Guideline for privacy protection
1. Privacy Statement and Data Controller
This privacy statement informs about how Imageshop by Imageshop AS collects and uses personal information.
This privacy statement was published September 10th, 2022
Imageshop AS has its head office located at this address:
Møllendalsveien 1, 5009 Bergen, Norway. Contact information for our privacy commission is: privacy@imageshop.org
Imageshop is responsible for the processing of the personal information collected about you.
2. What is Personal Information?
Personal information is anything that describes you or that can be linked to you as an individual. This may include contact information (IP address, customer number, cookie id etc.) and information about actions and behaviors (purchases, visited sites, emails you have received etc.).
3. Why we Collect Personal Information and the Purpose of it
3.1 Statistics for website and marketing communication improvement
We collect and analyze data about how you and other users use the website. The purpose is to gain knowledge about how the websites are used, so that we can improve our contents and products/services based on this insight.
Which data: Data on behavior (which sites you visit, what you click etc.), data on your terminal (type of computer/phone, operating system, browser etc.) and data on your network and position (derived from IP address). All data are liked to an anonymous ID number, which is stored in a cookie in your browser. (Read more about cookies.)
Basis for processing: Legitimate interest. It is of great value for us to gather and analyze this data material, and consider it not to be of any considerable burden on your privacy, as long as the information is not linked to other sources of information or contact information.
This is how we process the personal information: We use Google Analytics to collect the data from your browser. The data are stored on Google´s servers, but are owned by us. They are not linked to other tools or sources unless you have you have given consent (see other purposes). To minimize the consequences for your privacy, the IP address is only stored in anonymized form (read about IP anonymization), and we set the expiration time for the identifying cookie to a maximum of seven days. When the cookie has expired, the data no longer has any connection to you as a person. In addition, all individual data will automatically be deleted by Google Analytics after 14 months.
3.2 Tracking Conversions for Advertising
We measure the results of our marketing by reporting how many contact inquiries and sales come from a marketing campaign. The purpose is to optimize our marketing and make it more efficient.
Which data: That you have carried out a specific action on our website, and from which source you entered our website. This can also be linked to all other data that is collected for statistics (see above).
Basis for processing: Legitimate interest. Data processing enables us to use our resources as efficiently as possible and save both effort and money on futile measures. In cases where the data collection cannot be done without data being linked to other, third party information, we rely on your active consent.
This is how we process the personal information: The data processing follows the same principles as for general statistical purposes. Based on legitimate interest, we collect and process data in Google Analytics. We also send data to Google Ads using so-called Consent Mode (data is sent without cookie information). If you have consented to “marketing”, we will send data to Google Ads the usual way, in addition Facebook, Bing other advertisement providers (more about advertising below).
3.3 Targeting of Ads
We collect data on your behavior on our websites and share it with advertising providers (data processors), with the aim of achieving more precise ads targeting.
Which data: Data on behavior (which sites you visit, what you click etc.), data on your terminal (type of computer/phone, operating system, browser etc.) and data on your network and position (derived from IP address). All data are liked to an anonymous ID number, which is stored in a cookie in your browser. This ID number is a common identifier for you on all websites you visit, which exchange data with the same marketing providers.
Basis for processing: Consent, which you do by accepting “marketing” as a purpose (or “all”) when visiting out websites, you can change your consent on our cookie site.
How we process personal data: Data is collected from your browser when you visit our web site and is sent for storage and processing by the marketing provider. We use several different providers, including Google Ads, Google Marketing Platform, Facebook, Microsoft Bing and Linkedin. In the next round, you are placed in different “target groups” by the different providers, which gives us the opportunity to buy advertising from them, which you will see when you visit other websites in their network. Thus, you will often see advertisement for Imageshop on many other websites when you have visited our web sites. Data on you is also included in your personal profile with the supplier and is used to describe your interests and estimate other characteristics of you (profiling). If you have submitted contact information or other personal information to the provider (e.g. Facebook), the data will also be linked to this. This provides the basis for advertisers other than Imageshop who use the same ad network to purchase ads with more precise targeting. The consequence for you is that the ads you see will be more adapted to you and your situation. To avoid that the data on your behavior on our websites are is used in this way, you can avoid agreeing to the use of cookies for “marketing”. To avoid that the advertising providers collect such data and use it to create a profile on you generally, you can either delete/reject all cookies in your browser or edit your provider´s setting. Here are links to how you can do this with Google, Facebook and Linkedin.
3.4 Imageshop for Google Workspace Marketplace(TM)
Imageshop offers Imageshop add-ons for Google Workspace(TM) users. Use of the add-on requires access to an Imageshop account and acceptance of the terms and conditions and privacy statement. This add-on does not collect or store data about you as a user, it only gives you access to images from the Imageshop account created for you, by logging in with your username and password.
Encrypted cookies are used to store credentials for the “remember me” function when you log on. The password and username themselves are not stored in the cookie. This add-on does not collect other private information from the user. The login information is sent on a secure channel using an SSL certificate.
Which data we collect: We require username and password for Imageshop to be able to see images inside the Imageshop solution. In addition we collect users locale to be able to show content in the users own language. We do not read or store any information inside the Google Slides(TM) or Google Docs(TM) documents we ask permission for. The permission is only needed to be able to insert images into the document.
Permissions requested when installing Imageshop for Google Docs(TM) and Google Slides(TM)
We have set the permissions as restrictive as possible, and only ask permissions so that we can
| OAuth Scope | What permission is requested | What it is used for |
| documents.currentonly | View and manage the Google Docs(TM) documents that this application is installed in | Applies only to the Google Docs(TM) version of the Add On. Required to modify the document the user is currently editing to insert images. No document data are stored in our solution. |
| presentations.currentonly | View and manage the Google Slides(TM) presentations that this application is installed in | Applies only to the Google Slides(TM) version of the Add On. Required to modify the presentation the user is currently editing to insert images. No document data are stored in our solution. |
| script.container.ui | Display and run third-party web content in prompts and sidebars inside Google applications | Used to run the plugin in the sidebar in the Google applications. |
| script.external_request | Connect to an external service | Used to securely log in and retrieve images from Imageshop. |
The above is only used when the user interacts with the plugin to log in, access images and insert images.
In addition we collect, but do not store, user locale, to show the add on in the user’s language.
3.5 Direct Marketing and Networking
Imageshop AS invite to webinars, convey knowledge and professional information through our network. Access to this material is given to anyone who agrees to receive newsletters from us.
Which data: Vi samler opplysninger som navn, epostadresse, bedriftsnavn, samt historikk over dine interaksjoner med Imageshop gjennom epostkommunikasjon (inkludert åpning og klikk) og besøk på nettsiden.
Basis for processing: Active consent
How we process personal information: When you fill out a form on imageshop.no, your information is stored in Hubspot, which is the tool we use to send out email communications and register interactions with our own network. When you open the emails and click on links in them, information about this is also stored. Hubspot also stores cookies in your browser that identify you in order to link information about your activities on our website to your profile.
You can withdraw your consent to receive email at any time. You do this by clicking on “change settings” at the bottom of an email you have received from Imageshop. Consent to tracking the use of cookies on our website is given through the cookie information displayed on your first visit, and it can be changed on our cookie page.
3.6 Job Applications
In connection with recruitment processes, we collect and store information about applicants.
Which data: Contact information for applicants such as name, email address and telephone number, as well as documents the applicant shares with Imageshop, such as CV, references and application letter.
Basis for processing: Legitimate interest
How we process personal information: Data about jobseekers is collected via finn.no’s jobseeker portal or directly via email to Imageshop. Imageshop advertises positions through finn.no’s jobseeker portal where personal information is made available from the applicant as long as the application process is ongoing. In the case of an open application, we encourage you to send an application to the general manager by email. Documents received from jobseekers are stored for a maximum of two years, on the grounds that Imageshop regularly recruits new employees, so that new opportunities may arise that make previous applicants relevant for new assessment.
3.7 Follow-up of Inquiries and Sales Processes
When you contact us, via contact form and chat on the website or via email and telephone, we take care of your personal information for follow-up and the sales process.
Which data: Name, telephone number, email address and company, as well as interactions you have had with us, including visits to our website.
Basis for processing: Legitimate interest, as well as consent (to the use of cookies for marketing, to register your visits to our website)
How we process personal information: Personal information and interactions are stored in Hubspot. This is done automatically if you fill out the form on our website, and we register you manually if you contact us via other channels. All employees in Imageshop who have customer contact have access to this information. If you do not become a regular customer or other partner with us, nor are you subscribed to the newsletter, we will delete your information within three years after we last had contact with you.
3.8 Follow-up of Customers, Partners
In order to provide good follow-up and fulfill contract terms, we collect and store personal information about our customers and partners.
Which data: Contact information such as email address, telephone, name, as well as interactions you have had with us including visits to our website.
Basis for processing: Legitimate interest, as well as consent (to the use of cookies for marketing, to register your visits to our website)
How we process personal information: Personal information and data about interactions on imageshop.org are stored in Hubspot. All employees in Imageshop who have customer contact have access to this information.
3.9 Evaluation and Follow-up after Courses and Webinars
To be able to improve deliveries and to be able to follow up participants in courses and webinars, we collect personal information that participants themselves provide through a subsequent survey and chat log during courses and webinars.
Which data: Imageshop uses Zoom to conduct video-based courses and webinars. Here, participants have the opportunity to chat with the speaker. The chat log will be saved for us to be able to take care of and follow up inquiries via chat.
Basis for processing: Legitimate interest
How we process personal information: Personal information that is made available in chat logs in connection with webinars and courses is stored for up to one year.
3.10 Transfer of personal data to recipients in countries outside the EU/EEA
It is an objective for us that all processing of personal data should be carried out within the EU/EEA, but it could be that we use suppliers or process personal data outside the EEA. In such cases, transfer and processing outside the EEA shall take place in countries approved by the EU Commission or in accordance with a valid legal basis for the transfer of personal data pursuant to GDPR Chapter V. If transfer does not take place to countries approved by the EU Commission, transfer will only happen in accordance with the guarantees set out in Article 46 (2) of the GDPR. You can be informed of the basis used for the transfer if you contact us. Both the suppliers we use for advertising and analysis (such as Google, Facebook, etc.) and our customer system Hubspot are based in the USA, and data will in many cases be transferred there. We are familiar with the challenges and requirements that follow from the “Schrems II” ruling and are working to find good solutions to this.
4. Your Rights
Below are your rights as registered. To exercise your rights, you must contact us at the address “privacy@imageshop.org”.
We will respond to your inquiry to us as soon as possible, and no later than 30 days. If it takes longer than 30 days, you will be notified.
If necessary, we will ask you to confirm your identity or provide additional information before we allow you to exercise your with regards to us. We do this to make sure that we only give access to your personal information to you – and not someone who pretends to be you. With regard to information collected on the basis that you have been identified with the use of cookies, such a confirmation will be very difficult. We can therefore not give you access to this information other than on a general basis or make changes or deletions. If you delete cookies in your browser, the information we have stored will no longer have any connection to you.
4.1 Information
You have the right to receive information about the personal information we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
4.2 Access
You have the right to demand access to the personal data that is processed about you.
4.3 Modification and Deletion
You can also ask us to correct incorrect information we have about you or ask us to delete personal information. We will as far as possible accommodate a request to delete personal information, but we cannot do this if we still need the information.
4.4 Treatment on the Basis of Consent
If we process personal data on the basis of your consent, you can withdraw the consent at any time. The easiest way to do this is to use the way stated when you gave your consent or contacted us.
4.5 Right to Restrict or Protest Against the Treatment
You have the right to have the treatment limited in certain cases, such as if:
- You dispute the accuracy of the personal information, for a period that enables us to check the accuracy of the personal information.
- The processing is illegal, and you oppose the deletion of personal data and instead request that the use of personal data be restricted.
- We no longer need the personal information for the purpose of the processing, but you need it to determine, assert or defend legal claims.
- You have protested against processing under Article 21 (1) of the GDPR pending the verification of whether our legitimate interests take precedence over your privacy.
4.6 The Right to Data Portability
For information that you have provided to us and is necessary to carry out an agreement with us, and which is processed automatically (ie not manually by us), you can request that the personal information about you be disclosed or transferred to another provider in a structured, commonly used and machine readable format (data portability).
4.7 Automated Decisions, Including Profiling
No automated decisions will be made as mentioned in GDPR Article 22 (1) and (4) based on your personal information other than what is done during ad targeting, see above.
5. General information on the storage (deletion) of personal data
We store personal information for as long as is necessary for the purpose for it was collected and delete the information in accordance with requirements in the regulations. How long we process the individual types of information we process is included above where the individual treatments are discussed.
Instead of deleting the personal data, in some cases it may be relevant to anonymize the personal data. Anonymization means that all identifying or potentially identifying characteristics are removed from data sets that are kept.
This means, for example, that personal data that we process on the basis of your consent will be deleted if you withdraw your consent. Personal information we process to fulfill an agreement with you is deleted when the agreement has been fulfilled and all obligations arising from the contractual relationship have been fulfilled, such as legal obligations related to accounting, follow-up of the customer relationship related to complaints etc.
6. Safety of Processing
We give high priority to the security of personal information in our business and will implement all required technical and organizational measures to secure your personal information. All processing will, if possible, be encrypted, and not available to anyone other than those who need personal information for their tasks.
We handle information so that it is correct, accessible and handled according to the degree of sensitivity of the information. We also use a range of security technologies and information security procedures to protect your personal information from unauthorized access, use or disclosure. Where necessary, risk assessments are carried out.
We have entered into data processor agreements with all our suppliers who process personal data, where they assume the same degree of security as we have in our processing of personal data.
We restrict access to your personal information to the staff or third parties who process the information on our behalf. These parties are subject to strict confidentiality requirements and we can impose sanctions or terminate the agreement if these requirements are not complied with.
Routines have been established for handling breaches of information security and routines (privacy breaches), and we will, if there are breaches that pose a risk to the privacy of the personal data concerned, send a non-conformance report to the Data Inspectorate as soon as possible and no later than 72 hours after the breach is discovered. If the breach entails a high probability of the privacy of those affected by the breach, we will also notify them.
7. Complaints
We use the Norwegian Data Inspectorate as the leading supervisory authority for cross-border processing in accordance with Article 56 of the GDPR.
If you believe that our processing of personal data is not in accordance with what we have described here or that we in other ways violate the privacy legislation, then you can complain to the Data Inspectorate. However, we ask you to contact us first, so that we can rectify any incorrect treatment as soon as possible.
You can find information about your rights and how to contact the Data Inspectorate on the Data Inspectorate’s website: www.datatilsynet.no.
8. Changes
Should there be changes in our services or changes in the regulations on the processing of personal data, it may lead to a change in the information you have provided here. If we have your contact information, we will notify you of these changes. Otherwise, updated information will always be easily available on our websites.
