Shapemaker Privacy Policy

This Privacy Policy ("Privacy Policy"), last revised on May 09, 2022, is prepared by Shapemaker AS ("Shapemaker", "we", "our" and "us") to ensure that you receive the information we are required to provide to you, and which is necessary for you to exercise your rights under the General Data Protection Regulation (the "GDPR") and the Norwegian data protection legislation (together "data protection legislation").

The Privacy Policy provides information on how personal data is processed in relation to the Shapemaker services, including your rights under applicable data protection legislation and other relevant information relating to our processing of your personal data.

1. Contact information

As a controller, we process your personal data through the Shapemaker services. If you have any questions about this Privacy Policy, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:

Chief Commercial Officer and Co-Founder: Ingrid Sofie Øvrum Sem

2. The purpose of processing personal data

Shapemaker processes data for the following purposes:

2.1  To provide our services

To provide our services, including access management, it is necessary to process personal data. The personal data we collect for this purpose is the name of the contact person affiliated with the customer, name of users affiliated with the customer, customer address, e-mail address and/or telephone number to the contact person or user, and IP addresses ("Customer Data").

Furthermore, to provide our invoicing and support we may process the personal data connected to the payment information and payment history of the contact person of the businesses and agencies ("Purchasing Data").
The legal basis for the processing of Customer Data is to fulfill an agreement in accordance with Article 6 (1) b) of the GDPR.

The legal basis for the processing of Purchasing Data is based on our obligations under the bookkeeping legislation, in accordance with Article 6 (1) c) of the GDPR.

2.2 For marketing purposes

If you sign up for our e-mail newsletter, your name and e-mail address will be processed and stored ("Marketing Data"). The purpose of processing this data is to reach existing, potential, and former customers and collaboration partners to market our services.

The legal basis for the processing of Marketing Data for this purpose is consent, in accordance with Article 6 (1) a) of the GDPR. When we have requested your consent to the processing of Marketing Data, you can withdraw it at any time.

3. Security

As a controller, we are responsible for the security and confidentiality of the personal data we process. We have implemented appropriate technical and organizational measures ensuring that personal data is processed at a level of security appropriate to the risk, e.g. ensuring confidentiality, availability, and integrity of the personal data.

4. Recipients of the personal data

We do not disclose and/or share your personal data with third parties except where it is necessary for fulfilling our legal obligations.

We may use data processors to assist us in providing our services. For example, we use Google to host our services. Under such circumstances, we will enter into data processing agreements with data processors which inter alia obligates the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality, and integrity of the personal data, as well as to only process the relevant personal data in accordance with data protection legislation.

As a general rule, we do not process personal data outside the EU/EEA. The exception is in cases where we deliver services to customers in countries outside the EU/EEA area. In such cases, we may transfer personal data to our partners outside the EU/EEA, but only with a valid legal basis, such as  Standard Contractual Clauses adopted by the EU Commission ("SCCs").

We will not disclose your personal data to any third parties than the third parties described above, unless we are required to do so under applicable law, or if it is necessary to establish, exercise, or defend legal claims.

5. The data subject’s rights

As a data subject you have the following rights when we process personal data about you:

  • Access. You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to and further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you.
  • Correcting personal data (rectification). You may request us to rectify and/or complete inaccurate or incomplete personal data.
  • Erasure (the right to be forgotten). You may request us to erase your personal data. We will respect and comply with your request unless we among other things are prohibited from deleting your personal data under mandatory retention requirements, or if the personal data is necessary for the establishment, exercise, or defense of legal claims.
  • Restriction. You may also request the restriction of our processing of your personal data in accordance with the criteria under data protection legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the exercise or defense of legal claims or for the protection of the rights of another person, or for reasons of important public interest.
  • Object. You are entitled to object to certain processing activities. You are furthermore, on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to the processing of personal data based on legitimate interests, which we will comply with, unless there exist compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims.
  • Data portability. If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used, and machine-readable format.

Please note that the above rights may be subject to further exceptions and limitations in accordance with the data protection legislation.

You may contact us at: if you wish to exercise any of the above rights. Please note that we may request additional information from you if such information is necessary to confirm your identity.

6. Retention and deletion

The storing of personal data will take place as long as it is necessary for the purpose of the processing. We will not store your personal data beyond this unless there is another legal basis for the processing.
More specifically, we will delete or anonymize personal data in accordance with the following procedures:

  • The Customer Data will be processed as long as we have an active customer relationship with you or your employer. As a general rule, the information will be deleted 1 year after the end of your latest purchase.  
  • The Purchasing Data will, depending on the nature of the documentation, be stored for either 3 ½ or 5 years in accordance with the Bookkeeping Act.
  • The Marketing Data will be processed for as long as we have your consent. You can withdraw your consent at any time.

7. The Norwegian Data Protection Authority and other Supervisory Authorities

The Norwegian Data Protection Authority has inter alia been established to supervise Norwegian companies' processing of personal data. You may contact us at any time if you have any questions or complaints regarding our processing of your personal data. You may also file a complaint to the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement.

You can obtain the contact details of the Norwegian Data Protection Authority on the following website: You may also find more information on your rights and the data protection legislation on this website.

8. Changes

We may update this Privacy Policy from time to time. This Privacy Policy will, for example, be updated to comply with any legislative amendments or if we make changes to our processing of personal data.

An updated version of this Privacy Policy will be published on our website if any revisions to the Privacy Policy are made. This Privacy Policy is effective from the date stated initially.