Effective date: 01.05.2026 Last updated: 01.05.2026
1. Introduction
This Privacy Policy explains how Innore OÜ (“Innore”, “we”, “us” or “our”) collects, uses, stores and protects your personal data when you:
- visit our website www.innore.eu (or national subdomain such as www.innore.no);
- place an order through our online store or product configurator;
- contact us by email, phone, or via any contact form;
- subscribe to our newsletter;
- act as a business contact of a customer or supplier.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act (isikuandmete kaitse seadus), and – for users in Norway – the Norwegian Personal Data Act (personopplysningsloven), which implement the GDPR through the EEA Agreement.
2. Data Controller
The data controller is:
Innore OÜ Registration code: 14079548 Registered address: Nirgi tee 9, Reola, Kambja vald, Tartumaa, 61713, Estonia Email: info@innore.eu Phone: +372 58504434
For privacy-related questions, please contact us at: info@innore.eu
3. Categories of Personal Data We Process
3.1. Consumer customers
- Identity data: name, date of birth (where required for delivery);
- Contact details: email, phone number, delivery address, invoicing address;
- Order data: products ordered, configurator inputs (measurements, drawings, selections), order history, communication history;
- Payment data: payment method, billing details, transaction reference (we do not store full card numbers);
- Technical data: IP address, browser type, device identifiers, website interaction data, cookie data;
- Marketing data: newsletter subscription status, communication preferences, campaign response data.
3.2. Business customer contact persons (B2B)
- Professional identity: name, job title, company name, registration code of the company;
- Professional contact: work email, work phone, business address;
- Project data: project-related correspondence, drawings, technical specifications;
- Contract and invoicing data.
3.3. Website visitors
- Technical data as described in section 3.1, to the extent collected through cookies and analytics tools (see section 10).
4. Purposes and Legal Bases of Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Processing and fulfilling orders, including manufacturing Configurator Products | Performance of contract (Art. 6(1)(b)) |
| Delivery of products and arranging carriage | Performance of contract (Art. 6(1)(b)) |
| Customer support and handling complaints | Performance of contract / legitimate interest (Art. 6(1)(b), (f)) |
| Invoicing and accounting | Legal obligation (Art. 6(1)(c)) |
| Compliance with tax, VAT (including Norwegian VOEC), customs and consumer protection obligations | Legal obligation (Art. 6(1)(c)) |
| Communication with business customer contacts regarding projects | Legitimate interest (Art. 6(1)(f)) |
| Direct marketing (newsletters, promotional emails) to existing customers | Legitimate interest (Art. 6(1)(f)), with opt-out at any time |
| Direct marketing to new prospects | Consent (Art. 6(1)(a)) |
| Website analytics (non-essential cookies) | Consent (Art. 6(1)(a)) |
| Establishing, exercising or defending legal claims | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
5. Retention Periods
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
| Data category | Retention period |
|---|---|
| Order, contract and invoice data | 7 years after the end of the financial year in which the transaction occurred (Estonian Accounting Act § 12) |
| Customer account data | For the duration of the customer relationship plus 3 years (limitation period for contract claims) |
| Configurator drawings and technical specifications | 7 years (together with the order record) |
| Customer complaints and dispute records | 3 years after final resolution, or longer if required for legal proceedings |
| Warranty and complaint case files (for consumers with 5-year complaint periods) | Duration of the complaint period plus 3 years |
| Marketing data (newsletter subscribers) | Until consent is withdrawn or 3 years of inactivity |
| Website analytics data | Up to 26 months |
| Cookie data | See section 10 |
| Business inquiry data (without a subsequent contract) | Up to 12 months |
After the retention period expires, personal data is securely deleted or anonymised.
6. Recipients of Personal Data
We do not sell your personal data. We share personal data only with trusted third parties to the extent necessary for the purposes described above:
6.1. Categories of recipients
- Logistics and delivery providers: carriers handling delivery of goods to customers (e.g. DHL, DPD, DSV, or other contracted carriers);
- Payment service providers: processors of online payments, card transactions and invoicing;
- Accounting and tax advisors: external accountants handling invoicing, bookkeeping and tax filings;
- IT and hosting providers: providers of website hosting, email services, CRM, ERP and data storage;
- Analytics providers: providers of website analytics and marketing automation (where you have consented);
- Professional advisors: lawyers, auditors and consultants bound by confidentiality;
- Public authorities: tax authorities, customs authorities (including Norwegian customs via VOEC), and supervisory bodies, where required by law.
6.2. Transfers outside the EU/EEA
Some of our service providers may be located outside the EU/EEA or transfer data to third countries (for example, cloud services operated from the United States). In such cases we ensure that transfers take place under appropriate safeguards under GDPR Chapter V, including:
- EU Commission adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- additional technical and organisational safeguards where required.
You may request a copy of the relevant safeguards by contacting info@innore.eu.
7. Your Rights as a Data Subject
Under GDPR (and the corresponding Norwegian law for users in Norway), you have the following rights:
- Right of access (Art. 15): to obtain confirmation of whether we process your data, and a copy of that data;
- Right to rectification (Art. 16): to correct inaccurate or incomplete data;
- Right to erasure / “right to be forgotten” (Art. 17): to have your data deleted where one of the grounds in Art. 17 applies (note: this right is limited by our legal obligation to retain transaction and accounting records for 7 years);
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20): to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another controller;
- Right to object (Art. 21): to object to processing based on legitimate interests, including direct marketing. You have an unconditional right to object to direct marketing at any time;
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before the withdrawal);
- Right not to be subject to automated decision-making (Art. 22): we do not engage in automated decision-making with legal or similarly significant effects on you.
To exercise any of these rights, please contact us at info@innore.eu. We will respond without undue delay and in any event within 1 month of receipt. This period may be extended by 2 further months where necessary, taking into account the complexity and number of requests.
8. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.
The competent lead supervisory authority for Innore is:
- Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) Tatari 39, 10134 Tallinn, Estonia info@aki.ee www.aki.ee
You may also lodge a complaint with the data protection authority of your country of residence:
- Norway: Datatilsynet, www.datatilsynet.no
- Finland: Tietosuojavaltuutetun toimisto, www.tietosuoja.fi
- Sweden: Integritetsskyddsmyndigheten (IMY), www.imy.se
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, including:
- encrypted data transmission (TLS/HTTPS);
- access controls and authentication;
- regular backups and disaster recovery procedures;
- confidentiality obligations for employees and contractors;
- vendor due diligence for third-party processors.
In case of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify affected individuals.
10. Cookies
Our website uses cookies and similar technologies to ensure proper website functionality, to analyse website usage and to improve user experience.
10.1. Categories of cookies used
| Category | Purpose | Consent required | Typical lifetime |
|---|---|---|---|
| Strictly necessary cookies | Basic website functionality (login, shopping cart, security) | No (essential) | Session / up to 12 months |
| Preference cookies | Remembering language, region, configurator state | Yes | Up to 12 months |
| Analytics cookies | Measuring website usage (e.g. Google Analytics) | Yes | Up to 24 months |
| Marketing cookies | Personalised advertising and remarketing | Yes | Up to 12 months |
10.2. Managing cookie preferences
On your first visit to our website, you are presented with a cookie banner where you can accept or reject non-essential cookies. You can change your preferences at any time through the “Cookie settings” link in the website footer or by clearing cookies in your browser.
10.3. Third-party cookies
We may use third-party services (e.g. Google Analytics, Meta Pixel) that place their own cookies. These providers process data under their own privacy policies.
11. Children’s Privacy
Our products and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version is always available on our website with the “Last updated” date. Material changes will be communicated to registered customers by email at least 30 days before taking effect.
13. Contact
For any questions, requests or complaints regarding your personal data, please contact:
Innore OÜ Email: info@innore.eu Address: Nirgi tee 9, Reola, Kambja vald, Tartumaa, 61713, Estonia
Privacy Policy — INNORE AS
Effective date: 01.05.2026 Last updated: 01.05.2026
1. Introduction
This Privacy Policy explains how INNORE AS (“Innore”, “we”, “us”) collects, uses, stores and protects personal data when you:
- visit our website www.innore.no
- place an order in the online store or through the product configurator
- contact us by email, phone, or via a contact form
- subscribe to our newsletter
- act as a contact person for a customer or supplier.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), which applies in Norway through the EEA Agreement, and the Norwegian Personal Data Act (personopplysningsloven).
2. Data Controller
INNORE AS
- Registration number: 819 337 772
- Registered address: Busedal 17, 1925 Blaker, Norge / Norway
- Email: info@innore.eu
- Phone: +4740342841
For privacy-related questions: info@innore.eu
3. Categories of Personal Data
3.1. Consumer customers
- Identity data: name, date of birth (where necessary for delivery)
- Contact details: email, phone number, delivery address, invoicing address
- Order data: products ordered, configurator inputs (measurements, drawings, selections), order history, communication history
- Payment data: payment method, billing details, transaction reference (full card numbers are not stored)
- Technical data: IP address, browser type, device identifiers, website interaction data, cookie data
- Marketing data: newsletter subscription status, communication preferences, campaign response data.
3.2. Business customer contact persons
- Professional identity: name, job title, company name, registration number
- Professional contact: email, phone, business address
- Project data: project-related correspondence, drawings, technical specifications
- Contract and invoicing data.
3.3. Website visitors
Technical data as described in section 3.1, to the extent collected through cookies and analytics tools (see section 10).
4. Purposes and Legal Bases
| Purpose | Rettslig grunnlag (GDPR art. 6) / Legal basis |
|---|---|
| Behandling og oppfyllelse av bestillinger, inkludert produksjon av Konfiguratorprodukter / Processing and fulfilling orders, including manufacturing of Configurator Products | Oppfyllelse av avtale / Performance of contract (art. 6(1)(b)) |
| Product delivery and transport arrangements | Oppfyllelse av avtale / Performance of contract (art. 6(1)(b)) |
| Customer support and handling of complaints | Oppfyllelse av avtale / berettiget interesse (art. 6(1)(b), (f)) / Performance of contract / legitimate interest |
| Invoicing and accounting | Rettslig forpliktelse / Legal obligation (art. 6(1)(c)) |
| Compliance with tax, VAT, customs and consumer protection obligations | Rettslig forpliktelse / Legal obligation (art. 6(1)(c)) |
| Communication with B2B contact persons regarding projects | Berettiget interesse / Legitimate interest (art. 6(1)(f)) |
| Direct marketing to existing customers | Berettiget interesse, kan trekkes tilbake / Legitimate interest, can be withdrawn (art. 6(1)(f)) |
| Direct marketing to new prospects | Samtykke / Consent (art. 6(1)(a)) |
| Website analytics (non-essential cookies) | Samtykke / Consent (art. 6(1)(a)) |
| Establishing, exercising or defending legal claims | Berettiget interesse / Legitimate interest (art. 6(1)(f)) |
| Fraud prevention and security | Berettiget interesse / Legitimate interest (art. 6(1)(f)) |
5. Retention Periods
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
| Data category | Retention period |
|---|---|
| Order, contract and invoice data | 5 år etter utløpet av regnskapsåret transaksjonen skjedde (bokføringsloven § 13) / 5 years after end of accounting year (Norwegian Accounting Act § 13) |
| Customer account data | Duration of customer relationship + 3 years |
| Configurator drawings and technical specifications | 5 years (with order record) |
| Complaint records and dispute information | 3 years after final resolution, or longer if required for legal proceedings |
| Complaint case files (for 5-year complaint period products) | Complaint period + 3 years |
| Marketing data (newsletter subscribers) | Until consent is withdrawn or 3 years of inactivity |
| Website analytics data | Up to 26 months |
| Cookie data | See section 10 |
| Inquiry data (without subsequent contract) | Up to 12 months |
After the retention period expires, personal data is securely deleted or anonymised.
6. Recipients of Personal Data
We do not sell personal data. We share personal data only with trusted third parties to the extent necessary for the purposes described:
6.1. Categories of recipients
- Logistics and delivery providers: carriers handling delivery of goods
- Payment service providers: processors of online payments, card transactions and invoicing
- Accounting and tax advisors: external accountants
- IT and hosting providers: website hosting, email, CRM, ERP, data storage providers
- Analytics providers: providers of website analytics and marketing automation (with consent)
- Professional advisors: lawyers, auditors, consultants bound by confidentiality
- Public authorities: tax, customs and supervisory authorities, where required by law.
6.2. Intra-group transfer to Innore OÜ (Estonia)
INNORE AS is a subsidiary of INNORE OÜ, an Estonian parent company. To deliver services efficiently, INNORE AS shares certain personal data with INNORE OÜ (registration code 14079548, Nirgi tee 9, Reola, Kambja vald, Tartumaa, Estonia) for the following purposes:
- manufacturing of ordered products (production takes place at INNORE OÜ’s facility in Estonia)
- shared IT systems (CRM, ERP, customer portal)
- group accounting and reporting.
As Estonia is an EEA member state and part of the EU, the transfer is not considered a third-country transfer under GDPR. The same high level of protection applies in both jurisdictions.
6.3. Transfers outside the EEA
Some service providers may be located outside the EEA or transfer data to third countries (e.g. cloud services operated from the USA). In such cases, we ensure transfers take place under appropriate safeguards under GDPR Chapter V, including:
- EU Commission adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- additional technical and organisational safeguards where required.
You may request a copy of the relevant safeguards by contacting info@innore.eu.
7. Your Rights as a Data Subject
Under GDPR and Norwegian data protection law, you have the following rights:
- Right of access (art. 15): to obtain confirmation whether we process your data and a copy of it
- Right to rectification (art. 16): to correct inaccurate or incomplete data
- Right to erasure / “right to be forgotten” (art. 17): to have your data deleted where one of the art. 17 grounds applies (note: this right is limited by our legal obligation to retain transaction and accounting records for 5 years)
- Right to restriction (art. 18)
- Right to data portability (art. 20): to receive your data in a structured, commonly used, machine-readable format
- Right to object (art. 21): to processing based on legitimate interest, including direct marketing. You have an unconditional right to object to direct marketing at any time
- Right to withdraw consent (art. 7(3)): where processing is based on consent, you can withdraw it at any time (this does not affect lawfulness before withdrawal)
- Right not to be subject to automated decisions (art. 22): we do not engage in automated decision-making with legal or similarly significant effects on you.
To exercise these rights, contact us at info@innore.eu. We will respond without undue delay and within 1 month of receipt. This period may be extended by 2 months where necessary, taking into account the complexity and number of requests.
8. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.
The competent supervisory authority for INNORE AS in Norway is:
Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum, 0105 Oslo
postkasse@datatilsynet.no
www.datatilsynet.no
If the complaint concerns transfer of personal data to INNORE OÜ (Estonia), it may also be addressed to the Estonian supervisory authority: Andmekaitse Inspektsioon (Tatari 39, 10134 Tallinn, Estonia, info@aki.ee, www.aki.ee).
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, including:
- encrypted data transmission (TLS/HTTPS)
- access controls and authentication
- regular backups and recovery procedures
- confidentiality obligations for employees and contractors
- vendor due diligence for third-party processors.
In case of a personal data breach likely to result in risk to your rights, we will notify the competent supervisory authority within 72 hours and, where necessary, affected individuals.
10. Cookies
Our website uses cookies and similar technologies to ensure proper website functionality, to analyse website usage and to improve user experience.
10.1. Cookie Categories
| Category | Purpose | Consent required | Duration |
|---|---|---|---|
| Strictly necessary** | Basic functionality | No (essential) | opptil 12 måneder / Session / up to 12 months |
| Preferences** | Language, region, configurator state | Yes | Up to 12 months |
| Analytics** | Website usage measurement | Yes | Up to 24 months |
| Marketing** | Personalised advertising | Yes | Up to 12 months |
10.2. Managing Cookies
On your first visit to our website, you are presented with a cookie banner where you can accept or reject non-essential cookies. You can change your preferences at any time through the “Cookie settings” link in the footer or by clearing cookies in your browser.
10.3. Third-party Cookies
We may use third-party services (e.g. Google Analytics, Meta Pixel) that place their own cookies. These providers process data under their own privacy policies.
11. Children’s Privacy
Our products and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version is always available on the website with the “Last updated” date. Material changes are communicated to registered customers by email at least 30 days before taking effect.
13. Contact
For questions, requests or complaints regarding your personal data:
INNORE AS Email: info@innore.eu Address: Busedal 17, 1925 Blaker, Norge / Norway
