Privacy Policy
Last Updated: August 10, 2025
1. Introduction
This Privacy Policy explains how Thelma Biotel AS (“we”, “us”, “our”) collects, uses, and protects personal data when you use our website and related services. As a Norwegian company, our processing is governed by the General Data Protection Regulation (GDPR), which we apply globally.
Address: Klæbuveien 196B, 7037 Trondheim, Norway
Org.nr: 993 452 890
Email: [email protected]
2. How we collect and use your information
Our data processing is described by purpose and legal basis. We use the minimum personal data needed and apply short retention periods.
A. Processing based on our legitimate interests (GDPR Art. 6(1)(f))
- Website delivery, security & fraud prevention.
We host our website and a reverse proxy for analytics on DigitalOcean App Platform (EU region). When you visit, your device necessarily shares network identifiers (e.g., IP address, user agent, request metadata) with our server and DigitalOcean’s networking layer to route traffic, balance load, detect abuse, and keep the service secure.
Analytics boundary: Our reverse proxy drops client IP information (including in X-Forwarded-For and similar headers) before any analytics or session replay processing. Full IPs are not stored by our analytics platform.
- Error tracking & performance.
We collect pseudonymous error reports (e.g., stack traces, timing) to identify and fix technical problems. These reports are not designed to identify you and never record form inputs.
- Regional compliance check (one-time, coarse).
A single country-level check derived from your IP address may be used to apply appropriate privacy settings. The result is used immediately and is not stored long-term.
Right to object: You may object to processing based on legitimate interests (see Section 5).
B. Processing based on your consent (GDPR Art. 6(1)(a))
These are off until you opt in via our banner/settings. You can change your choices at any time.
- Analytics (pseudonymous).
Purpose: understand site usage to improve features and content.
Data: page views, events (click/scroll), device/browser, session ID, pseudonymous identifier.
IP handling: full IPs are not stored by analytics.
Retention: 12 months.
- Session replays / experience improvement (pseudonymous).
Purpose: diagnose usability issues and optimize user experience.
Data: page layouts, clicks, scrolls. Keystrokes and form inputs are masked and not recorded.
Retention: 12 months.
- Email newsletter (Mailchimp).
If you sign up (footer form), we process your email address to send updates. Legal basis: consent. Unsubscribe at any time via the link in any email or by contacting us. Emails may include standard open/click measurement to improve content.
Where we rely on consent, you may withdraw it at any time via Manage Cookies or the unsubscribe link/email; withdrawal does not affect processing already performed.
C. Processing to comply with law (GDPR Art. 6(1)(c))
We may retain minimal records necessary to demonstrate compliance (e.g., proof of consent, records of rights requests and responses).
3. Cookies, Similar Technologies, and Your Choices
We use cookies, localStorage, and similar technologies.
- Strictly necessary (always on): required to provide the website, keep it secure, route traffic, and remember your privacy choices.
- Non-essential (only with consent): analytics and session replays.
On your first visit we ask for consent for non-essential technologies. We do not activate them until you agree. You can withdraw or adjust consent at any time via “Manage Cookies” (persistent link in the footer). We keep a record of consent to demonstrate compliance.
Below is a detailed list of the specific technologies used on our website.
A. Strictly Necessary Technologies
These are used to remember your privacy choices and do not require your consent.
| Name | Storage Type | Provider | Purpose | Expiration |
|---|---|---|---|---|
| cookie_consent | localStorage | Thelma Biotel | Stores your specific consent choices (e.g., for analytics) so we don't have to ask you again on every visit. | Persistent |
B. Technologies Used with Your Consent (Analytics & Experience Improvement)
These are only activated if you explicitly opt in to the relevant categories. The dynamic part of the name (phc_...) is a unique key for our website.
| Name | Storage Type | Provider | Purpose | Expiration |
|---|---|---|---|---|
| ph_..._posthog | Cookie, localStorage, sessionStorage | PostHog | Contains your unique, anonymous user ID (distinct_id), current session information, and other properties needed for analytics. | Cookie: 1 year; localStorage: Persistent; sessionStorage: Session |
| __ph_opt_in_out_... | localStorage | PostHog | Remembers your choice to opt in to tracking, ensuring your preferences are respected. | Persistent |
4. Data Sharing and Third-Party Processors
We do not "sell" or "share" your personal information with third parties for marketing or advertising purposes.
Processors: We use the following processors to run this website and related services:
- Hosting & infrastructure: DigitalOcean (App Platform, EU region: AMS3). DigitalOcean provides the compute/network infrastructure that serves this website and our reverse proxy. In the course of providing hosting, they may process network metadata (e.g., IP addresses in connection logs) and request content transiently as part of routing and delivering traffic. We do not use DigitalOcean for analytics or marketing.
- Analytics & session replays: PostHog EU Cloud. We use PostHog's EU-based cloud service (eu.posthog.com) under a contractual agreement that ensures data is processed only on our instructions and is stored within the European Economic Area (EEA).
- Mailchimp (Intuit) – email newsletter provider (processor).
Data processed: email address, consent status, send/engagement metrics (opens/clicks).
Location & transfers: may be processed outside the EEA; safeguarded by EU Standard Contractual Clauses (SCCs). We minimize what we send to Mailchimp and use it only for newsletters.
IP address anonymization: Our reverse proxy drops your IP address before analytics data is sent to our analytics platform. This anonymization is an always-on measure that applies to all users.
5. Your Privacy Rights
We extend the rights granted to individuals under GDPR to all our users globally. These rights include:
- The Right to Access: You can request a copy of the data we hold about you.
- The Right to Rectification: You can ask us to correct inaccurate data.
- The Right to Erasure (Right to be Forgotten): You can request that we delete your personal data.
- The Right to Restrict Processing: You can ask us to limit how we use your data.
- The Right to Data Portability: You can request your data in a machine-readable format.
- The Right to Object: You can object to our processing of your data based on legitimate interest.
- The Right to Lodge a Complaint: If you believe our data processing infringes regulations, you have the right to lodge a complaint with a supervisory authority. As our company is based in Norway, our lead supervisory authority is the Norwegian Data Protection Authority (Datatilsynet).
How to Exercise Your Rights: To make a request regarding your data, please contact us at [email protected]. To fulfill a deletion or access request for analytics data, we will need you to provide the unique PostHog distinct_id from your browser to verify your identity.
6. Region-Specific Information
For US Residents
We recognize the privacy rights afforded to residents of US states like California. For a detailed overview, please see our US Privacy Choices page. We do not "sell" or "share" personal information as defined by the California Consumer Privacy Act (CCPA), and we honor the Global Privacy Control (GPC) signal.
For Residents of China
To ensure compliance with China's Personal Information Protection Law (PIPL), we do not collect or process personal information for analytics or tracking purposes from users identified as being in mainland China. If you are in mainland China and believe we processed your personal information, please contact us at [email protected].
7. Data Security and Retention
We employ appropriate technical and organizational measures to secure your data against unauthorized access, loss, or destruction. We retain analytics and session recording data for a period of 12 months, after which it is automatically deleted. Data related to other inquiries is retained only for as long as necessary to resolve the matter.
8. Children
Our services are not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us data, contact us and we will take appropriate steps.
9. Changes to This Policy
This Privacy Policy may be updated periodically. All changes will be posted on this page with an updated revision date.
10. Contact Us
For questions regarding this Privacy Policy or our data practices, you can contact us at [email protected].