Privacy is the right to privacy and the right to decide over one’s own personal information.
Personal information is information and assessments that can be linked to an individual. Extend AS (hereinafter simply referred to as Extend) processes personal data as an employer, as a provider of services, for marketing purposes and in connection with visits to our websites, www.extend.no and www.extendnorway.com. Privacy is important to us as a supplier and we are concerned with protecting the integrity, availability and confidentiality of personal information. This privacy statement provides additional information about what personal information is collected, how the information is collected and protected, and what rights you have if personal information about you is registered with us. What processing of personal data is carried out by Extend:
Extend processes personal information about customers and suppliers, in addition to any third party that is necessary for the implementation of contractual obligations. Among the information that is processed is contact information about customers and suppliers. Contact information means the name of the contact person, e-mail address, telephone number and job title. We also collect contact information from our websites from potential customers who want closer contact with us and often a demo of our system. Contact information means the name of the contact person, e-mail address, telephone number and job title. The legal basis for such treatment is GDPR Article 6 letter b, c and f, as well as GDPR Article 9 letter a and b. The personal information is stored in a separate database and deleted five years after the end of the customer relationship. Extend may share personal information about customers and suppliers with our parent company Confirma Software or any of our sister companies in the Confirma-Software group in the Nordic region.
Extend may use sub-processors. As a result of our services, we act as a data processor for a large number of customers. We are therefore based on a general permit for the use of sub-processors, cf. GDPR Article 28. This is agreed with the customer in our data processor agreement. When using sub-data processors, we confirm that these are subject to the same obligations with regard to the protection and use of personal data and other customer data as Extend. Suppliers who act as sub-processors for Extend must be able to document good internal routines for privacy and information security through certifications, a report from an independent audit of the supplier, or other relevant documentation. An overview of sub-data processors used by Extend follows in the table below. It is emphasized that which sub-data processors are used depends on which services we provide, and will therefore vary from customer to customer.
|Company name||Type of processing
||Type of service
||Location of data center||Website|
|IT Sjefen||Provider of IT infrastructure, including operation of applications, storage and backup of data||All||Norway||www.itsjefen.no|
|Soldi AS||Processing of customer data, supplier data and employee data. Uses the system suppliers Visma and Tripletex as subcontractors||Accounting and payroll services, and travel invoices||Norway||www.soldi.no|
|Fogbugz||Storage of customer data||Support system||US||www.fogbugz.com|
|Doghouse||Storage of customer data||Website provider||Norway||www.doghouse.no|
Extend processes personal information as part of personnel administration. The personal information that is processed in this connection includes personal information, salary information, information about relatives, and education / position level. The legal basis for this processing is fulfillment of the employment contract, cf. GDPR Article 6 letter b and c. Personal data associated with personnel administration is stored as long as the person is employed by Extend, and is deleted 1.5 years after the person has left Extend. Extend also receives personal information from jobseekers in connection with positions we have advertised or which are submitted as open applications. These are retained as long as they are assessed in connection with. an application process and will be deleted as soon as they are considered irrelevant.
Extend processes personal data for marketing purposes.
It is possible to voluntarily subscribe to newsletters, seminar invitations and other professional material from Extend. If there is no existing customer relationship, this means that you agree to receive regular e-mails with the newsletters you have chosen to subscribe to. The legal basis for this treatment is GDPR Article 6 letter a.You can withdraw your consent for the storage of your contact information at any time. Extend will then delete your contact information from the address list of the relevant newsletter. In cases where there is an existing customer relationship, Extend has a legitimate interest in marketing to its customers. The legal basis for this treatment is GDPR Article 6 letter f. You can request to be deleted from our mailing list at any time. In order to send the newsletters to the right person, it is necessary to register with your name and e-mail address, company name and job title, and when registering for one of our seminars, we will also ask for your telephone number. This information is stored in a separate database and will not be passed on to others. You can request access to this information at any time and request that the information will be deleted. The personal information we have stored about you, the consent you have given us to receive our newsletters and seminar invitations is stored as long as you are a subscriber.
When using the forms on extend.no or extendnorway.com, you must provide your name and e-mail address. The information is stored in the website’s database which is managed by Extend’s marketing staff, and it will not be passed on to others outside Extend. The information is deleted as the contact ends. It is possible to buy products from Extend. In order for us to be able to process your inquiry, it is necessary that you provide information about you and your company. The legal basis for this treatment is GDPR Article 6 letter b.
Extend stores contact information for potential customers in a separate database. The information is taken from publicly available sources, such as companies’ websites. The purpose of this processing of personal data is to conduct marketing for our services and coordinate this marketing work. The legal basis for this treatment is GDPR Article 6 letter f. Extend has a legitimate interest in marketing itself to potential customers. If you do not want to be part of the Extends address register, you can request to be deleted from this. The personal information related to potential customers is deleted if the customer wishes so, or it is clarified that a future collaboration is not relevant. The information is stored further if a customer relationship is established or potential customers think it is okay with further follow-up.
On Extend’s websites http://www.extend.no and http://www.extendnorway.com we log information about all visitors using Google Analytics. The information that is logged is not linked to the visitor and can not be traced back to you as an individual. The information is collected to better understand how our users use the website, so we can adapt the pages optimally to you as a user. Like most other websites, we use a method where the information is stored in a cookie on your PC. Most browsers are set to accept cookies from websites. You can delete stored cookies by following the deletion instructions in your browser. Information about this can be found in the help function in your browser. Please note that restricting access to cookies may affect the functionality of our website.
The cookie on our website is from Google Analytics (first-party cookie). It is set to delete automatically after 24 months if you do not return to the site. It is possible to opt out of all registration in Google Analytics by installing an add-on in the browser: Google Analytics Opt-out Browser Add-on Extend uses the analysis tool Google Analytics to study traffic, usage patterns and trends on the website. The data collected is used to optimize the user experience and customize the content of the website. Google’s policies for the use of Google Analytics do not collect personal information about users. The data collected is stored on Google’s servers. You can read more about how Google collects and protects data here.
Our website is not designed for or aimed at children under 13, and we will never knowingly collect or maintain information about children under 13.
Extend will take care of different functions for different customers. Where we are responsible for full operation and other services, we have a full data processor agreement with our customers that regulates the relationship. In cases where the customer operates the system themself and we are only involved in performing occasional services, this is regulated through a simpler data processor agreement.
Extend collects information once a year on how we deliver our services via an annual user survey. All data is anonymized by presentation to external parties. Extend collects data from potential customers annually. Data is collected that a third-party market analysis company that processes data anonymously and data that is passed on to Extend is anonymised.
We do not transfer personal data to countries outside the EU / EEA without written approval from the data controller. When transferring to a third country, an agreement must be entered into on the basis of transfer, for example the Data Inspectorate’s standard contracts for the transfer of personal data outside the EU / EEA, Binding Corporate Rules (BCR) or Privacy Shield.
Extend does not disclose personal information to others unless required by law.
We are concerned with information security, and have implemented routines to ensure the confidentiality and integrity of our customers’ data. Extend has security mechanisms that involve both organizational and technical measures such as role and access management and requirements for built-in privacy in our IT systems. Extended information about the security in Extend is available to our customers upon requests.
Extend’s processing of personal data is regulated by the Personal Data Act and associated regulations. Your rights related to our processing of personal data are set out in, among other things, GDPR Chapter III. Below are some of the most important rights:
Anyone who requests it is entitled to know what kind of processing of personal data Extend carries out, as well as basic information about these processes. Such information is provided in this privacy statement. It is only in cases where Extend is responsible for processing that we can manage requirements for access. In cases where Extend is the data processor, requests for access must be directed to the data controller. As a data processor, we can not provide access to personal information to the data subject without the client being informed and approving the access. If you are registered in Extend’s systems, you have the right to know what information about you is registered and what security measures are available during the processing as long as such access does not impair security. You can demand that the data controller elaborate on the information as mentioned above to the extent that this is necessary for you to be able to safeguard your own interests.
If Extend processes personal data about you that is incorrect, incomplete or which it is not permitted to process, you may, within the limits stipulated in the Personal Data Act, the EU Privacy Regulation (GDPR) and other legislation, demand that personal data be corrected or deleted. Furthermore, you can demand deletion if the processing of personal data is no longer necessary to fulfill the purpose for which it was collected, or if the processing is based on your consent and you withdraw this. The treatment will be necessary if it is required by law. Extend shall respond to inquiries about access or other rights pursuant to GDPR Articles 15, 16, 17 and 20 without undue delay, and no later than 30 days from the day the inquiry was received, unless special circumstances make it impossible to respond to the inquiry within this the deadline. In that case, the Extend shall provide a preliminary answer with information about the reason for the delay and the probable time for when an answer can be given.
Extend has a information security manager who assists with guidance so that personal data is processed in a good way and in line with the regulations. The Privacy Ombudsman is a voluntary scheme and is administered by the Norwegian Data Protection Authority. Requests for access, correction and deletion, as well as reports of deviations are handled by the information security manager.
We plan for our customers to use their permanent contact person in Extend for questions regarding Extend’s processing of personal data, and these will involve others in the organization if necessary. Inquiries about requests for access, correction and deletion, and deviation reports should be directed to firstname.lastname@example.org or to Extend AS v / Information Security Manager, PO Box 1237 Pirsenteret, 7462 TRONDHEIM. General requests for privacy from others than customers of Extend shall also be directed to the information security manager.
There may be changes to our privacy statement. We encourage interested parties to regularly review our website for changes.