Privacy Policy
1. Legal Controller and Link to Other Policies
1.1 Data Controller
Personal data on this website is processed by the site operator identified in the Terms & Conditions.
1.2 This Privacy Policy forms part of the legal framework governing the online shop together with:
Terms & Conditions
Cookie Policy
2. Types of Personal Data We Process
2.1 The Company may collect and process the following categories of data:
Email address (for delivery of digital download links)
Name and billing address (when provided to Stripe/PayPal receipts)
Country and location data for VAT calculation on digital services
IP address and technical identifiers
Order history and license type chosen
Communication data from emails or contact forms
Newsletter consent (optional)
2.2 We do not store full credit-card or PayPal credentials. These are handled exclusively by PCI-compliant processors.
3. Purpose and Legal Basis (GDPR Article 6)
3.1 Performance of Contract
Data is processed to:
complete payment via payment service providers such as Stripe and/or PayPal,
generate secure transaction records,
send your purchased photographs, e-books, and digital files via link sent by email,
document which image license was selected (Consumer + Business buyers).
Legal basis: GDPR Art. 6(1)(b).
3.2 Legal Obligations
VAT bookkeeping under EU digital-service rules (OSS/MOSS)
Storage of invoices according to the Norwegian Accounting Act / Bokføringsloven.
Legal basis: GDPR Art. 6(1)(c).
3.3 Legitimate Interest
fraud prevention
enforcement of license terms
customer support.
Legal basis: GDPR Art. 6(1)(f).
3.4 Consent
newsletters
marketing cookies
testimonials.
Legal basis: GDPR Art. 6(1)(a). Consent can be withdrawn at any time.
4. Consumers and Business Buyers
4.1 We serve both:
Consumers (B2C) protected by EU/EEA consumer law
Business Buyers (B2B).
4.2 Data necessary to verify buyer category and attribution obligations is retained as part of contract documentation.
4.3 B2B buyers providing a valid VAT number may be processed under EU reverse-charge VAT rules.
5. Retention Periods
5.1 Necessary shop data
Email, order ID and license are kept for 5 years for VAT and Norwegian bookkeeping.
5.2 Analytics cookies
Aggregated anonymous data: 24 months (only with consent).
5.3 Marketing / newsletter
12 months after last interaction or until consent is withdrawn.
5.4 Copyright enforcement logs
Kept for 3 years after the case is resolved.
5.5 Withdrawal of consent deletes optional categories immediately but does not affect mandatory invoice retention.
6. Third-Party Data Processors
6.1 The Company uses the following processors:
Stripe
Stripe Payments Europe Ltd.
Role: payment processing (PCI)
Data: confirmation token, IP, country for VAT
Safeguards: Data Processing Agreement with Norwegian Company.
PayPal
PayPal Europe S.à r.l. et Cie, S.C.A.
Role: payment processing
Data: payment confirmation, IP/country, email receipt
Safeguards: PayPal DPA + EU Standard Contractual Clauses.
6.2 Email delivery system
Shop platform sends secure download links using Stripe/PayPal session identifiers.
6.3 No other sharing occurs unless required by law.
7. International Transfers
7.1 Data is primarily processed within EU/EEA.
7.2 Stripe/PayPal may use global infrastructure with EU-approved safeguards (SCC + DPA).
8. Your Rights (GDPR Chapter III)
You have the right to:
access your personal data
rectification
deletion (“right to be forgotten”)
restrict processing
data portability
object to legitimate-interest processing
withdraw consent to newsletters.
You may lodge a complaint with Datatilsynet (Norwegian Data Protection Authority).
9. Security
9.1 We use encrypted HTTPS and secure email-link generation.
9.2 Customers must keep links confidential in accordance with T&C.
10. Credit Requirement Data
10.1 When a license requires attribution, we process minimal data to document compliance and to contact the buyer if credit is missing.
10.2 Such notices are contractual communications, not marketing.
11. Children
11.1 The shop is not directed to children under 16 without parental consent.
12. Automated Decisions
12.1 Fraud filters in Stripe/PayPal may involve automated risk assessment.
13. Changes
13.1 The Company reserves the right to update its policies to remain compliant with Norwegian/EU regulations.
14. DMCA / EU Notice Procedure
Copyright enforcement and privacy-related takedowns follow the notice procedure in the Terms & Conditions.
Kultariro
Contact
sales@kultariro.com
© 2026. All rights reserved.
