Privacy Policy for Rebel .no

Last updated: August 26, 2025

Legal framework

We process personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the Personal Data Act . For cookies and similar technologies, we follow the Electronic Communications Act and applicable guidance from the Norwegian Data Protection Authority/Nkom. You have the rights described below, including the right to withdraw consent , object to direct marketing and complain to the Norwegian Data Protection Authority .

Who we are (data controller)

Rebel U2 AS (corporation number 922 031 584) is the data controller for data processed via rebel.no and associated sites.
Address: Universitetsgata 2, 0164 Oslo, Norway
E-mail: ada@rebel.no | Telephone: +47 909 36 513
Data Protection Officer (DPO): dpo@rebel.no (dedicated contact point for data protection)

In some cases, Rebel Arena AS may act as its own data controller or joint data controller together with Rebel U2 AS (e.g. joint event marketing). The essence of the division of responsibilities: common purpose (event/marketing), common target groups and channels; Rebel U2 AS handles the website and CRM, Rebel Arena AS handles event data/delivery. Both parties offer points of contact and safeguard rights.

What we collect and why (purpose and basis for processing)

Enquiries / booking requests (form, email, phone)
Data: name, email, telephone, company, content of the inquiry.
Purpose: respond to inquiries, provide offers, follow-up.
Basis: agreement (to enter into/fulfill), or legitimate interest (effective customer dialogue).

CRM and sales follow-up (Lime CRM)
Data: name, email, telephone, company, inquiry history, offer/agreement data and meeting notes.
Purpose: customer dialogue, follow-up of leads and customers, offers and agreement administration.
Basis: agreement (to enter into/fulfill), legitimate interest (effective sales/customer dialogue), and possibly legal obligation (accounting).
Flow: Form submissions (Squarespace Forms) are sent via email and/or synced to Lime CRM as our data processing tool .

Inspections and appointment booking (Acuity / Squarespace Scheduling)
Data: contact info, desired time, preferences.
Purpose: plan and conduct an inspection.
Basis: agreement (order/delivery).

Newsletter and marketing (Mailchimp)
Data: email, name (optional), engagement data (opens/clicks).
Purpose: to send news and offers.
Basis: consent (can be withdrawn at any time via unsubscribe link).

Event and membership administration (Nexudus)
Data: contact information, orders, participations, invoice.
Purpose: manage customer relationships and events.
Basis: agreement and legal obligations (accounting), possibly legitimate interest (operation/security).

Analysis and measurement (Google Analytics 4)
Data: page usage, device/session ID, approximate geography; GA4 does not store IP addresses.
Purpose: understand website usage and improve services.
Basis: consent (non-essential cookies/trackers are not loaded without consent).

Ad measurement and targeting (Google Ads tag, Meta Pixel, LinkedIn Insight Tag)
Data: page views, clicks/conversions, ad referrals and pseudonymous identifiers; may involve profiling and building target audiences.
Purpose: to measure the effect of advertisements and display relevant messages.
Basis: consent .
Automated decisions: We do not make decisions based solely on automated processing that have legal effects or similarly significant effects on individuals.
(If applicable: When using Customer Match, we only process contact lists where the recipients have previously consented to marketing from us.) Security and operations (logs, anti-abuse)
Data: technical logs (errors, security events).
Purpose: prevent misuse, ensure operation.
Basis: legitimate interest .

Child

Our services are not directed at children. In Norway, the age of valid consent to information society services is 13 years as of today. If we receive information from children under 13, it will be deleted without undue delay or processed with verified parental consent.

Storage times

• Enquiries/leads: up to 12 months from last dialogue (shorter by reservation).

• Customer relationship/agreement data (incl. event): ongoing + 3 years (bookkeeping requirements may require longer storage).

• Newsletter (Mailchimp): until you withdraw consent ; we maintain a blacklist to respect reservations.

• GA4 event data: 2 or 14 months (controlled in GA4 settings; see cookie chapter).

• Security logs: as short as possible, typically 90–180 days .

Sharing and recipients (data processors)

We use the following data processors/suppliers: Squarespace for website design and publishing (CMS/hosting), Domaineshop for domain/DNS, Squarespace Scheduling/Acuity for appointment bookings for inspections, Lime Technologies (Lime CRM) for customer dialogue and sales follow-up, Google ( GA4/Tag Manager/Google Ads ) for analysis, tag management and ad measurement, Meta (Pixel) and LinkedIn (Insight Tag) for ad measurement, Mailchimp for newsletters and Nexudus for events/memberships. Agreements (data processor/supplier agreements) exist with all relevant suppliers.

Transfers outside the EU/EEA

Some suppliers are located in the United States. We base transfers on the EU–US Data Privacy Framework (DPF) where the supplier is certified (e.g. Google, Meta, LinkedIn, Squarespace, Lime, Intuit/Mailchimp), and otherwise the EU Standard Contractual Clauses (SCC) . Links to the suppliers' certification/policy can be found in a separate overview on the website.

Your rights

You can request access , rectification , erasure , restriction , data portability , and object to processing (including direct marketing ). You can withdraw consent at any time.
Contact: dpo@rebel.no . You also have the right to complain to the Norwegian Data Protection Authority (datatilsynet.no).

Information security

We use HTTPS , access control, ongoing updates, and risk-based measures to protect data.

Notification of personal injury

We assess all security incidents. In the event of a privacy breach, we notify the Norwegian Data Protection Authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to individuals. In the event of a high risk, affected individuals are notified without undue delay.

Notification channel (alert)

Rebel has a notification channel at rebel.no/alert for employees, tenants and business contacts. Access is limited to authorized recipients. Information is processed to follow up on notifications; stored only as long as necessary for follow-up/obligations. Analytical/marketing cookies are not used on the notification page.

Changes

We may update this text. Significant changes will be notified on the website.

Cookie Policy for Rebel .no

Consent and governance

We use a consent solution (CMP) that gives you real choices: Accept all , Decline all or Customize . No non-essential cookies/trackers are loaded before consent. Withdrawing consent is as easy as giving it – you can change your choices at any time via the "Cookie settings" link in the footer. We do not use a "cookie wall" for access to content.

Categories we use

• Necessary (operation/security): loaded without consent.

• Performance and analysis: requires consent.

• Advertising: requires consent.

Analysis storage times

In GA4 , the default choice for event data is 2 or 14 months . We use the shortest period that meets our analysis needs (typically 14 months ). Note that some demographic/interest data in GA4 may have a shorter retention period.