Privacy Policy

Last updated: 18 March 2026

1. Introduction

ArcticTrail ("we", "our", or "us"), operated by Jørgen Bakkehaug, Ropnesvegen 43, 9107 Kvaløya, Norway, is the data controller responsible for your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and campervan rental services, in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).

2. Information we collect

We collect the following categories of personal information:

• Identity data: full name, date of birth
• Contact data: email address, phone number, postal address
• Driver information: driver's license number, issuing country, license category
• Booking data: rental dates, vehicle, selected extras, booking history
• Payment data: billing address, last four digits of card (full card details are processed directly by Stripe and never stored by us)
• Communications: emails and messages you send us
• Technical data: IP address, browser type, and pages visited, collected automatically when you use our website

3. Legal basis for processing

We process your personal data on the following legal grounds under GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)): processing your booking, managing your rental, and handling payments
• Legal obligation (Art. 6(1)(c)): retaining accounting records, complying with insurance requirements, and cooperating with law enforcement when required
• Legitimate interests (Art. 6(1)(f)): preventing fraud, improving our services, and maintaining the security of our systems
• Consent (Art. 6(1)(a)): sending promotional communications — you may withdraw consent at any time

4. How we use your information

We use the information we collect to:

• Process and manage your campervan rental bookings
• Send booking confirmations, reminders, and updates
• Process payments and issue refunds
• Verify your identity and driving licence eligibility
• Handle modifications, cancellations, and disputes
• Comply with legal and regulatory obligations
• Detect and prevent fraud or misuse
• Send promotional communications (only with your consent)

5. Data processors and third parties

We do not sell your personal information. We share data only where necessary with the following processors and parties, each bound by appropriate data protection agreements:

• Stripe (USA): payment processing. Stripe is certified under the EU–US Data Privacy Framework. See stripe.com/privacy
• Resend (USA): transactional email delivery (booking confirmations, reminders). Data is processed under standard contractual clauses
• Insurance providers: your driver and booking details are shared when required to arrange or process insurance claims
• Law enforcement and authorities: when required by applicable law or a court order

6. International data transfers

Some of our data processors (Stripe, Resend) are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place — either through an adequacy decision, the EU–US Data Privacy Framework, or Standard Contractual Clauses approved by the European Commission.

7. Data security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. Payment card data is processed entirely by Stripe and is never stored on our servers. Access to booking data is restricted to authorised personnel only.

8. Data retention

We retain your personal information only for as long as necessary for the purposes described in this policy. Specifically:

• Booking and payment records: 7 years, as required by Norwegian accounting law (bokføringsloven)
• Driver's licence information: deleted within 30 days of the rental end date
• Marketing consent records: retained until you withdraw consent
• Technical/log data: up to 90 days

9. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Booking eligibility is assessed by our team, not by automated systems.

10. Cookies

Our website uses only essential cookies required for core functionality (such as session management and payment processing). We do not use tracking cookies, analytics cookies, or third-party advertising cookies without your explicit consent.

11. Your rights

Under GDPR and Norwegian privacy law, you have the following rights:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your data where we no longer have a legal basis to retain it
• Restriction: request that we limit how we process your data in certain circumstances
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests
• Withdraw consent: withdraw marketing consent at any time without affecting prior processing

To exercise any of these rights, contact us at support@arctictrail.no. We will respond within 30 days. We may need to verify your identity before acting on a request.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify affected customers by email where possible.

13. Contact and complaints

If you have questions about this Privacy Policy or wish to exercise your rights, contact us:

ArcticTrail
Ropnesvegen 43, 9107 Kvaløya, Norway
Email: support@arctictrail.no
Phone: +47 400 31 175

If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
www.datatilsynet.no
Email: postkasse@datatilsynet.no