Privacy Policy

Transparency about how we process your personal data — what we collect, why, for how long, and the rights you have.

Who we are

The GLØDI platform — glodi.no with its clinic pages, booking experience, and portals — is operated by Nordic Cognitive Labs AS, org. no. 933 866 327 (“GLØDI”, “we”). This policy explains how we process personal data about visitors, customers, clinics, practitioners, partners, and distributors, in accordance with the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act. Questions? Reach us at [email protected].

Last updated: 8 July 2026

In short

We never sell your data

Personal data is shared only with the vendors needed to deliver the service — never sold or rented to third parties.

Your clinic owns your treatment record

Health and treatment data belongs to the clinic you visit. GLØDI stores it securely on the clinic's behalf and never uses it for its own purposes.

You control marketing

Newsletters and offers are sent only with your consent, and you can unsubscribe at any time with one click.

Self-service access and deletion

On My Page you can download your data and submit an erasure request yourself — no emails, no waiting.

No hidden tracking

Analytics cookies are set only if you accept them in the banner. Necessary cookies are used solely for login and security.

Strict access control

Data is isolated per clinic, encrypted, and access-controlled. Staff see only what they need to do their job.

Our two roles: data controller and data processor

GLØDI both delivers its own services to you and operates systems on behalf of clinics. Who is responsible for the processing depends on which data is involved:

GLØDI is the data controller

For data where GLØDI determines the purposes and means:

  • Your GLØDI account and login details
  • Your booking history across clinics on My Page
  • GLØDI's own marketing and newsletters
  • Website usage, cookies, and analytics
  • Security, abuse prevention, and troubleshooting
  • Subscriptions and billing for clinics (business customers)

The clinic is the controller — GLØDI is the processor

For data the clinic registers about you as its customer. GLØDI processes this only on the clinic's documented instructions, governed by a data processing agreement:

  • The customer register and treatment history at each clinic
  • Treatment notes, consultation forms, and consents
  • Treatment photos (before/after)
  • Messages between you and the clinic
  • Campaigns and follow-ups the clinic sends via the platform

If you want access to or erasure of data a clinic has registered about you, the clinic makes that decision — GLØDI gives both you and the clinic the tools to handle it directly in the platform. Your data is never shared across clinics.

1. What data we process

We only process data that is necessary to deliver the services. What is registered depends on how you use GLØDI:

Website visitors

Technical information such as IP address, browser and device type, and page views. Analytics data is collected only if you consent to analytics cookies.

Customers

Name, email, and phone number, account settings, bookings and purchase history, gift cards, reviews, messages with the clinic, consents, and notification preferences.

Health and treatment data

Treatment notes, consultation forms, and treatment photos registered by the clinic. These are special categories of data and are covered in their own section below.

Payment details

Payments are handled by our payment providers. GLØDI never stores full card numbers — we only receive confirmation that a payment succeeded, plus references for receipts and settlements.

Clinics, practitioners, and partners

Identity and contact details, qualifications and authorisations, calendar and activity data, and data needed for settlements and reporting.

Distributors

Company and contact details, catalogue and order data, delivery events, and settlement data.

2. Purposes and legal bases

All processing has a defined purpose and a legal basis under GDPR Article 6 (and Article 9 for health data):

Delivering the service

Handling bookings, payments, gift cards, events, and customer relationships, and giving you access to My Page. Basis: contract, Art. 6(1)(b).

Health data and treatment records

Processed only with your explicit consent (Art. 9(2)(a)), or as part of health care where the clinic is subject to health legislation (Art. 9(2)(h) and the Health Personnel Act). The clinic is responsible for this processing.

Legal obligations

Retention of accounting records, record-keeping duties, and disclosure where legally required. Basis: legal obligation, Art. 6(1)(c).

Marketing

Newsletters and offers by email or SMS are sent with your consent (Art. 6(1)(a)), or within an existing customer relationship for similar services under the Norwegian Marketing Control Act § 15 — always with easy unsubscribe.

Security and improvement

Troubleshooting, abuse prevention, statistics, and service improvement. Basis: legitimate interest, Art. 6(1)(f) — you may object to such processing.

In plain terms: “contract” means the processing is required to deliver what you ordered; “consent” means you actively said yes and can withdraw at any time; “legal obligation” means the law requires it of us; “legitimate interest” means we have a genuine need that has been balanced against your privacy — and that you can object to.

3. Health data, treatment records, and photos

GLØDI is built for clinics that keep treatment records — so this category is held to stricter requirements than anything else:

Only with explicit consent

The clinic registers health data, treatment notes, and consultation answers only with your explicit consent, or where health legislation provides a basis as part of health care.

The clinic controls the record

The treatment record is kept and owned by the clinic as data controller. Access is limited to staff involved in your treatment and follow-up.

Photos

Before/after photos are used solely to document your treatment. They are never used in marketing without your separate, explicit consent.

Never for our own purposes

GLØDI never uses health or treatment data for its own purposes, analytics, or marketing, and the data is never shared across clinics.

AI-assisted record keeping

Where the clinic uses AI assistance (for example speech-to-text when writing treatment notes), the content is processed by our sub-processors solely to deliver the feature — it is never used to train AI models.

4. Marketing and communication

Consent first

Electronic marketing (email/SMS) is sent with your prior consent. The existing-customer exception in the Marketing Control Act § 15 is used narrowly — only for services similar to those you have already purchased.

Easy unsubscribe

Every marketing message includes an unsubscribe link, and you can manage channels and categories in the notification settings on My Page.

Two senders

GLØDI's own marketing is GLØDI's responsibility. Campaigns and follow-ups from your clinic are sent on the clinic's behalf — the clinic is then the controller and GLØDI the processor.

Service messages

Booking confirmations, reminders, and receipts are not marketing — they are sent as part of the agreement for the service you ordered.

5. Who we share data with

We never sell your personal data. We share it only with vendors necessary to deliver the service — all bound by data processing agreements under GDPR Article 28 — and with authorities where the law requires it:

Payments — Stripe and Vipps MobilePay

Card and Klarna payments are processed by Stripe (Ireland/USA); Vipps payments by Vipps MobilePay (Norway). Card data is stored with the payment provider, never with GLØDI.

SMS — Twilio

Delivery of SMS notifications and reminders (USA, with EU safeguards).

Hosting and storage — Google Cloud

Servers, database, and file storage for the entire platform, hosted in the EEA (Nordics). Email is delivered via Google.

AI and speech-to-text — Google and Anthropic

Used only for AI features the clinic has adopted. The content is never used to train the models.

Error tracking — Sentry

Technical error reports (EU region) so we can fix issues quickly.

Analytics — Google Analytics

Only if you have consented to analytics cookies.

Content delivery — Cloudflare

Fast delivery of public images and media.

Accounting — Fiken

When your clinic has connected the platform to its accounting system, sales and settlement data is transferred there. This is controlled by the clinic.

Public authorities

Only under a legal duty of disclosure, for example to tax authorities or police with legal grounds.

6. Transfers outside the EEA

Main rule

The platform is hosted and stored in the EEA: servers in Sweden and file storage in Finland (Google Cloud, Nordics). Some vendors — including Stripe, Twilio, Anthropic, Cloudflare, and certain Google services (such as analytics and email delivery) — may still process data in the USA.

Transfer safeguards

All transfers out of the EEA rely on a valid basis under GDPR Chapter V: the EU-U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses (SCCs) with supplementary measures where needed.

Access to the safeguards

You can contact us for more information about the transfer bases.

7. How long we keep data

We never keep data longer than necessary for the purpose — after that it is deleted or anonymised:

Your account

For as long as the account is active. You can request deletion at any time; data is then deleted or anonymised unless statutory retention requires otherwise.

Accounting records

Receipts, invoices, and settlements are kept for 5 years after the end of the accounting year, as required by the Norwegian Bookkeeping Act.

Treatment records and health data

Kept as long as health legislation requires. The clinic is responsible for record retention under the Health Personnel Act and the Patient Records Act.

Marketing consents

Until you withdraw them. The opt-out itself is kept so your objection continues to be honoured.

Technical logs

A short period, for security and troubleshooting only.

8. Your rights

As a data subject you have the following rights under the GDPR — exercising them is always free of charge:

  • Access: know what data we hold about you, and receive a copy.
  • Rectification: have inaccurate or incomplete data corrected.
  • Erasure: have your data deleted (“the right to be forgotten”), unless statutory retention requires otherwise.
  • Restriction: require processing to be restricted in certain situations.
  • Data portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent: at any time, without affecting the lawfulness of processing up to that point.
  • Automated decisions: you have the right not to be subject to purely automated decisions with legal effect — GLØDI makes no such decisions.

We respond to requests within 30 days (for complex cases the deadline may be extended by up to two months — you will be informed). If your request concerns data a clinic has registered about you, the clinic makes the decision; we make sure both you and the clinic have the tools to handle it in the platform.

Self-service on My Page

You don't need to send an email to exercise your rights. Under “Account & privacy” on My Page you can download a copy of your data, submit an erasure request, manage consents, and control your notification preferences.

Open privacy settings

9. Cookies

We use two categories of cookies, in line with the Norwegian Electronic Communications Act § 2-7b:

Necessary

Required for login, security, the cart, and remembering your consent choice. These cannot be switched off.

Analytics (optional)

Google Analytics is set only if you consent in the banner. Everything is off by default (Google Consent Mode v2), your choice is remembered for six months, and you can change your mind at any time.

You can change which cookies you allow at any time:

10. Security

Encryption

All traffic is encrypted (TLS), and data is encrypted at rest as well.

Access control and isolation

Role-based access control for all staff, and strict data isolation between clinics — one clinic can never see another clinic's customers.

Traceability

Key actions are logged so unauthorised use can be detected and followed up.

Breach handling

In the event of a personal data breach we notify the Norwegian Data Protection Authority within 72 hours, and affected clinics and data subjects without undue delay.

11. Children and minors

Age limit

Booking and holding an account require you to be over 18 or have a guardian's consent. We do not direct marketing at children.

12. Changes to this policy

Notice of material changes

This policy is updated as needed. Material changes are announced on the platform or by email, and the date at the top always shows the current version.

Right to complain to Datatilsynet

If you believe we process your personal data in breach of the rules, we would appreciate the chance to resolve it — please contact us first. You always have the right to complain directly to the Norwegian Data Protection Authority (Datatilsynet).

Datatilsynet, Postboks 458 Sentrum, NO-0105 Oslo · Phone: +47 22 39 69 00 · [email protected] · datatilsynet.no

Questions about privacy?

Get in touch if you have questions about this policy, want details about transfer safeguards, or wish to exercise your rights.

Email: [email protected]

We normally reply within 24 hours on weekdays, and no later than 30 days for formal data subject requests.