Privacy Policy
Last updated: October 18, 2025
Summary
This policy explains what data we collect, why, how long we keep it, who we share it with, where it is processed, and your rights under the EU/EEA General Data Protection Regulation (GDPR).
Who We Are (Controller)
Norden Explore (“Norden Explore”, “we”, “us”) is the data controller for personal data processed via our website, Node-RED coordination flows, and AI-assisted itinerary services (“Services”).
- Email: privacy@nordenexplore.com
- Website: www.nordenexplore.com
- Postal address: Skovbrinken 9, 4060 Kirke Såby, Denmark
Scope
This policy covers personal data we collect from you when you use our site or Services, contact us, or receive emails from us. It does not cover third-party sites we link to.
What We Collect
Data you provide
- Identity and contact: name, email.
- Trip details: origin, destination(s), dates, group size, budget, preferences.
- Optional info: dietary needs, accessibility notes, interests.
- Communications: messages, feedback, email replies.
We ask you to avoid sharing special categories of data (e.g., health data beyond high-level dietary or accessibility notes). If such data is provided, we will delete or minimize it unless strictly necessary and with your explicit consent.
Data collected automatically
- Technical data: IP address, country/region, device, OS, browser, referrer.
- Usage data: pages visited, timestamps, interactions, approximate location.
- Cookies/SDKs: strictly necessary; analytics only with consent (see Section 12).
Purposes and Legal Bases
| Purpose | Examples | Legal basis |
|---|---|---|
| Deliver Services | Create and send itineraries; respond to requests | Art. 6(1)(b) contract or steps prior to a contract |
| Service improvement & analytics | Measure feature usage; fix problems | Art. 6(1)(a) consent (analytics cookies); or Art. 6(1)(f) legitimate interests for strictly aggregated, cookie-less metrics |
| Security & fraud prevention | Prevent abuse; keep systems secure | Art. 6(1)(f) legitimate interests; Art. 6(1)(c) legal obligations |
| Communications | Trip emails, operational notices | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests |
| Marketing (optional) | Updates or offers | Art. 6(1)(a) consent; you may opt out anytime |
AI & Automated Processing
We use AI to assist itinerary drafting. Inputs typically include destination, dates, constraints, preferences, and non-sensitive notes. We do not rely on automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR). Human review is part of our process.
Data Minimization
We only request data needed to plan a trip. Optional fields are clearly marked. You can choose not to share them.
Sub-Processors (Processors)
We use vetted providers under written data processing terms and, where applicable, Standard Contractual Clauses (SCCs):
- Neon (PostgreSQL, EU) – stores trip requests, itinerary drafts, minimal logs (encrypted at rest).
- Vercel – hosts our web/app; limited technical logs.
- Email provider (e.g., Resend or SendGrid) – sends emails and delivery logs.
- Amadeus API – retrieves flight/hotel availability based on itinerary parameters.
- OpenAI API – generates itinerary suggestions from non-sensitive trip inputs.
We maintain an internal record of current processors and will update this section when it materially changes. A Data Processing Addendum (DPA) is available upon request.
International Transfers
Where data is transferred outside the EEA (e.g., to the US), we rely on SCCs or other valid transfer mechanisms and implement supplementary safeguards where necessary. You can request a copy of relevant SCCs (commercially confidential terms may be redacted).
Security
- TLS for data in transit; encryption at rest for stored data (e.g., database encryption).
- Least-privilege access, MFA for administrative accounts, and audit logging.
- Regular updates and vulnerability remediation.
Retention
| Category | Default retention | Rationale |
|---|---|---|
| Itineraries & trip requests | Up to 12 months | Trip servicing and improvements |
| Email delivery logs | Up to 6 months | Troubleshooting and abuse prevention |
| Server/security logs | 30 days | Security, reliability |
You can request earlier deletion; see Section 15.
Cookies & Consent
We use strictly necessary cookies for core functionality. Analytics and marketing cookies run only with your consent. You can change your preferences anytime via our cookie banner or browser settings. We respect the choices stored in our consent manager and signal them to integrated services (e.g., GA4 Consent Mode).
Children
Our Services are not intended for individuals under 18. We do not knowingly collect children’s data.
Sharing
We do not sell personal data. We share data only with processors listed above, with your consent, as required by law, or to protect rights, safety, and security.
Your GDPR Rights
- Access your data and receive a copy
- Rectify inaccurate or incomplete data
- Erase data (“right to be forgotten”)
- Restrict or object to processing in certain cases
- Data portability (machine-readable copy)
- Withdraw consent at any time (does not affect prior lawful processing)
To exercise rights, email privacy@nordenexplore.com. We may need to verify your identity. We aim to respond within 30 days.
Complaints
You can lodge a complaint with your local EU supervisory authority. In Denmark: Datatilsynet (Danish Data Protection Agency).
Data Breach Handling
We monitor for security incidents. If a breach creates a risk to your rights and freedoms, we will notify the competent authority and, where required, affected individuals without undue delay, including relevant facts and measures taken.
Changes to This Policy
We may update this policy to reflect changes to our practices or legal requirements. We will post the new version with an updated “Last updated” date and, if changes are material, provide a clear notice.
Contact
Norden Explore
Email: privacy@nordenexplore.com
Website: www.nordenexplore.com
Postal address: Skovbrinken 9, 4060 Kirke Såby, Denmark