Privacy Policy
Transparency about how we process your personal data — what we collect, why, for how long, and the rights you have.
Who we are
The GLØDI platform — glodi.no with its clinic pages, booking experience, and portals — is operated by Nordic Cognitive Labs AS, org. no. 933 866 327 (“GLØDI”, “we”). This policy explains how we process personal data about visitors, customers, clinics, practitioners, partners, and distributors, in accordance with the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act. Questions? Reach us at [email protected].
In short
We never sell your data
Personal data is shared only with the vendors needed to deliver the service — never sold or rented to third parties.
Your clinic owns your treatment record
Health and treatment data belongs to the clinic you visit. GLØDI stores it securely on the clinic's behalf and never uses it for its own purposes.
You control marketing
Newsletters and offers are sent only with your consent, and you can unsubscribe at any time with one click.
Self-service access and deletion
On My Page you can download your data and submit an erasure request yourself — no emails, no waiting.
No hidden tracking
Analytics cookies are set only if you accept them in the banner. Necessary cookies are used solely for login and security.
Strict access control
Data is isolated per clinic, encrypted, and access-controlled. Staff see only what they need to do their job.
Our two roles: data controller and data processor
GLØDI both delivers its own services to you and operates systems on behalf of clinics. Who is responsible for the processing depends on which data is involved:
GLØDI is the data controller
For data where GLØDI determines the purposes and means:
- Your GLØDI account and login details
- Your booking history across clinics on My Page
- GLØDI's own marketing and newsletters
- Website usage, cookies, and analytics
- Security, abuse prevention, and troubleshooting
- Subscriptions and billing for clinics (business customers)
The clinic is the controller — GLØDI is the processor
For data the clinic registers about you as its customer. GLØDI processes this only on the clinic's documented instructions, governed by a data processing agreement:
- The customer register and treatment history at each clinic
- Treatment notes, consultation forms, and consents
- Treatment photos (before/after)
- Messages between you and the clinic
- Campaigns and follow-ups the clinic sends via the platform
If you want access to or erasure of data a clinic has registered about you, the clinic makes that decision — GLØDI gives both you and the clinic the tools to handle it directly in the platform. Your data is never shared across clinics.
1. What data we process
We only process data that is necessary to deliver the services. What is registered depends on how you use GLØDI:
Website visitors
Technical information such as IP address, browser and device type, and page views. Analytics data is collected only if you consent to analytics cookies.
Customers
Name, email, and phone number, account settings, bookings and purchase history, gift cards, reviews, messages with the clinic, consents, and notification preferences.
Health and treatment data
Treatment notes, consultation forms, and treatment photos registered by the clinic. These are special categories of data and are covered in their own section below.
Payment details
Payments are handled by our payment providers. GLØDI never stores full card numbers — we only receive confirmation that a payment succeeded, plus references for receipts and settlements.
Clinics, practitioners, and partners
Identity and contact details, qualifications and authorisations, calendar and activity data, and data needed for settlements and reporting.
Distributors
Company and contact details, catalogue and order data, delivery events, and settlement data.
2. Purposes and legal bases
All processing has a defined purpose and a legal basis under GDPR Article 6 (and Article 9 for health data):
Delivering the service
Handling bookings, payments, gift cards, events, and customer relationships, and giving you access to My Page. Basis: contract, Art. 6(1)(b).
Health data and treatment records
Processed only with your explicit consent (Art. 9(2)(a)), or as part of health care where the clinic is subject to health legislation (Art. 9(2)(h) and the Health Personnel Act). The clinic is responsible for this processing.
Legal obligations
Retention of accounting records, record-keeping duties, and disclosure where legally required. Basis: legal obligation, Art. 6(1)(c).
Marketing
Newsletters and offers by email or SMS are sent with your consent (Art. 6(1)(a)), or within an existing customer relationship for similar services under the Norwegian Marketing Control Act § 15 — always with easy unsubscribe.
Security and improvement
Troubleshooting, abuse prevention, statistics, and service improvement. Basis: legitimate interest, Art. 6(1)(f) — you may object to such processing.
In plain terms: “contract” means the processing is required to deliver what you ordered; “consent” means you actively said yes and can withdraw at any time; “legal obligation” means the law requires it of us; “legitimate interest” means we have a genuine need that has been balanced against your privacy — and that you can object to.
3. Health data, treatment records, and photos
GLØDI is built for clinics that keep treatment records — so this category is held to stricter requirements than anything else:
Only with explicit consent
The clinic registers health data, treatment notes, and consultation answers only with your explicit consent, or where health legislation provides a basis as part of health care.
The clinic controls the record
The treatment record is kept and owned by the clinic as data controller. Access is limited to staff involved in your treatment and follow-up.
Photos
Before/after photos are used solely to document your treatment. They are never used in marketing without your separate, explicit consent.
Never for our own purposes
GLØDI never uses health or treatment data for its own purposes, analytics, or marketing, and the data is never shared across clinics.
AI-assisted record keeping
Where the clinic uses AI assistance (for example speech-to-text when writing treatment notes), the content is processed by our sub-processors solely to deliver the feature — it is never used to train AI models.
4. Marketing and communication
Consent first
Electronic marketing (email/SMS) is sent with your prior consent. The existing-customer exception in the Marketing Control Act § 15 is used narrowly — only for services similar to those you have already purchased.
Easy unsubscribe
Every marketing message includes an unsubscribe link, and you can manage channels and categories in the notification settings on My Page.
Two senders
GLØDI's own marketing is GLØDI's responsibility. Campaigns and follow-ups from your clinic are sent on the clinic's behalf — the clinic is then the controller and GLØDI the processor.
Service messages
Booking confirmations, reminders, and receipts are not marketing — they are sent as part of the agreement for the service you ordered.
5. Who we share data with
We never sell your personal data. We share it only with vendors necessary to deliver the service — all bound by data processing agreements under GDPR Article 28 — and with authorities where the law requires it:
Payments — Stripe and Vipps MobilePay
Card and Klarna payments are processed by Stripe (Ireland/USA); Vipps payments by Vipps MobilePay (Norway). Card data is stored with the payment provider, never with GLØDI.
SMS — Twilio
Delivery of SMS notifications and reminders (USA, with EU safeguards).
Hosting and storage — Google Cloud
Servers, database, and file storage for the entire platform, hosted in the EEA (Nordics). Email is delivered via Google.
AI and speech-to-text — Google and Anthropic
Used only for AI features the clinic has adopted. The content is never used to train the models.
Error tracking — Sentry
Technical error reports (EU region) so we can fix issues quickly.
Analytics — Google Analytics
Only if you have consented to analytics cookies.
Content delivery — Cloudflare
Fast delivery of public images and media.
Accounting — Fiken
When your clinic has connected the platform to its accounting system, sales and settlement data is transferred there. This is controlled by the clinic.
Public authorities
Only under a legal duty of disclosure, for example to tax authorities or police with legal grounds.
6. Transfers outside the EEA
Main rule
The platform is hosted and stored in the EEA: servers in Sweden and file storage in Finland (Google Cloud, Nordics). Some vendors — including Stripe, Twilio, Anthropic, Cloudflare, and certain Google services (such as analytics and email delivery) — may still process data in the USA.
Transfer safeguards
All transfers out of the EEA rely on a valid basis under GDPR Chapter V: the EU-U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses (SCCs) with supplementary measures where needed.
Access to the safeguards
You can contact us for more information about the transfer bases.
7. How long we keep data
We never keep data longer than necessary for the purpose — after that it is deleted or anonymised:
Your account
For as long as the account is active. You can request deletion at any time; data is then deleted or anonymised unless statutory retention requires otherwise.
Accounting records
Receipts, invoices, and settlements are kept for 5 years after the end of the accounting year, as required by the Norwegian Bookkeeping Act.
Treatment records and health data
Kept as long as health legislation requires. The clinic is responsible for record retention under the Health Personnel Act and the Patient Records Act.
Marketing consents
Until you withdraw them. The opt-out itself is kept so your objection continues to be honoured.
Technical logs
A short period, for security and troubleshooting only.
8. Your rights
As a data subject you have the following rights under the GDPR — exercising them is always free of charge:
- Access: know what data we hold about you, and receive a copy.
- Rectification: have inaccurate or incomplete data corrected.
- Erasure: have your data deleted (“the right to be forgotten”), unless statutory retention requires otherwise.
- Restriction: require processing to be restricted in certain situations.
- Data portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interest, including direct marketing.
- Withdraw consent: at any time, without affecting the lawfulness of processing up to that point.
- Automated decisions: you have the right not to be subject to purely automated decisions with legal effect — GLØDI makes no such decisions.
We respond to requests within 30 days (for complex cases the deadline may be extended by up to two months — you will be informed). If your request concerns data a clinic has registered about you, the clinic makes the decision; we make sure both you and the clinic have the tools to handle it in the platform.
Self-service on My Page
You don't need to send an email to exercise your rights. Under “Account & privacy” on My Page you can download a copy of your data, submit an erasure request, manage consents, and control your notification preferences.
Open privacy settings9. Cookies
We use two categories of cookies, in line with the Norwegian Electronic Communications Act § 2-7b:
Necessary
Required for login, security, the cart, and remembering your consent choice. These cannot be switched off.
Analytics (optional)
Google Analytics is set only if you consent in the banner. Everything is off by default (Google Consent Mode v2), your choice is remembered for six months, and you can change your mind at any time.
You can change which cookies you allow at any time:
10. Security
Encryption
All traffic is encrypted (TLS), and data is encrypted at rest as well.
Access control and isolation
Role-based access control for all staff, and strict data isolation between clinics — one clinic can never see another clinic's customers.
Traceability
Key actions are logged so unauthorised use can be detected and followed up.
Breach handling
In the event of a personal data breach we notify the Norwegian Data Protection Authority within 72 hours, and affected clinics and data subjects without undue delay.
11. Children and minors
Age limit
Booking and holding an account require you to be over 18 or have a guardian's consent. We do not direct marketing at children.
12. Changes to this policy
Notice of material changes
This policy is updated as needed. Material changes are announced on the platform or by email, and the date at the top always shows the current version.
Right to complain to Datatilsynet
If you believe we process your personal data in breach of the rules, we would appreciate the chance to resolve it — please contact us first. You always have the right to complain directly to the Norwegian Data Protection Authority (Datatilsynet).
Datatilsynet, Postboks 458 Sentrum, NO-0105 Oslo · Phone: +47 22 39 69 00 · [email protected] · datatilsynet.no
Questions about privacy?
Get in touch if you have questions about this policy, want details about transfer safeguards, or wish to exercise your rights.
Email: [email protected]
We normally reply within 24 hours on weekdays, and no later than 30 days for formal data subject requests.