to include sensitive personal data, such as information about health, religion, political opinions, or trade union membership, in your application.

In cases where we process sensitive personal data, such processing will be based on your consent (GDPR Article 9(2)(a)). Consent can be withdrawn at any time, and withdrawing your consent will not affect the lawfulness of processing conducted before the withdrawal.

Personal data will be deleted as soon as the recruitment process is completed, unless you have given consent for longer retention.

2.7 Events
For participants in events, contact information and the specific event they are attending will be registered and processed to identify participants, facilitate necessary communication, and potentially issue invoices for participation fees.

Processing of personal data will be carried out to fulfill an agreement with the participant (GDPR Article 6(1)(b)). For participants representing a company, the processing will be based on our legitimate interest (GDPR Article 6(1)(f)) in organizing events as part of our business operations. In such cases, we have assessed that our legitimate interest outweighs individual privacy concerns.

If food and/or beverages are served, we may collect information about preferences, which may indicate health or religious beliefs. This information will only be processed by us and will be deleted immediately after the event. Such data will be processed based on consent.

2.8 Social media
We interact with stakeholders and others through social media. For example, we have established a Facebook page where we are jointly responsible with Facebook for the processing of personal data related to this platform. On our Facebook page, personal data is processed when you post on the page, comment on posts, or “like”/follow the page.

Our purpose for processing personal data through Facebook is to communicate with those who wish to engage with us or interact on our Facebook page in other ways (see also section 2.2 on communication).

In this context, we process your name and any other information associated with your Facebook account that you have shared, as well as anything you post or comment on our Facebook page and the fact that you have “liked” or follow our page. What you choose to share on the Facebook page is entirely up to you and voluntary.

We kindly ask that you refrain from sharing personal information in posts or comments on our page, particularly personal data about others, such as by “tagging” or mentioning individuals.

We process personal data on social media, such as Facebook, based on our legitimate interest in communicating with the public via social media (GDPR Article 6(1)(f)). We have assessed that this communication is necessary for us to interact with the public and handle inquiries we receive, and that the privacy of the individuals does not outweigh these interests.

The information will be processed as long as the posts/comments remain available on the social media platform. You can delete your posts or comments at any time.

2.9 Use of websites

Our websites and services use cookies to collect information aimed at improving the customer experience and providing functionality within our services. We also use this information to offer visitors recommendations and service customizations tailored to your interests. This customization is based on visitor behavior, such as services used, links clicked, or information read, as well as the behavior of other users with similar usage patterns. Additionally, cookies are used to deliver personalized marketing on our websites, in ad networks, and on social media. Wherever feasible, we aim to do this using anonymous data, ensuring it is not directly linked to individual visitors.

A cookie is a text file or data stored in your browser’s memory when you visit or interact with a website. It may also refer to a numerical or alphanumeric identifier that can recognize your browser or device when you use the website (referred to as cookies for simplicity).

You can prevent cookies from being stored in your browser. Many browsers or devices are set to accept cookies automatically, but you can adjust the settings to block cookies. However, disabling cookies may result in suboptimal website functionality, as most cookies are essential for providing a functional user experience.

We also use tools other than cookies to collect information, such as your IP address, browser type, operating system, and the date and time of your visit to our websites and services. This data is used to analyze trends and improve the usability of our website and services.

We process this data based on your consent (GDPR Article 6(1)(a)). The information will be processed until you withdraw your consent, which can be done by revisiting and adjusting the consent options on our website.

The specific cookies used are listed in the pop-up box that appears the first time you visit the website, or you can click the circle at the bottom left of the page to review and update your cookie preferences.

Essential and functional cookies, as well as cookies for statistical purposes, are processed based on our legitimate interest (GDPR Article 6(1)(f)) in tailoring the website to our users. We have assessed that this interest outweighs individual privacy concerns. However, we ensure the privacy of visitors by only using aggregated data for statistics, which cannot identify individuals.

The collected data will be retained for as long as necessary to fulfill the purposes outlined above.

3. PROCESSING BASED ON CONSENT
If we process personal data based on your consent, as described above, you may withdraw your consent at any time without affecting the legality of processing performed before the withdrawal. Please contact us if you wish to withdraw your consent.

Note that if you withdraw your consent, we may still process all or parts of the data if another legal basis for processing exists.

4. RETENTION AND STORAGE (DELETION) OF PERSONAL DATA
We retain personal data for as long as it is necessary for the purpose for which the data was collected and delete the data in accordance with regulatory requirements. The duration of data retention varies depending on how the data was collected and the purpose for which it was collected.

When we delete the data is specified in the sections above where individual processing activities are described, or the retention period is based on the following criteria:

  • Whether we have a legal or contractual obligation to retain the data, such as addressing potential claims against us.
  • Whether the data is necessary for our business operations.
  • Where the processing is based on consent, when the consent is withdrawn.

When we no longer have an ongoing legitimate need to process your personal data, it will be deleted or anonymized as quickly as possible in accordance with applicable law.

In some cases, instead of deleting the personal data, it may be appropriate to anonymize it. Anonymization means removing all identifying or potentially identifying characteristics from the dataset being retained.

This means, for example, that personal data processed based on your consent will be deleted if you withdraw your consent. Personal data processed to fulfill an agreement with you will be deleted once the agreement is fulfilled, and all obligations arising from the agreement, such as legal requirements for accounting or follow-up related to complaints, have been met. Personal data processed due to legal obligations will be deleted as soon as we are no longer required by law to retain it.

5. PROCESSING OF PERSONAL DATA AS PART OF SERVICES
Our customers who use our services are the data controllers for the personal data processed through the use of those services, such as when we host websites and online stores for customers. In such cases, we process personal data on behalf of the customer and act as a data processor. A data processing agreement has been established between us and our customers to regulate our processing of personal data on their behalf.

The information in this privacy policy also applies to our processing of personal data concerning our customers’ customers, particularly regarding the disclosure and transfer of personal data, as well as security and technical measures. The deletion of personal data depends on when our customer decides to delete the data. We will never use information or data from our services unless explicitly instructed or approved by our customers.

We send emails to contact persons using our services and to our customers to provide information about the services, such as technical updates, upgrades, and new features, in addition to emails automatically generated by our services. Recipients of these emails can opt out or inform us that they do not wish to receive such communications.

Below, we provide a general description of the processing activities performed within our services. Individual data controllers may process personal data differently or have different processing requirements within the services. The data controller is responsible for informing users about the specific processing activities performed, even though we act as the data processor. However, we have made this information available to make it easier for users to understand the processing activities conducted.

Purpose of the Processing
The purpose of processing personal data within the service is to deliver the functions and perform the tasks intended by the service, such as websites, online stores, and similar functionalities.

Processing activities in the service
The following processing of personal data is carried out within the service:

  • Registration of personal data associated with users of the service and others registered in the service (personal data), as detailed below.
  • Integration with other systems, which may involve compilation, modification, and transfer of personal data to these systems.
  • Calculating statistics and analyses presented in reports. These reports do not contain personal data.
  • Backup of data (including personal data).
  • Operational personnel use their administrative access to perform user support and operational maintenance on the data and resources (servers, databases, user accounts, etc.) managed by the data controller.

Personal data collected and processed
The following categories of personal data are processed for the individuals mentioned above: name, email, phone number, and username of users of the service, including information on whether an account is registered within the service.

The data collected depends on the service provided. For example, an online store may collect information about purchases, deliveries, payment details, complaints, contact with the store, etc. Additionally, the service may collect and process logs and usage history from websites/online stores, communication sent out, and technical information about the devices used to access the service.

The legal basis for processing personal data depends on the purpose set by our customer as the data controller. Typically, the processing is conducted to fulfill an agreement with the user, meet a legal obligation (e.g., accounting requirements), or support a legitimate interest of the business, such as maintaining contact with potential and existing customers or recording activity on websites/online stores.

Processing activities where we are the Data controller
We act as the data controller for certain personal data processed in connection with our services. These activities include:

System monitoring and error correction
We monitor our systems for errors and issues, which may involve storing and processing personal data. The legal basis for processing personal data for this purpose is our legitimate interest in ensuring our systems and solutions function without errors or issues.

Security
We process personal data as part of efforts to protect our solutions and services, users, and ourselves from security breaches, fraud, misuse, etc. The legal basis for this processing is our legitimate interest and obligations under data protection regulations to ensure personal data security (e.g., GDPR Articles 24 and 32) and our obligations under data processing agreements with our customers.

Compliance with legal obligations
We may be required to process personal data to fulfill other legal obligations, such as securing data related to legal disputes or complying with disclosure requirements. The legal basis for this processing is that it is necessary to fulfill a legal obligation imposed on us.

Communication with users
We may send information about the solution to its users, including details on availability, functionality, and other relevant updates. These communications are based on our legitimate interest in keeping users informed about the solution. You may opt out of such communications, but we recommend against doing so, as you may miss important updates.

Your rights
If we act as the data processor in the processing of personal data as described above, you must contact the data controller to exercise your rights. However, the rights you have will generally be the same as those listed below. If you contact us, we can assist in directing you to the data controller, provided we have this information.

If we are the data controller, you can find more information about your rights below, and you are welcome to contact us to exercise them.

6. TRANSFER OR DISCLOSURE OF PERSONAL DATA TO OTHERS
We do not share personal data with others except as mentioned in this statement and unless there is a legal basis for doing so. Such legal bases typically include an agreement with or consent from the data subject or a legal obligation requiring us to disclose the information. This may include public authorities, such as tax collection agencies (if necessary), accountants/auditors, and other parties essential to our operations, such as banking institutions.

We use data processors to collect, store, or otherwise process personal data on our behalf. In such cases, we have entered into agreements to ensure your rights and the security of your personal data throughout all stages of the processing.

If required by law or if there is suspicion of criminal activity in connection with the use of our services, the personal data we have stored about you may be disclosed to public authorities, such as the police, during investigations.

If personal data is subject to transfer to another organization in connection with a merger, financing, reorganization, or dissolution transaction involving all or part of our business, such transfer will only occur if the parties involved have entered into an agreement that limits the collection, use, and sharing of the personal data to purposes directly related to the transaction. This includes provisions on whether the transaction proceeds or not, and the personal data will only be used by the parties to execute and complete the transaction. If another company acquires us, our business, or our assets, that company will have access to the personal data we have collected and will assume the rights and obligations regarding your personal data as described in this privacy statement.

7. TRANSFER OF PERSONAL DATA TO RECIPIENTS IN COUNTRIES OUTSIDE THE EEA
Our goal is to ensure that all processing of personal data takes place within the EEA. However, there may be instances where we use suppliers or process personal data outside the EEA. In such cases, the transfer and processing outside the EEA (third countries) will only occur in countries approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data under GDPR Chapter V.

If the transfer does not take place to a country approved by the European Commission, it will only occur under the safeguards outlined in GDPR Article 46(2). You may contact us to learn about the legal basis used for such transfers.

8. SECURITY OF PROCESSING

We prioritize the security of personal data highly in our operations and implement all required technical and organizational measures to safeguard your personal data.

We handle information to ensure it is accurate, accessible, and managed according to its sensitivity. Additionally, we employ various security technologies and information security procedures to protect personal data from unauthorized access, use, or disclosure. Risk assessments are conducted for the processing of personal data.

We have entered into data processing agreements with all our suppliers who process personal data, requiring them to maintain the same level of security as we do for our processing of personal data.

Access to personal data is restricted to personnel or third parties who process the data on our behalf. These parties are bound by confidentiality obligations.

Procedures are in place for handling information security breaches (data protection breaches). If a breach occurs that poses a risk to the privacy of the individuals whose data is affected, we will report the incident to the Norwegian Data Protection Authority (Datatilsynet) as soon as possible and no later than 72 hours after discovering the breach. If the breach presents a high risk to the privacy of the affected individuals, we will also notify those individuals.

9. YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA ABOUT YOU

Below are your rights regarding the processing of your personal data. To exercise your rights, please contact us using the contact information provided above or by following the instructions below. We will respond to your inquiry as quickly as possible, and no later than within one month. If it takes longer than one month, we will notify you.

We may ask you to confirm your identity or provide additional information before we allow you to exercise your rights with us. This is to ensure that we only provide access to your personal data to you—and not to someone pretending to be you.

The rights below apply where we act as the data controller (see above). If we are acting as a data processor for our customers, and you are using services provided by one of our customers, that customer is responsible for the processing of personal data (data controller). You must contact the service provider to exercise your rights regarding your personal data. In such cases, your rights will generally be as described below.

9.1 Right to information
You have the right to be informed about the personal data we process about you. This privacy statement provides details about our processing of personal data. You can also contact us if you wish to obtain more information. If we have disclosed your data to others, we are obligated to inform the recipient about any request to correct or delete personal data (see section 9.3 below) or to restrict processing (see section 9.5 below), unless doing so is impossible or involves disproportionate effort. We are also obligated to inform you of such disclosures if you request it.

9.2 Right to access
You have the right to request access to the personal data processed about you. Contact us if you wish to request access. If requested, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you wish to receive a copy of, to facilitate the process. When providing a copy of your personal data, we may ask you to verify your identity to ensure we do not disclose personal data to unauthorized individuals. The data will be provided in digital format unless you request it in another form.

9.3 Right to rectification and erasure
You may ask us to correct inaccurate information we have about you or request that we delete personal data. We will accommodate requests to delete personal data wherever possible, but we may not do so if the data is still needed for legitimate purposes.

9.4 Processing based on consent
If we process personal data based on your consent, you may withdraw your consent at any time. The easiest way to do this is by using the method indicated when you provided consent or by contacting us.

9.5 Right to restrict or object to processing
You have the right to request that we restrict the processing of your personal data under certain conditions, as outlined in GDPR Article 21. When processing is restricted, the personal data will only be stored. If our processing is based on legitimate interests, you have the right to object to the processing of your personal data. If you object, we will stop the relevant processing unless there are compelling legitimate grounds to continue. You may also opt out of the processing of personal data related to marketing, including profiling to the extent it is related to direct marketing (see GDPR Article 22(2)).

9.6 Right to data portability
For information you have provided to us that is necessary to fulfill an agreement with us and is processed automatically (i.e., not manually), you can request to have your personal data delivered to you or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).

9.7 Automated processing, including profiling
No automated processing, including profiling, will be carried out based on your personal data that produces legal effects or significantly affects you. See GDPR Article 22(1) and (4).

9.8 Right to notification
If a data breach occurs, meaning a breach of personal data security that results in a high risk to your privacy, we will notify you without undue delay.

10. COMPLAINTS
If you believe that our processing of personal data is not in accordance with what we have described here or that we are otherwise violating data protection laws, you can file a complaint with the Norwegian Data Protection Authority (Datatilsynet). However, we encourage you to contact us first so that we can correct any issues as quickly as possible.

You can find information about your rights and how to contact the Norwegian Data Protection Authority on their website: www.datatilsynet.no.

11. CHANGES
If there are changes to how we process personal data or changes to the regulations governing data processing, this may result in changes to the information provided here. If these changes directly affect you and are significant to your privacy, we may contact you if we have your contact information. Otherwise, you will always find the latest version of this privacy statement on our website.