1. What This Policy Covers

This privacy policy applies to the Sanna Regnskap AS website (sanna.co) and any associated services such as:

• contact forms and email inquiries

• newsletters and email lists

• use of cookies and analytics tools

It does not apply to accounting assignments or customer agreements – these are covered by separate data processing agreements between Sanna Regnskap AS and individual customers.

2. Data Controller

Sanna Regnskap AS
Org. no: 935 989 493
Address: Valkyriegata

Email: hei@sanna.co

3. Google OAuth Authentication

We use Google OAuth 2.0 for secure authentication. When you sign in with Google:

Data we collect from Google:

• Email address

• Full name

• Profile picture (optional)

How we use this data:

• To create and authenticate your account

• To communicate with you about your accounting services

• To display your profile in the application

Your control:

• You can revoke our access at any time via Google Account Permissions

• Revoking access will prevent you from logging in, but your account data remains until you request deletion

Limited Use:
Sanna's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Privacy:
Learn more about how Google handles your data in Google's Privacy Policy.

4. What Information We Collect

We only collect personal information necessary to provide services on the website. This may include:

• Contact Information: name, email, company, phone number

• Payment Information: invoice details, product, amount and status

• Communication: content of inquiries via contact form or email

• Technical Information: IP address, browser, device and usage patterns (via cookies and analytics tools)

5. Purpose and Legal Basis

Purposes and legal basis (GDPR)

Respond to inquiries and manage customer relationships
Legal basis: Art. 6 (1)(b) – contract / pre-contractual measures.

Payment, invoicing and delivery
Legal basis: Art. 6 (1)(b).

Security and fraud prevention
Legal basis: Art. 6 (1)(f) – legitimate interest.

Website analysis and improvement
Legal basis: Art. 6 (1)(a) – consent via cookie banner.

Email marketing (newsletters)
Legal basis: Art. 6 (1)(a) – consent.

Accounting and bookkeeping obligations
Legal basis: Art. 6 (1)(c) – legal obligation.

6. Cookies

We use:

• Necessary cookies for the website to function

• Optional cookies for analytics and marketing, only if you consent via the banner

You can change or withdraw consent at any time via your browser settings.

7. Sharing Personal Information

We only share personal information with trusted third-party providers who assist us with operating the website and related services:

• Hosting and email providers

• CRM systems / newsletter services (if applicable)

All providers are subject to data processing agreements and can only process data according to our instructions.

8. Transfers Outside EEA

If personal information is transferred outside the EEA, this is secured through valid transfer mechanisms (e.g. EU Standard Contractual Clauses) and any additional measures.

9. Retention Period

• Purchase and invoice data: minimum 5 years after end of fiscal year

• Inquiries: normally deleted within 12 months after last contact

• Newsletter data: stored until you withdraw consent

• Analytics and technical data: deleted or anonymized after a short time

10. Your Rights

You have the right to:

• request access, rectification or erasure of information

• restrict processing or object to it

• obtain data portability

• withdraw consent at any time

Complaints can be sent to the Norwegian Data Protection Authority (www.datatilsynet.no).

11. Children

The services on the website are not directed at children under 13 years of age.

12. Changes

This policy may be updated. Significant changes will be announced via the website.