Privacy Policy

1.INTRODUCTION AND PURPOSE

1.1.This privacy policy (the “Privacy Policy”) applies between Noord Mind AB, reg. no. 559523-7511 (“Noord”), and participants (“Participant”) in connection with the use of Noord's services, visits to Noord's website, participation in retreats, contact via email, booking systems or via Noord's social media pages (collectively referred to as the “Channels”).

1.2.Noord is the data controller for the processing of personal data (“Personal Data”) that takes place in connection with the Participant's interaction with Noord through the Channels, or that is otherwise provided to us directly by the Participant or via third parties.

1.3.The purpose of this Privacy Policy is to ensure that you as a Participant feel safe in how we handle your Personal Data in accordance with:

·The General Data Protection Regulation (EU 2016/679 - “GDPR”),

·supplementary Swedish legislation, such as the Act (2018:218) with supplementary provisions to the GDPR, and

·applicable guidelines from the Swedish Data Protection Authority and the European Commission.

1.4.By using Noord's services or otherwise communicating with us via the Channels, you consent - where required - to your Personal Data being processed in accordance with this Privacy Policy, to the extent that the processing is necessary for us to provide our services, fulfill legal obligations or otherwise based on our legitimate interest.

1.5.If you do not provide the necessary information, or do not provide explicit consent where required, some of Noord's services or features may be restricted.

1.6.Any changes to this Privacy Policy will be communicated via the Noord website or other relevant channel. The latest version is always available at www.noorddarkness.com. Noord will review this policy at least once a year and in case of major changes in processing, technology or case law.

2.DATA CONTROLLER AND CONTACT DETAILS


2.1.Noord Mind AB, reg. no. 559523-7511, is the data controller for the processing of Personal Data in accordance with this Privacy Policy.

2.2.If you have questions about how we process your Personal Data, want to exercise your rights under the GDPR, or have other privacy-related comments, you are welcome to contact us via:

E-mail: hello@noorddarkness.com
Address: Noord Mind AB, c/o The Park, Hagaplan 4, 113 68 Stockholm
Website: www.noorddarkness.com

2.3.We process all matters relating to personal data promptly and in accordance with applicable data protection legislation.


3.PERSONAL DATA PROCESSING, PURPOSES AND LEGAL BASIS


3.1.Personal data means any information that can be directly or indirectly attributed to an identifiable natural person. When Noord provides services, handles bookings or communicates with Participants, we process personal data in accordance with this Privacy Policy.

3.2.Noord processes Personal Data in order to:

·Administer bookings, expressions of interest and contact requests from the Participant

·Provide and follow up on services such as retreats, calls and options

·Communicate important information before, during and after participation in the retreat

·Enable payment and fulfill legal obligations (e.g. accounting requirements)

·Improve quality, measure customer satisfaction and monitor the use of our services

·Conduct research and development related to retreat experiences (if separate consent is given). Any research will only be carried out with specific and informed consent in accordance with section 4.5.

·Enable targeted and relevant marketing of our services (where applicable)

3.3.The legal basis for Noord's processing of Personal Data is essentially:

·Performance of contract (e.g. when booking a retreat or call)

·Consent of the Participant (e.g. for health data, marketing or research)

·Legal obligation (e.g. accounting obligation under Swedish law)

·Noord's legitimate interest (e.g. for communication, development of services, or handling of complaints) when this outweighs the interests of the data subject

3.4.In some cases, sensitive data - such as data concerning health or allergies - is only processed when necessary to provide the service and after explicit consent from the Participant. More on this under point 4.

4.SENSITIVE PERSONAL DATA

4.1.According to the EU General Data Protection Regulation (GDPR), sensitive personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation.

4.2.Noord may process sensitive personal data in the following contexts:

·Health data and needs related to physical or mental health that the Participant voluntarily provides in the Health Declaration, in order to enable safe and customized participation in the retreat (e.g. when adapting meals or assessing safety).

·Biometric and psychometric data where the Participant has actively chosen the optional Premium Biometric & Psychometric Package in accordance with section 3.8 of the General Terms and Conditions. This data collection may include movement patterns, resting positions, physiological signals (e.g. heart rate variability) and self-reports. The data is only used to promote recovery, self-regulation and self-awareness.

·Noord does not use biometric data for the purpose of uniquely identifying the Participant, but only for the purpose of enabling individual feedback, analysis and self-regulation in the context of the retreat.

4.3.All processing of sensitive data is done according to:

·Article 9(2)(a) of the General Data Protection Regulation (GDPR) - which means that the data subject has given explicit consent to the processing for one or more specific purposes.

·Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, in particular Chapter 2 § 3 and § 5.

4.4.The Participant must explicitly consent to the processing of sensitive personal data, either through the Health Declaration or through the separate selection of the Premium Biometric & Psychometric Package. Without consent, no such data processing will take place, with the exception of the health data necessary for the mandatory security assessment under the Health Declaration. This information is necessary for Noord to assess whether participation is appropriate and safe based on physical and mental conditions. Participants who do not provide the necessary information in the Health Declaration may be denied participation in the retreat.

4.5.If data from the biometric option is also to be used for research purposes, separate informed consent is required. Noord does not process such data for research without specific consent. In this case, the participant will be informed of the purpose, type of data, storage period and possible further use in connection with the consent request. Any further use of non-anonymized data for research purposes requires a new and informed consent. The de-identification of biometric data is done according to standard ethical research principles, and only approved research partners have access to this type of information.

5.INFORMATION TO OTHERS

5.1.Noord does not share Personal Data with third parties without the Participant's express permission other than as set out in this Privacy Policy or in accordance with applicable law. Exceptions are made if Noord is required to disclose information by law, government decision or within the framework of an ongoing legal, administrative or collection procedure in which Noord is a party.

5.2.The participant's Personal Data may be shared with other companies within the Noord Group, including but not limited to Noord Ark AB (reg. no. 559347-2793) and Noord MindTech AB (reg. no. 559446-7223), if it is necessary to provide agreed services, handle support cases or to develop the business. Such sharing always takes place within the framework of applicable data protection rules.

5.3.Noord uses subcontractors and partners for technical and operational functions, including but not limited to hosting, booking systems, data storage, customer support, and payment solutions. These actors act as data processors and may only process Personal Data on behalf of Noord and in accordance with data processing agreements. Only data that is necessary to provide the service in question is shared.

5.4.For certain additional services, such as payment or third-party measurement and feedback tools, the Participant may be redirected to external suppliers who are independent data controllers. In these cases, these providers are responsible for the further processing of the Participant's data. Noord refers the Participant to the respective supplier's own privacy policy for information on their processing.

5.5.In some cases, Noord may enter into research collaborations with trusted external actors such as universities or research institutes. No identifiable personal data will be shared with such parties without the prior and informed consent of the Participant. However, Noord may share anonymized and/or aggregated data, which cannot be linked to an individual, for research or analysis purposes. Examples of third-party recipients may include universities conducting approved research, providers of technical platforms for data collection (e.g. wearables), or certified feedback tools used during the retreat. Any such sharing will only take place after separate, informed consent.

5.6.If the Participant has chosen to participate in the Premium Biometric & Psychometric Package, and consented to this under the terms of the booking flow, certain non-identifiable or aggregated data may be used for analysis and development purposes by both Noord and its research partners. Any participation in research involving identifiable data always requires specific written consent.

6.STORAGE AND DELETION OF PERSONAL DATA


6.1.Noord will retain Personal Data only for as long as necessary to fulfill the purposes for which the data was collected under this Privacy Policy, including to provide contracted services, comply with legal obligations, or handle future requests, e.g. for follow-up support or participant certificates.

6.2.Participant contact details, data from the Health Declaration and data linked to retreat participation are normally stored for up to 12 months after the end of the service, unless longer storage is required by mandatory law, such as the Accounting Act (which requires storage for 7 years).

6.3.Biometric and psychometric data collected under an approved Premium option will be deleted or de-identified within 6 months after the end of the retreat, unless separate consent is given for longer storage for research purposes. De-identified and aggregated data can then be stored for a longer period of time in order to improve Noord's operations and support tools.

6.4.Noord implements regular deletion procedures where Personal Data that is no longer necessary for the purpose is anonymized or securely deleted, in accordance with applicable data protection legislation and guidance from the Swedish Data Protection Authority.

6.5.The Participant has the right to request the deletion of his/her Personal Data at any time in accordance with Article 17 of the GDPR (“right to be forgotten”), with the exception of data that must be retained by law or that is necessary for Noord to defend itself against legal claims.

7.SECURITY AND PROTECTION OF PERSONAL DATA

7.1.Noord takes appropriate technical and organizational security measures to protect Personal Data against unauthorized access, unlawful processing, accidental loss, destruction or damage. These measures include encryption, access controls, logging and regular security audits.

7.2.Only specifically authorized employees and subcontractors with a duty of confidentiality have access to Personal Data to the extent necessary for them to perform their tasks in relation to Noord's Services. All processing is carried out on a “need-to-know” basis.

7.3.Sensitive data such as Health Declaration information and biometric/psychometric data are subject to particularly high security requirements. These data are handled in separate systems with limited access, and stored encrypted when technically possible.

7.4.In the event of a personal data breach (e.g. data breach), Noord will comply with the applicable rules of the General Data Protection Regulation (GDPR) and notify the data subjects concerned and the supervisory authority (the Privacy Protection Authority) if necessary in accordance with Articles 33-34 of the GDPR.

8.RIGHT TO REQUEST INFORMATION (REGISTER EXTRACTS)

8.1.The Participant has the right to request an extract from the register showing what personal data Noord processes about him/her, in accordance with Article 15 of the General Data Protection Regulation (GDPR). The request must be in writing, signed by the Participant and sent by post to the address indicated in section 14 of this Policy.

8.2.In the request, the Participant should specify the data requested, such as the contact channels, time periods or contexts to which the processing relates, in order for Noord to provide the relevant information.

8.3.Extracts from the register are provided free of charge once (1) per calendar year. In case of repeated or manifestly unfounded requests, Noord may charge an administrative fee or refuse the request, in accordance with Article 12(5) of the GDPR.

8.4.Noord will normally send the register extract within 30 days of receiving the request. If the request is extensive or if there are obstacles, this period may be extended by a further 30 days in accordance with Article 12(3) GDPR. The participant will then be informed of the reasons for the delay.

9.RIGHT TO RECTIFICATION

9.1.The participant has the right to have inaccurate or incomplete personal data rectified without undue delay, in accordance with Article 16 of the GDPR. This also applies to the updating of contact details or other data affecting participation in the retreat.

9.2. To request rectification, the Participant should contact Noord via the contact details provided in section 14. A request for rectification should be clear and contain the correct information to replace previous data.

9.3.Noord may refuse a correction if the information is correct or if the request is manifestly unfounded or unreasonable. In such cases, the Participant will be informed of the reasons for the refusal.

9.4.If a correction is made, Noord will also inform the recipients (e.g. subcontractors or partners) who previously had access to the data, unless this is impossible or requires disproportionate effort.


10.RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)

10.1. According to Article 17 of the GDPR, the participant has the right to request the erasure of his/her personal data in the following cases:

·The data is no longer necessary for the purposes for which it was collected or processed.

·The processing is based on consent that the Participant withdraws, and no other legal basis exists.

·The processing is for direct marketing purposes and the Participant objects to further processing.

·The Participant objects to processing based on legitimate interest, and there are no overriding legitimate grounds.

·The processing is in breach of data protection legislation.

·Erasure is necessary to comply with a legal obligation under EU or national law.


10.2. To request erasure, the Participant must contact Noord in writing using the contact details in section 14. The request must be clear and contain relevant justification as to why erasure is requested.

10.3. Noord can refuse a request for erasure if:

·The processing is necessary for compliance with a legal obligation (e.g. accounting obligation under the Accounting Act).

·The data is required to establish, exercise or defend legal claims.

10.4. If erasure takes place, Noord will, where appropriate, inform the recipients to whom the data was previously disclosed, unless this would involve a disproportionate effort.

11.RIGHT TO RESTRICTION OF PROCESSING

11.1. The participant has the right to request the restriction of the processing of personal data under Article 18 of the GDPR in the following cases:

·The participant contests the accuracy of the data. Processing will then be restricted for the period during which Noord verifies the accuracy of the data.

·The processing is unlawful, but the Participant objects to the deletion of the data and requests a restriction of use instead.

·Noord no longer needs the data for the purposes of the processing, but the Participant needs them to establish, exercise or defend legal claims.

·The Participant has objected to processing on the basis of legitimate interest, pending verification of whether Noord's interest outweighs that of the Participant.

11.2. Restriction means that the data in question may be stored but not otherwise processed, except:

·with the consent of the Participant

·to establish, exercise or defend legal claims

·to protect the rights of another natural or legal person

·for an important public interest of the EU or a Member State

11.3.Noord informs the Participant before a restriction expires.


12.RIGHT TO OBJECT

12.1.The Participant has the right to object at any time to the processing of his/her Personal Data where such processing is based on the legitimate interest of Noord (balancing of interests). Such an objection shall be made in writing and contain specific information about the processing to which the Participant objects. Once an objection has been made, Noord may only continue to process the Personal Data if there are compelling legitimate grounds that override the interests, rights and freedoms of the Participant, or if the processing is for the establishment, exercise or defense of legal claims.

12.2.If the Participant's Personal Data is processed for direct marketing purposes, the Participant always has the right to object to such processing. When such an objection is made, Noord will immediately cease the relevant processing for marketing purposes.


13.RIGHT TO DATA PORTABILITY

13.1.If the Participant has provided his/her Personal Data to Noord, the Participant has, in certain cases, the right to receive it in a structured, commonly used and machine-readable format, and to transmit it to another controller (“data portability”).

13.2.The right to data portability only applies:

·to Personal Data that the Participant has provided to Noord; and

·when the processing is based on consent or to fulfill an agreement between the Participant and Noord.

13.3.The right does not apply in cases where the processing is based on a balance of interests or legal obligation, or if it is not possible to transfer the data securely and correctly for technical reasons.

14.RIGHT TO LODGE A COMPLAINT WITH THE AUTHORITY

14.1.If the Participant believes that Noord is processing Personal Data in violation of applicable data protection rules, the Participant has the right to lodge a complaint with the supervisory authority. In Sweden, it is the Integrity Protection Authority (IMY) that exercises supervision under the Data Protection Regulation (GDPR).

14.2.Noord recommends that the Participant contacts Noord in the first instance to allow for internal investigation and resolution before taking the matter to IMY.

15.SECURITY

Noord takes all reasonable and necessary technical and organizational security measures in accordance with applicable data protection legislation to protect Personal Data against unauthorized access, accidental or unlawful loss, alteration, unauthorized disclosure or other unlawful processing.

16.AUTOMATED DECISIONS AND PROFILING

16.1.Noord may in some cases use automated processing of biometric or psychometric data (e.g. sensory activity, movement patterns or self-reports) for the purpose of providing feedback to the Participant. This may include the automatic analysis, categorization or visualization of experiential data, as a support for self-regulation and reflection.

16.2.Such processing is never carried out for the purpose of taking decisions that have legal or otherwise significant consequences for the Participant. All automated analyses support self-reflection and are not used as a basis for denying, granting or changing the Participant's rights. Noord explicitly confirms that no automated analysis is used to make decisions that affect the Participant's rights, access to the retreat or other important issues. All analyses are used exclusively to support self-reflection.

16.3.Noord does not use automated decision-making within the meaning of Article 22(1) of the GDPR, i.e. processing that leads to solely automated decisions with legal or otherwise significant effect, without prior human review.

17.COOKIES AND LOG STATISTICS

Noord uses cookies on its website to improve the user experience and ensure that the website functions properly. Cookies are also used to collect anonymous log statistics about visitors, for example to analyze traffic, identify popular pages and understand user behavior. You can choose to delete or block cookies at any time via your browser settings. For more information on how Noord uses cookies, please refer to our specific [Cookie Policy].

18.CONTACT DETAILS AND REQUEST FOR RIGHTS

To exercise their rights under this Privacy Policy - such as requesting a register extract, correction, deletion or data portability - the Participant must send a written, signed request to Noord by post to:

Noord Mind AB
GDPR-ärende
c/o The Park, Hagaplan 4, 113 68 Stockholm
Sweden

The request should include:

·Name and contact details
·Copy of valid ID document (e.g. passport or driving license)
·Clear description of the right the Participant wishes to exercise


For general questions about this policy or Noord's processing of Personal Data, the Participant can contact Noord via e-mail: hello@noorddarkness.com