Privacy policy

Last updated 8 January 2025

Norselab Group AS (hereinafter referred to as "Norselab" or “we”) is committed to protecting your individual rights and keeping your personal data safe in accordance with the Data Protection Regulation (Regulation (EU) 2016/679).

This policy covers all the companies in Norselab Group, and the work done by our data processors. When referring to Norselab throughout this document, we include the following companies:

  • Norselab Credit Strategies AS
  • Norselab Investment Management AS
  • Norselab Impact AS

Norselab, represented by the Chief Executive Officer, is the data controller of the company with which you have entered into an agreement.

This privacy policy describes how we collect, disclose, and otherwise process your personal data. It also outlines your privacy rights regarding access, correction, and deletion of your personal information.

Changes in our services or regulatory changes may lead to changes to this privacy policy. The latest version will always be available at https://norselab.com/privacy-policy.

1. What is personal data?

Personal information is any information that can be linked to you as a person. Name, date of birth, e-mail addresses and company names are examples of personal information.

2. Purpose of processing personal data

At Norselab, we ensure that there is a legal basis for processing your personal data. We collect and verify your information prior to entering into an agreement with you. Once an agreement is established, we use your personal data to document, administer, and execute tasks necessary to deliver the agreed services in compliance with the legal requirements applicable to investment firms in Norway.

In certain cases, we may process personal data based on a legitimate interest that outweighs your interest in data protection. This includes processing your data for direct marketing purposes and sending invitations to meetings and other relevant events.

3. Sources of information

We collect personal data from various sources to ensure compliance with legal requirements. We primarily gather information directly from you or your company through agreements and correspondence.

We may also collect personal data from other external sources, including publicly available records and other external databases. This is particularly relevant when performing mandatory due diligence checks to prevent money laundering. Such information may be retrieved from sanctions lists maintained by international organizations like the EU, as well as registers held by governmental agencies such as the Norwegian National Population Register (“Folkeregisteret”) and the Norwegian Tax Administration (“Skatteetaten”). We also use commercial information providers to obtain details about beneficial owners and politically exposed persons (“PEPs”).

4. The Use of Personal Data

We process your personal data to comply with the legal obligations and purposes described below.

  1. To verify your identity: For this purpose, we use contact information and identity information.
  2. For anti-money laundering and prevention of criminal activities: We will process personal data to prevent, detect, resolve, and handle fraud and other criminal activities and to fulfill the investigation and reporting obligations for suspicious transactions. For this purpose, we use identity information and anti-money laundering information (information about political exposure and sanctions from PEP and sanctions lists, as well as from other financial institutions and banks).
  3. To conduct suitability tests: For this purpose, we use identity information and financial information.
  4. To provide investment services: For this purpose, we use contact information and identity information, financial information, investment goals, investment history, and dialogue history.
  5. To manage your customer relationship: For this purpose, we use contact information, identity information, financial information, investment goals, investment history, and dialogue history.
  6. To document our investment services: For this purpose, we use communication.
  7. For accounting purposes: For this purpose, we use investment history.
  8. Sales, marketing, and reporting: For this purpose, we use contact information and investment history.
  9. To compile statistics and understand market trends: For this purpose, we use Google Analytics and Hubspot functionality.
  10. For internal control routines, troubleshooting, and maintenance of operational and security systems: For this purpose, we use contact information.

The legal basis for purposes 1, 2, 3, 4, 5, and 7 is that it is necessary to fulfill our agreement with you and to comply with our legal obligations under the Securities Trading Act, the Anti-Money Laundering Act, and the Accounting Act. The legal basis for purpose 6 is to comply with our obligations related to investment services under the Securities Trading Act.

The legal basis for purpose 8 is to offer you customized offers and information. If we have an existing client relationship with you, we have a legitimate interest to send you marketing material about our services corresponding to the services the client relationship is based on. If we do not have an existing client relationship, the legal basis for the marketing will be your consent.

The legal basis for purpose 9 is a legitimate interest that outweighs the individual's privacy. We compile statistics and map market trends to improve and further develop our services. As far as practically possible, we try to do this with anonymous information, without knowing that the information is specifically linked to you.

The legal basis for purpose 10 is a legitimate interest that outweighs the individual's privacy. Norselab’s interest in processing your personal data in such a context is justified by our legal obligation to fulfill the security requirements imposed by the General Data Protection Regulation (GDPR) and the ICT Regulations.

5. Security measures

We are dedicated to keeping your personal data safe and secure. We maintain appropriate technical, physical, and organizational measures to protect the data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, or access.

We regularly assess the security of systems used for handling personal data and have agreements with our service providers to ensure adequate information security. Access to personal data is limited to personnel who need it to perform their job duties. Additionally, we have established internal IT guidelines and provide regular training to our employees on security and the use of IT systems.

6. Retention period

Retention periods vary based on the type of information and how it is used. We will keep your data for as long as necessary for the purposes for which it was collected and processed or as required by laws and regulations.

Legal Basis: Securities Trading Act and related regulations
Category of Personal Data:
Documentation and information required to be retained under the Securities Trading Act and regulations, including customer information.
Retention Period:
Minimum five years after termination of the client relationship.

Legal Basis: Anti-Money Laundering Act
Category of Personal Data:
Retention of information related to customer due diligence and suspicious transactions.
Retention Period:
Retention of information related to customer due diligence and suspicious transactions.

Legal Basis: Accounting Act and related regulations
Category of Personal Data:
Retention of accounting material.
Retention Period:
Up to 10 years.

7. Disclosure of Personal Data to external parties

We will only share your personal data on a strict need-to-know basis with authorized third parties, as required by statutory obligation and to fulfill the agreement with you. This may include public authorities, Norselab Group companies (with your consent), our service providers, and business partners such as custodians, distributors, IT providers, legal counsel, and accountants.

Our agreements with these service providers are strictly governed and include Data Processing Agreements that set out requirements for security and use of personal data.

8. Transfer of personal data to other countries

In some cases, we may transfer personal data to countries outside the EU and EEA. We only transfer personal data to countries outside the EU and EEA that the European Commission considers to provide an adequate level of protection, or to subcontractors who have committed to protecting your personal data through the EU's standard contractual clauses. Where necessary, we have implemented additional technical and organizational measures to achieve an adequate level of protection.

9. Your Rights

You have the following rights in respect of the personal data processed about you:

  1. Access your personal data: You have the right to access the personal data processed by Norselab. This includes a copy of the data and information about how we process your personal data.
  2. Rectification: You have the right to request that personal data be corrected if they are incomplete or incorrect.
  3. Erasure: You have the right to request that Norselab delete personal data about you in certain situations. The right to erasure does not apply if Norselab needs the data to fulfill the purpose for which the data was collected or because processing is necessary to fulfill a legal obligation or to establish, exercise, or defend a legal claim.
  4. Restricted processing: If you dispute the accuracy of the personal data Norselab processes, you believe the processing is unlawful, or you believe the processing is no longer necessary to achieve the purpose of the processing, you have the right to request that the processing be restricted. The same applies if you have objections to the processing.
  5. Withdraw consent: If the processing of personal data is based on consent, you have the right to withdraw your consent at any time.
  6. Object to processing: You can object to the processing of personal data if the processing is based on Norselab’s legitimate interest, including direct marketing and profiling in connection with such marketing.
  7. Data portability: You have the right to receive the personal data you have provided to Norselab in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller if the processing is based on consent or contract and is carried out by automated means.
  8. Complain: If you believe that our processing of your personal data is in violation of GDPR, you have the right to file a complaint with the Norwegian Data Protection Authority (“Datatilsynet”). Contact information and procedures are available at www.datatilsynet.no.

10. How We Use Cookies

We use cookies on our websites. These help us customise the content specifically to you. To save cookies, you must accept them when visiting norselab.com. You have the right to revoke cookie consent at any time. We use services from Cookiebot and Norse.co to administer this functionality on norselab.com.

11. Contact us

If you have any questions regarding this privacy policy or wish to exercise your rights, you may contact us at hello@norselab.com.

We will respond to your inquiry as soon as possible and are committed to providing you with feedback within 30 days.