PRIVACY POLICY

Last updated on: March 17 2025.

‍

C SPESIALIST AS, organization number 818 576 552, with registered address at Sørkedalsveien 10 C, 0369 Oslo, Norway (subsequently referred to as "C Spesialist", “we” or “us" ) is committed to complying with data protection legislation introduced by the General Data Protection Regulation (EU Regulation 2016/679) and the Norwegian Personal Data Act no. 38/2018.

‍

This privacy policy regulates privacy matters and personal data processing when it comes to:

using cspesialist.no website (the “Website”);
using our services (the "Services") or our Products (the "Products") presented on our Website;
participating or giving your approval to be a subject in our referral program conducted through our platform hosted at webflow.com (the “Platform);
processing data of our customers, partners, service providers or anyone else with whom we are doing business.

DEFINITIONS

The terms listed below have the following meanings:

‍

Personal data means information that relates to identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.;
Processing means any operation or set of operations which is performed on personal data, such as collection, recording, organizing, structuring, storage, adaptation or destruction;
Data Subject (or you) is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular personal data.
Applicable Law means the General Data Protection Regulation (EU Regulation 2016/679) hereinafter refer to as the "GDPR", and the Norwegian Personal Data Act no. 38/2018 which implements the GDPR.

INTRODUCTORY STATEMENT

We respect your privacy and are committed to protecting it through our compliance with this Privacy Policy. This Privacy Policy describes the types of personal data we may collect from you or that you may provide and how we use, protect, and disclose that information.

We keep our Privacy Policy under regular review and as a result it may be amended from time to time without notice due to changes in the Applicable Law or in our policies. Any change to our Privacy Policy will apply from the date it was made. As a result, we encourage you to review this Privacy Policy regularly. If we make changes to our Privacy Policy, we will make the updated version available on the Website and Platform and update the "Last updated on" section above.

BEFORE USING OR ACCESSING OUR WEBSITE, PLATFORM, PRODUCTS OR SERVICES (INCLUDING EMAIL COMMUNICATIONS) PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND OUR POLICIES AND PRACTICES REGARDING YOUR PERSONAL DATA AND HOW WE WILL TREAT IT.

THE DATA YOU MAY PROVIDE US WITH MAY INCLUDE SENSITIVE PERSONAL DATA. THIS INCLUDES INFORMATION THAT RELATES TO YOUR HEALTH OR SPECIFIC MEDICAL PROCEDURES NECESSARY FOR ACCESSING OUR SERVICES OR PRODUCTS. BY PROVIDING US WITH SENSITIVE PERSONAL DATA, YOU GIVE US YOUR EXPLICIT CONSENT TO PROCESS THIS SENSITIVE PERSONAL DATA AS SET OUT IN THIS PRIVACY POLICY. BY ACCESSING OR USING OUR WEBSITE, PLATFORM, SERVICES OR PRODUCTS, YOU AGREE TO OUR PRIVACY POLICY. IF YOU DO NOT ACCEPT OUR PRIVACY POLICY TERMS, PLEASE DO NOT USE OUR WEBSITE, PLATFORM, SERVICES OR PRODUCTS.

‍

WHAT PERSONAL DATA WE PROCESS

Visiting of our Website is possible without any indication of personal data. However, if you want to access or use our Services or Products via our Website or be part of our referral program with our affiliates through the Platform, processing of personal data will become necessary.

We only collect and retain as much personal data as needed for specific, identified purposes described in this Privacy Policy and we will not use it in any way that is incompatible with those purposes.

‍

Thus, the personal data we may process from you may include the following categories:

Identity data: name; surname; date of birth.
Contact data: address; phone number; email address.
Medical data: details of Services, Products and/or treatment/analyses/tests you have received from us or which have been received from a third party and referred on to us; notes and reports about your health and any treatment and care you have received and/or need, including about clinic and hospital visits and medicines administered; patient feedback and treatment outcome information you provide.
Identity and contact data of your next of kin: the name and contact details (including phone number) of your next of kin. Where you have named someone as your next of kin and provided us with personal data about that individual, please note that it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy.
Technical and system-generated data: IP address; browser version; pages you visited on our Website or Platform; date and time when pages were visited; log files; third party account identifier; user ID; password; cookie identifiers; device screen resolution; device type; device identifiers; device operating system.
Account and profile information: settings; preferences.
Payment information: information you give us when you make a payment to us, such as financial transactions or credit card information, payment method.
Customer history and customer engagement: order and delivery information; shopping cart movements; discount codes; loyalty program information; active products and agreements as well as products and services you have had in the past, how much and how often they are used; status of products/services.
Customer activity: reading and action history from apps, websites or electronic communications we send out.
Cookies: Certain information which you submit may also be collected to enable us to better understand our customers and to improve and help provide a better experience of our Website, Platform, Services and Products. We may use cookies to do this. We may also use other companies to set cookies on our Website and Platform and gather cookie information for us – please see more information about cookies in our Cookies Policy.

In most cases, personal data is collected directly from you or generated in connection with your use or access of our Website, Platform, Services or Products.

HOW AND FOR WHAT PURPOSES WE USE PERSONAL DATA

Provision of our Services and Products

We use your personal data to fulfill our agreements with you, i.e. when you have ordered a Service or Product from us. The legal basis for the processing are: Contract execution (article 6.1 letter B of the GDPR); Legitimate interest (article 6.1 letter F of the GDPR).

We will use your personal data in order to provide you with the medical Services ordered by you and monitor the outcome of your medical treatment/analyses by us and any treatment associated with your care. Sensitive personal data related to your health will be stored in our EPJ (electronic patient journal) and only be disclosed to those involved with your treatment or care, or in accordance with the Applicable Law and guidelines of professional or regulatory bodies.

‍

Using our Website or our Platform

We use your personal data to provide you with our Website and Platform, i.e. when you visit our Website or Platform, or when you book a medical Service through our Website, or when you participate or you give your approval to be a subject in our referral program hosted by us on the Platform. The legal basis for the processing are: Legitimate interest (article 6.1 letter F of the GDPR); Data Subject consent (article 6.1 letter A of the GDPR).

‍

Customer relationship management

We use your personal data to manage our customer relationship with you. This may include customer service, complaint handling and error correction regarding your customer relationship. The legal basis for the processing are: Contract execution (article 6.1 letter B of the GDPR); Legitimate interest (article 6.1 letter F of the GDPR).

‍

Customized user experience

We adapt the user experience and communication to your customer relationship and we use personal data for this. The legal basis for the processing is: Legitimate interest (article 6.1 letter F of the GDPR).

‍

Analysis, business development and service improvement

We are constantly working to develop and improve our Services and Products. Much of this work involves analyzing various forms of personal data, such as customer activity, customer history and account and profile information. The legal basis for the processing is: Legitimate interest (article 6.1 letter F of the GDPR).

‍

Sales and marketing

We use personal data in connection with the sale and marketing of our Products and Services, for example by you receiving emails from us. The legal basis for the processing are: Legitimate interest (article 6.1 letter F of the GDPR); Data Subject consent (article 6.1 letter A of the GDPR)). You have the opportunity to opt out of some of this processing by, for example, opting out of receiving emails from us. In addition, we may also ask you for consent to use your personal data for so-called profiling, where we infer interests and needs based on your personal data. The purpose of profiling is to make our marketing more relevant.

‍

System monitoring, error correction, etc.

We monitor our systems for errors and problems. Part of these processes involves storing and processing personal data. The legal basis for the processing is: Legitimate interest (article 6.1 letter F of the GDPR).

‍

Security, fraud detection and criminal activity

We process personal data in our work to protect our users and ourselves against fraudulent activity, abuse and criminal activity. The legal basis for the processing is: Legitimate interest (article 6.1 letter F of the GDPR).

‍

Comply with legal obligations

In some cases, we are legally required to process personal data for the purpose of other legal obligations. An example of this is information related to sales, which we are obliged to record and store in accordance with the Norwegian Accounting Act. The legal basis for the processing is: Legal obligation (article 6.1 letter C of the GDPR).

‍

HOW LONG DO WE STORE PERSONAL DATA

We will only retain personal data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

‍

HOW DO WE PROTECT PERSONAL DATA

We process personal data in a way that assures an appropriate level of security, including protection against unauthorized processing, destruction, accidental loss, or damage, while applying suitable organizational and technical measures under industry standards.

The transmission of information via the internet cannot be guaranteed as completely secure. However, we ensure that any information transferred to our Website or Platform is via an encrypted connection. Once we have received your information, we will use strict procedures and security features for prevention of unauthorized access. We conduct assessments to ensure the ongoing security of our information systems and our physical security complies with industry standards.

Our Website and Platform are hosted on Amazon Web Services servers from Europe and United States and are regularly audited and monitored for unauthorized access. Our hosting provider uses approved data transfer mechanisms to transfer personal information to adequate countries designated by the European Commission, such as the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs). In addition we have in place a Data Processing Agreement with our hosting provider which establish the compliance with the Applicable Law of the personal data transfers.

All our personnel and contractors are subject to confidentiality agreements. Only authorized personnel have granted minimum access on a need-to-have basis to personal data.

Any payment transactions on our Website or Platform will be processed securely by third party payment processors. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Website or Platform, you are responsible for keeping that password confidential.

‍

HOW DO WE SHARE OR TRANSFER PERSONAL DATA

In order to provide and facilitate access to our Website, Platform, Services and Products, we may share your personal data (to the extent necessary) with our subsidiaries, affiliates, agents, contractors, debt collection agencies, insurers, appropriate professional bodies, service providers and other third parties we use to support our business or collaborate with and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes of providing services for or with us. This may include also sharing your personal data with the Norwegian government approved EPJ (electronic patient journal) and our regulators.

Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Policy. Where applicable, it may be disclosed to any person or organization who may be responsible for meeting your medical expenses or their agents. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

We may share with your medical insurer information about your treatment/analyses, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled.

We may be requested – and in some cases can be required – to share certain information (including personal data and sensitive personal data) about you and your care with medical regulators and/or medical insurers, for example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate. We will ensure that we do so within the framework of the Applicable Law and with due respect for your privacy.

In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make such personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

We may participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their medical treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with the Applicable Law. Any publishing of this data will be in an anonymized, statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.

‍

Personal data that we collect from you may be transferred to, and stored at, a destination in or outside the European Economic Area (the “EEA”), with respect to the provisions of the Applicable Law. For the purpose of making our Services and Products available to our customers, we may share data with our contractors and service providers, who act either as: (i) a processor or controller based in or outside of the EEA who provide - development services, IT and system administration services, software testing services or support services; or (ii) a processor or joint controller including lawyers, bankers, auditors and insurers; or (iii) staff operating outside the EEA who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy and the Applicable Law. Where we transfer your personal data outside the EEA, we will ensure that there are adequate protections in place for your rights, in accordance with the Applicable Law. By submitting your personal data, and in providing any personal data to us, you agree to this transfer, storing or processing. The legal basis for the processing are: Legitimate interest (article 6.1 letter F of the GDPR); Data Subject consent (article 6.1 letter A of the GDPR).

We retain the right to share your personal data as part of change in control, merge or sale, or in preparation for any of these events related to us. Any third party which further acquire us or part of our business will be entitled to continue to use your data, but only in the manner set out in this Privacy Policy, unless you agree otherwise.

‍

WHAT ARE YOUR RIGHTS RELATED TO YOUR PERSONAL DATA

Under the Applicable Law, you have the following rights related to your personal data :

Right to be informed: You have the right obtain information about the processing of your personal data.
Right of access: You have the right to request and obtain a copy of your personal data collected during your use or access of our Website, Platform, Services or Products.
Right to rectification: You have the right to ask for incorrect, inaccurate or incomplete personal data pertaining to you to be corrected.
Right to erasure: You have the right to request that personal data be erased when it’s no longer needed or if processing it is unlawful. Your can request the deletion of your personal data when the following grounds apply: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) if you withdraw your consent and there is no other legal basis for processing; and (iii) there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to article 21 paragraph 2 of the GDPR. Please note that, according to the GDPR, we may not delete your personal data insofar as the processing is necessary for: (i) the exercise of the right to free expression and information; (ii) compliance with a legal obligation which stipulates the processing obligation under Norwegian law and European Union law applicable to us; and (iii) the establishment, exercise or defense of a right in court.
Right to restriction of processing: You have the right to request the restriction of the processing of your personal data in specific cases.
Right to data portability: You have the right to receive your personal data processed by us in a structured, commonly used and machine-readable format and you have the right to send it to another controller.
Right to object: You have the right to object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation. We will no longer process your personal data, unless we demonstrate that we have legitimate and compelling reasons justifying the processing and prevailing over the interests, rights and freedoms of the Data Subject, or that the purpose is to establish, exercise or defend a right of ours or a third party in court.
Rights in relation to automated decision-making and profiling: You have the right to request that decisions based on your personal data and that significantly affect you are made by natural persons, not only by computers.
Right to file a complaint with a supervisory authority. You have the right to submit a complaint related to the processing of your personal data with a competent data protection supervisory authority. We hope you will first let us know if you have any complain about the processing of your personal data by us. Nevertheless, the contact details for the Norwegian Data Protection Authority are as follows: Datatilsynet, P.O. Box 458 Sentrum, NO-0105 Oslo, www.datatilsynet.no.

Please note that, regarding exercising any of the aforementioned rights, if we are the data processor and not the data controller of your personal data, we will direct your request to the data controller in cause. Additionally, please note that we are entitled to charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

‍

HOW TO CONTACT US

To exercise any of your rights, or if you have any questions or concerns related to our Privacy Policy, you may send us your request by email at post@cspesialist.no.

AGE LIMITATION

Our Website, Platform, Services and Products are addressed generally for persons who are above 16 years of age. We do not knowingly process any personal data from Data Subjects under 16 years of age, and any such data shall be immediately deleted upon detection, unless (i) processing of personal data of Data Subjects under 16 years of age is explicitly allowed by the national personal data protection law applicable to such Data Subjects' personal data; and (ii) the Data Subject under 16 years of age consented to the processing of its personal data or, where lawfully required, the consent was given by the parent or tutor of the Data Subject under 16 years of age. If you learn that anyone younger than 16 years old has provided us with personal data, please contact us to verify.

‍

LINKS TO OTHER WEBSITES

We are not responsible for the practices employed by websites or services linked to or from our Website or Platform, including the information or content contained therein. Please remember that when you use a link to go from our Website or Platform to another website or service, our Privacy Policy does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies.