Privacy policy

Here, we will explain how we collect, use and protect your personal data. We will also explain what rights you have with regards to your personal data and how you can exercise those rights.

We collect and process personal data in accordance with the provisions of Norwegian "Personopplysningsloven" (fully ratified GDPR in force from 2018) and other regulations, which are in force in Norway.

Data controller
"CX Hubs" is the data controller. That means that “CX Hubs” determines the purpose of data collection and processing and data protection.
Our registered office address is:
CX Hubs a.s.
Griffenfeldts gate 17 F
0460 Oslo
Org. nr. NO 919 647 434
fully represented by CEO Dragan Stanojevic.

Data protection officer
We are not obligated to have a designated Data Protection Officer (DPO), but we have data privacy protection in mind at every step, according to GDPR "privacy protection by default".

Our users. What data we collect. Legal basis. What we use it for.
We don’t collect your personal data from third-parties, but only directly from you.
Our website (platform) is designed to serve both consumers in B2C module, as well as business organizations in B2B and B2C modules.

A consumer who visits our platform for their personal or household purposes is not supposed to register and save a personal account since we don’t sell directly to them.

Registered business organization  that is registered in our system needs to include a name of a contact person and relevant email and phone number (that eventually may be a private one). We need to keep these data in order to be in contact with a business organization. Therefore, we treat information pertaining to this person in their business capacity and not their individual private capacity. However, this does not diminish someone’s rights as a data subject explained below.

Retention period
Retention period for all data is 1 (one) full calendar year after all payments have been completed. Be aware that certain kinds of business-related data we keep even after that period due to a legal obligation (e.g. accounting and tax data) depends on legal requirements retention period can be up to 5 years.

Cookie policy
While you are browsing the website anonymously, we store certain cookies to your browser depending on your explicit consent: necessary, preference, statistical and marketing cookies. These cookies contain no personal data. We use consent management platform “Cookie Bot”, which scans the web site on a periodical basis and automatically generates a transparent “Cookie policy” page, where you can find all details regarding your cookie consent. Consent log report is anonymized on their servers in EU certified by ISO 27001.

For more information about cookies and retention time you can find on page "Cookie policy".

Links to other websites
The website may contain a number of links to other websites and online resources that are not owned or controlled by The Company. The Company has no control over, and therefore cannot assume responsibility for the content or general practices of any of these third-party sites and/or services.

Therefore, we strongly advise you to read the privacy policy of any site that you visit as a result of following a link that is posted on our website.

Sharing your personal data
We will not share your information with any third parties for the purposes of direct marketing, or any other purpose that is not mentioned here.

We use data processors who provide services for us and have data processing agreements with them. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Children’s privacy
We do not knowingly collect information from children (as defined by local law) and we do not target our website to children. If we learn that we accidentally collected any information from children, we will purge it immediately.

Data processors
The data processor is a company that processes someone’s personal data on behalf of the controller.

We rely on the data processors who assist in the service we offer to you as a customer. We have mandatory Data Processing Agreements (DPA) that regulate information security, personal data protection and confidentiality.

  • "Hertzner", Germany – "Hertzner" is a hosting company (infrastructure processor). Our web servers, databases, SMTP service and backups are hosted within Hertzner’s Virtual Private Servers VPS. All data is stored inside EU, in the datacenter in Germany and Finland. Hertzner’s steps to ensure it is GDPR compliant include data hosting in European Union, ISO 27001 certified, Data Processing Agreement (DPA) signed.
  • "Cookie Bot", Denmark - service does not collect, store or process any personal data. Therefore, under the EU General Data Protection Regulation Article 28. they are not a data processor.
  • "Easy accounting", Oslo, Norway – Accounting service, which use an accounting software sub-processor "Cleandesk" AS, Oslo, Norway.

Information security
We have adopted physical, technical, and administrative measures that are designed to prevent unauthorized access or disclosure, maintain data accuracy, and ensure appropriate use of the personal information.

  • We have signed separate "Data Processing Agreements" (DPA) with data processors that regulate information security, personal data protection and confidentiality.
  • Cloud based solutions are located in EU in controlled facilities which have limited access in.
  • We limit access to the information in our IT system to only those with a business reason to do so.
  • The website stores your password encrypted, so no one except you can see that.
  • When we transmit confidential or sensitive information over the internet, we protect it using encryption and other safeguards, unless you request or authorize otherwise.
  • We will never ask you for your password in an unsolicited phone call or in an unsolicited email.

Your rights as a data subject
Your rights are as follows:

The right to be informed
As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.

The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requester, we will provide access to the personal data we hold about you as well as the following information:

  • The source of the personal data (directly, or from third-party)
  • The categories of personal data concerned
  • The purposes of the processing
  • The retention period or envisioned retention period for that personal data
  • The recipients to whom the personal data has been disclosed
If there are exceptional circumstances, that should be explained.

The right to rectification (correction)
If your personal data are inaccurate or incomplete, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.

The right to erasure (the "right to be forgotten")
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. We will take all reasonable steps to ensure erasure.

The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:

  • The accuracy of the personal data is contested.
  • Processing of the personal data is unlawful.
  • We no longer need the personal data for processing, but the personal data is required for part of a legal process.
  • The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

The right to data portability
This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.

The right to object
You have the right to object to our processing of your data where:

  • Processing is based on legitimate interest.
  • Processing is for the purpose of direct marketing.
  • Processing involves automated decision-making and profiling.

Your request
If you are concerned about your privacy, or you would like to exercise your rights as the data subject, please download a contact form below, fill-in, and attach it to the email to with specific request explained.

To process your request, we are legally obligated to ask you to provide two valid non-contradictory forms of identification for verification purposes.

Be aware that it takes up to 30 days to send to you a complete answer.

Data protection authority
In case that you believe you cannot exercise your right in communication with us, we are obligated to inform you that you have a right to complain to The Norwegian Data Protection Authority:

Postboks 458 Sentrum
0105 Oslo, Norway
Phone: +47 22 39 69 00

Change of the privacy policy
If there are any changes in how we use your private data, notification by email will be made to those affected by the change. Any changes to our privacy policy will be posted on our website 30 days prior to these changes taking place.

Last updated: the 1st of March 2022.