Skip to content

Last updated: 27-05-2025

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal data when you use our website or services (such as booking a Northern Lights tour with us). It also outlines your rights under data protection laws (including the EU General Data Protection Regulation, or GDPR). By using our services, you agree to the handling of your information as described in this policy.

Personal Data We Collect

We only collect personal information that is necessary for providing our tour services and running our website. This may include:

  • Contact Information: Your name, email address, phone number, and country of residence. We collect these when you make an inquiry or booking so we can communicate with you.
  • Booking Details: Information related to your reservation, such as tour date, number of participants, preferences (for example, if you inform us of any special needs or requests), and any comments you provide.
  • Payment Information: When you book a tour, payment details (credit/debit card information) are processed securely through our payment provider. We do not store your full card number or security code on our servers; we only retain necessary transaction references (such as the last four digits of the card or a transaction ID) to process payments and refunds.
  • Identification (if required): In some cases, we might need passport numbers or ID (for example, if a third-party requires it for verification, or for certain legal compliance). Generally, our Northern Lights tours do not require ID collection, but if we ever need it (e.g. for child discount verification or safety reasons), we will only collect what is necessary.
  • Communication Records: If you contact us with questions, feedback, or complaints (via email, contact form, phone, or social media), we may keep a record of that correspondence, including your contact details and the content of the communication, to better assist you and improve our services.
  • Website Usage Data: When you visit our website, we may collect information about your device and browsing actions through cookies and similar technologies. This can include your IP address, browser type, pages viewed, and the time and date of your visit. (For more details, see our Cookie Policy.) This information helps us understand how users interact with our site and enables us to improve the user experience.
  • Location Data: Generally, we do not actively track your precise location, but your IP address might give a broad indication of your region or country when you use our website. This is mainly used for analytics and to show appropriate content (like correct currency or language).
  • Marketing Preferences: If you subscribe to our newsletter or opt-in to receive promotional emails, we will collect your name and email and note that you wish to receive marketing communications. We may also note your tour interests (e.g. "Northern Lights tours") to send relevant content. You can unsubscribe at any time.
  • Photos/Videos: On occasion, our guides or photographers may take photos or videos during the tour (for example, a group photo under the Northern Lights). We will only use identifiable images of you for marketing with your consent. If we take photos for you as part of the service (e.g. helping you get a Northern Lights picture), those are provided to you and not used by us unless you give permission. (Any such media we collect with consent would be considered personal data if you are identifiable.)

We strive to minimize the personal data we collect and will ask for consent when required. You have the choice not to provide certain information, but please understand that this may limit our ability to serve you (for instance, if we cannot get your contact info, we cannot confirm your booking).

How We Use Your Personal Data

We will use your personal data only for legitimate business purposes and in accordance with applicable law. The main purposes for which we process your data include:

  • Providing Our Services: We use your information to process and manage your tour bookings. This includes reserving your spot, arranging transportation, preparing for any special needs, and providing the tour itself.
  • Communication: We use your email and/or phone number to send you important messages about your booking. This includes booking confirmations, payment receipts, reminders prior to your tour, and notifications of any changes or cancellations (e.g. due to weather).
  • Customer Support: If you reach out with questions, requests, or issues, we will use your info to address your needs.
  • Improving Our Services: We might use feedback you provide or information about how you use our website to improve our tours and website.
  • Marketing (with consent): If you have opted in to receive marketing communications, we will use your email to send you newsletters, special offers, or updates about our tours and services. We will only send promotional emails if you have given consent, and you can opt out at any time.
  • Legal Obligations: We process certain data to comply with legal requirements, such as keeping financial transaction records for accounting, tax, and audit purposes, providing information to authorities where lawfully required, and handling any legal claims.
  • Security and Fraud Prevention: We may use personal data (like IP addresses or transaction information) to monitor and prevent fraud, hacking, or other security issues on our website.

We will not use your personal data for any purpose that is incompatible with the original purposes described above, unless we obtain your consent or are required/permitted by law to do so. We do not use your personal data for automated decision-making or profiling that has legal or significant effects on you without your explicit consent.

Legal Basis for Processing (GDPR Compliance)

Under the GDPR (applicable since we operate in Norway and serve international guests), we must have a valid "legal basis" for each use of personal data. Depending on the context, one or more of the following bases apply:

  • Contractual Necessity: When you book a tour with us, we enter into a contract to provide you the service. We need to process your personal data (e.g. name, contact, payment) to fulfill this contract. (GDPR Article 6(1)(b).)
  • Legitimate Interests: We may process data as needed for our legitimate business interests, provided such use is fair and does not override your rights, such as improving our services, ensuring IT security, or minor direct marketing to existing customers. (GDPR Article 6(1)(f).)
  • Legal Obligation: Some data processing is required for us to comply with laws or regulations, such as retaining transaction records for accounting. (GDPR Article 6(1)(c).)
  • Consent: We rely on your consent for certain types of processing that are not covered by the bases above, the clearest example being sending marketing communications and enabling non-essential cookies. (GDPR Article 6(1)(a).)

Where we rely on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing done before the withdrawal.

How We Share Your Data

We treat your personal data with care and confidentiality. We do not sell your personal information to third-party companies. However, in certain situations, we do need to share your data with third parties in order to operate our business and provide services to you, including service providers (payment processors, booking and IT services, email and communications services, analytics providers, and web hosting), tour partners or subcontractors where necessary to deliver the service, and authorities where required by law or to protect safety. In the unlikely event of a merger, acquisition, or sale of assets, your personal data might be transferred to the new owner, in which case we would ensure the continued confidentiality of your personal data.

When we share data with any third-party processor that processes it on our behalf, we ensure there is a data processing agreement in place requiring the third party to handle the data securely and only for the purposes we specify.

International Data Transfers

We are based in Norway (part of the European Economic Area, EEA) and generally aim to store and process data within the EEA. However, some of our third-party service providers may store data outside the EEA. If we transfer your personal data to a country outside the EEA, we will take steps to ensure your data receives an adequate level of protection, such as relying on EU adequacy decisions or Standard Contractual Clauses (SCCs) approved by the European Commission, or obtaining your explicit consent where appropriate.

Data Retention (How Long We Keep Your Data)

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal and business requirements:

  • Booking and Transaction Data: retained for a minimum of 5 years after the tour date, as required under Norwegian accounting and tax regulations.
  • Customer Communications: retained as long as necessary to address your inquiry or provide support; general inquiries that do not lead to a booking are typically deleted within 1-2 years.
  • Marketing Data: retained until you unsubscribe or withdraw consent.
  • Website Analytics Data: typically stored in aggregate form, with raw analytics data retained per our analytics settings (e.g. 26 months).
  • Legal Requirements: retained longer where necessary to comply with legal obligations or to protect our rights.

After the applicable retention period ends, and if we have no other valid reason to keep your data, we will either securely delete it or anonymize it. If you wish for us to delete your data sooner, you have the right to request erasure (see "Your Rights" below), and we will comply provided we are not required to keep the data for legal reasons.

Data Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. These include SSL/TLS encryption (HTTPS) for data in transit, secure and certified payment gateways, access controls restricting data to authorized personnel, secure storage with firewalls and monitoring, staff awareness of data privacy, and keeping our platform and software up to date.

Despite all these precautions, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. In the unlikely event of a data breach that could compromise your personal data, we will follow all applicable laws regarding breach notification, including notifying you and the Norwegian Data Protection Authority (Datatilsynet) where required.

Your Rights Under GDPR

As a data subject under the GDPR, you have various rights regarding your personal data, which we respect and uphold:

  • Right to Access: request a copy of the personal data we hold about you and information about how we process it.
  • Right to Rectification: request that we correct or update inaccurate or incomplete data.
  • Right to Erasure: ask us to delete your personal data where it is no longer needed and we have no legal obligation to keep it.
  • Right to Restrict Processing: request that we limit the processing of your data in certain circumstances.
  • Right to Object: object to certain processing, including direct marketing, which we will stop immediately.
  • Right to Data Portability: receive the data you provided in a structured, commonly used, machine-readable format.
  • Right not to be subject to automated decisions: we do not use automated decision-making that produces legal or similarly significant effects without human involvement.
  • Right to Withdraw Consent: withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: lodge a complaint with a supervisory authority. Our lead authority is the Norwegian Data Protection Authority (Datatilsynet).

To exercise any of your rights, please contact us (see "Contact Us" below). We may need to verify your identity before fulfilling certain requests, and we will respond within the legally required timeframes (usually one month). Some rights have limitations; where we cannot fully comply, we will explain why.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to provide and improve our services, as described in our Cookie Policy. When you first visit our site, you will be presented with a cookie consent banner where you can choose which non-essential cookies to accept. You can change your preferences at any time via our website's cookie settings or through your browser settings. For detailed information, please refer to our Cookie Policy.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this page and adjust the "Last updated" date. If changes are significant, we may also notify you directly. Your continued use of our services or website after any update will constitute your acceptance of the changes, to the extent permitted by law.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help.

  • Email: post@northernlightssafari.com
  • Address: Tromsø, Norway

We will gladly assist you with inquiries about the data we hold about you or any other privacy-related questions. Your trust is important to us, and we want you to feel safe and comfortable using our services.