Privacy Policy
Last updated: 19 April 2026
This Privacy Policy explains how NORYNN processes your personal data when you visit norynn.eu, place an order, or contact us. It is written in plain language to be easy to read. We follow the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Danish data protection law.
1. Data controller
The data controller responsible for the processing described here is:
- Legal name: [TBD SOON]
- CVR no.: [TBD SOON]
- Registered address: [TBD SOON]
- Contact for privacy questions: info@norynn.eu
We have not appointed a formal Data Protection Officer, as we do not meet the thresholds set in Article 37 GDPR. All privacy enquiries are handled through the email above.
2. What we collect and why
We only collect the data we actually need. Specifically:
- Order and contact data. Your name, delivery and billing address, email, order contents. Used to process and deliver your order and to reply to you.
- Payment data. Payment details are collected and processed directly by Stripe. NORYNN does not see or store your full card number.
- Account data (if you create one). Email, password (hashed), order history, saved addresses.
- Customer-service correspondence. Emails and messages you send us, and our replies, so we can help you and follow up later if needed.
- Technical data. IP address, browser type, and timestamps appear in server and security logs. Used to keep the site available and secure.
We do not knowingly collect data from people under 16. Please do not provide us with personal data of a child.
3. Legal bases for processing
We rely on the following legal bases under Article 6(1) GDPR:
- Contract — Art. 6(1)(b). Taking and fulfilling your order; managing returns; answering questions about your purchase.
- Legal obligation — Art. 6(1)(c). Keeping accounting, invoicing and tax records as required by Danish bookkeeping and tax law.
- Legitimate interest — Art. 6(1)(f). Securing the site, preventing fraud and misuse, and maintaining basic technical logs.
- Consent — Art. 6(1)(a). When we need it — for example, if you subscribe to a future newsletter or if we ever add non-essential cookies. You can withdraw consent at any time without affecting past processing.
4. Who we share your data with
We share personal data only with the service providers we need to run the shop. Each of them acts as a processor under a written data processing agreement:
- Stripe — payment processing.
- Shipping carriers — to deliver your parcel (name, address, contact details).
- Email provider — to send order confirmations and customer-service replies.
- Hosting and infrastructure — the servers that run the website and the Medusa backend.
- Accountant — for bookkeeping and tax reporting, limited to invoice data.
We do not sell your personal data and we do not share it for unrelated marketing by third parties.
5. Transfers outside the EU/EEA
Most of our processing takes place within the EU/EEA. Stripe, however, may process some data in the United States. These transfers are protected by:
- Stripe's certification under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023); and
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a fallback, via Stripe's Data Transfers Addendum.
You can review Stripe's Data Processing Agreement at stripe.com/legal/dpa and their privacy policy at stripe.com/privacy.
6. How long we keep your data
We keep personal data only as long as we have a reason to. Typical retention periods:
- Orders, invoices, accounting: five (5) years after the end of the relevant financial year, as required by the Danish Bookkeeping Act.
- Customer-service correspondence: up to two (2) years after the case is closed.
- Account data: as long as the account exists, plus up to two (2) years of inactivity.
- Technical / security logs: up to 90 days.
- Newsletter subscription (if you subscribe): until you unsubscribe or withdraw consent.
When a period ends, data is deleted or irreversibly anonymised.
7. Your rights
Under the GDPR you have the following rights regarding your personal data:
- access (Art. 15) — receive a copy of the data we hold about you;
- rectification (Art. 16) — correct inaccurate data;
- erasure (Art. 17) — "right to be forgotten", within the limits set by law;
- restriction of processing (Art. 18);
- data portability (Art. 20) — for data you have provided to us;
- objection (Art. 21) — in particular to processing based on our legitimate interests;
- withdrawal of consent (Art. 7(3)) — at any time, without affecting past processing.
8. How to exercise your rights
Send an email to info@norynn.eu describing what you would like to do. We may ask for additional information to confirm your identity before acting on certain requests. We will respond within one month, in line with Article 12 GDPR.
9. Complaint to a supervisory authority
If you believe our processing of your personal data does not comply with the law, you have the right to lodge a complaint with the Danish Data Protection Agency:
Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
datatilsynet.dk
If you live in another EU/EEA country, you may also contact your local data protection authority.
10. Cookies and tracking
Our site currently uses only the cookies and local storage that are strictly necessary to run the shop — for example, to keep your cart, to handle checkout and payment with Stripe, and to remember your region and language preference. Because these are strictly necessary under Article 5(3) of the ePrivacy Directive, no consent banner is shown.
If in the future we introduce analytics, marketing or any other non-essential trackers, we will update this Policy and show a consent banner giving you a genuine, equally easy choice between accepting and rejecting.
11. Security
We protect personal data with appropriate technical and organisational measures, including TLS encryption for all traffic to and from the site, access controls within our own systems, and carefully chosen processors. No system is perfect — if you ever suspect a problem, please tell us at info@norynn.eu.
12. Changes to this Policy
We may update this Privacy Policy as our business evolves or as the law requires. The "Last updated" date at the top always shows when the Policy was most recently revised. The version in force when you interact with us governs that interaction.
For reference, see also our Terms and Conditions and Refund & Return pages.