Privacy Policy

When you visit this website, we collect personal data only through actions you take and through the minimal technical processing needed to serve the site securely. We do not use analytics cookies, advertising pixels, or third-party tracking scripts. Our fonts are self-hosted. Below is the complete list of personal data Styrvik processes through this website.

Contact form submissions. When you submit the contact form, we collect the following fields that you provide: your name, your email address, your company name (if you choose to enter it), and your message.

Spam protection (Cloudflare Turnstile). When you load the contact form, Cloudflare Turnstile runs an invisible challenge to distinguish human visitors from automated bots. This generates an ephemeral challenge token and transmits your IP address to Cloudflare for verification. The token is not stored after the verification is complete.

Rate limiting (Cloudflare Workers KV). To prevent abuse of the contact form, we store a pseudonymised hash of your IP address (created using a daily-rotated cryptographic salt) in a globally distributed key-value store operated by Cloudflare. This hash cannot be reversed to recover your IP address without the salt. It expires automatically after 15 minutes.

IP hash on the submission record. The same pseudonymised IP hash described above is stored alongside your contact form submission as an audit-trail identifier. This is classified as pseudonymised personal data, not anonymous data.

Submission timestamp. When you submit the contact form, we record the date and time of your submission for record-keeping purposes.

Browser identification (User-Agent header). When you submit the contact form, your browser automatically sends a standard identification header (the User-Agent string) with the request. We store a truncated version of this header, limited to the first 512 characters, alongside your submission. This is not something you actively type or submit -- it is sent by every web browser as part of normal web traffic. We retain it for abuse detection and contact-form diagnostics. It is deleted together with the parent submission record. Legal basis: Article 6(1)(f) -- legitimate interest in detecting patterns of misuse.

Web analytics (Cloudflare Web Analytics). We use Cloudflare Web Analytics, a cookie-free, edge-level analytics service. It derives approximate visitor counts from request metadata at Cloudflare's network edge. It does not set cookies, does not store personal identifiers, and does not track individual visitors across sessions or pages.

No data beyond the categories listed above is collected through this website. There is no cross-session tracking, no device fingerprinting, and no persistent client-side identifier of any kind.

Every piece of data we collect has a stated purpose and a legal basis under GDPR Article 6. We do not process personal data for any purpose other than those listed here.

Contact form data (name, email, company, message). Purpose: to respond to your enquiry about Styrvik's consulting services and to manage follow-up on the topics you raised. Legal basis: Article 6(1)(b) — processing necessary to take steps at your request prior to entering into a contract.

Pseudonymised IP hash (rate limiting and audit trail). Purpose: to enforce per-IP rate limiting on the contact form and to maintain an audit trail for abuse detection. Legal basis: Article 6(1)(f) — legitimate interest in protecting the website from automated abuse. Our legitimate interest does not override your rights because the hash is pseudonymised, expires quickly for rate-limiting purposes, and is deleted with the parent submission record.

Cloudflare Turnstile challenge token and IP address. Purpose: to verify that the contact form is submitted by a human visitor, not an automated bot. Legal basis: Article 6(1)(f) — legitimate interest in preventing spam and protecting the integrity of the contact form. The IP address is transmitted to Cloudflare solely for the challenge verification and is processed under Cloudflare's Data Processing Agreement.

Browser identification (User-Agent header). Purpose: to detect patterns of automated or abusive submissions and to support diagnostics if the contact-form pipeline encounters an error. Legal basis: Article 6(1)(f) -- legitimate interest in protecting the website from misuse and maintaining service reliability. Our legitimate interest does not override your rights because the header is truncated to 512 characters (reducing information content), is an operational field your browser sends automatically (not data you actively provide), and is deleted with the parent submission record.

Web analytics aggregates. Purpose: to understand website traffic at an aggregate level (page views, referrers, device types, countries). Legal basis: Article 6(1)(f) — legitimate interest in measuring the effectiveness of the website. No personal identifiers are collected or stored by this service.

We do not send marketing emails. We do not send marketing emails, newsletters, or promotional communications to people who submit the contact form. We respond to your message and follow up only on what we discussed. This commitment is consistent with the statement on our contact page. If Styrvik ever introduces a marketing mailing list, it will require separate, explicit opt-in and will never draw from contact-form submissions.

Where your data is stored. Contact form submissions are stored in a database hosted in the EU region, operated by Turso (ChiselStrike, Inc.). The website is served from Cloudflare's EU edge points of presence to EU visitors. Transactional email is sent from Resend's EU sending region. Runtime data residency for all visitor personal data is the European Union.

Who can access your data. Access to submitted data is restricted to the data controller — Gabriel Barcia, sole director of Styrvik AS. No employees or contractors have access. We implement technical and organisational measures appropriate to the risk, consistent with GDPR Article 32, including encrypted connections (HTTPS/TLS on every leg of the data flow), parameterised database queries, and pseudonymisation of IP addresses.

How long we keep your data. We apply the following retention periods:

• Contact form submissions (status: new). Retained for 12 months from the date of submission. If the enquiry has not been responded to within 12 months, the submission is automatically deleted.
• Contact form submissions (status: replied/in conversation). Retained for the duration of the active conversation. Once the enquiry is resolved and marked closed, the 12-month deletion clock begins from the date of closure.
• Contact form submissions (status: closed). Automatically deleted 12 months after the enquiry was marked as resolved.
• Pseudonymised IP hash (rate-limiting counter). Automatically expires after 15 minutes. No manual deletion required.
• Pseudonymised IP hash (on submission record). Deleted together with the parent submission record at the end of its retention period.
• Financial records. If your enquiry leads to a consulting engagement, certain records (such as invoices) are retained for 5 years for primary accounting documentation and 3.5 years for secondary documentation, as required by Norwegian law (Bokføringsloven section 13). These obligations override the 12-month default.

After the applicable retention period, your data is permanently deleted. We do not archive deleted records.

Under the GDPR and the Norwegian Personal Data Act (Personopplysningsloven), you have the following rights regarding your personal data. To exercise any of these rights, email us at hello@styrvik.com. We will respond within one month, as required by GDPR Article 12(3).

• Right of access (Article 15). You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Article 16). You have the right to request correction of any inaccurate personal data we hold about you.
• Right to erasure (Article 17). You have the right to request deletion of your personal data. We will comply unless a statutory retention obligation applies (for example, Bokføringsloven for financial records).
• Right to restriction of processing (Article 18). You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
• Right to data portability (Article 20). You have the right to receive your personal data in a structured, commonly used, machine-readable format such as CSV or JSON. You may also request that we transmit the data directly to another controller where technically feasible.
• Right to object (Article 21). You have the right to object to our processing of your personal data where we rely on legitimate interest (Article 6(1)(f)) as the legal basis. This applies to the pseudonymised IP hash, the browser identification header, and the web analytics processing described in this policy. On receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

Automated decision-making. We do not engage in automated decision-making or profiling as defined in GDPR Article 22. No decision producing legal or similarly significant effects is made about you by automated means.

The data controller for personal data collected through this website is:

Styrvik AS
Stavanger, Norway
Email: hello@styrvik.com

Company registration with Foretaksregisteret (the Norwegian Register of Business Enterprises) is pending. The organisation number will be published on the imprint page once registration is complete.

Styrvik AS does not have a dedicated Data Protection Officer (DPO). This is not required for our scale and type of processing under GDPR Article 37 — we do not carry out large-scale systematic monitoring of individuals, nor do we process special categories of personal data. All data protection enquiries are handled directly by the data controller.

To exercise any of your rights described in this policy, or to ask a question about how we handle your data, email hello@styrvik.com. We will acknowledge your request promptly and respond substantively within one month.

This website uses zero cookies. We do not set analytics cookies, advertising cookies, session cookies, or third-party tracking cookies. We do not embed third-party content that sets cookies — no social media widgets, no external font services, no video embeds. Our fonts are self-hosted and our JavaScript libraries are bundled locally.

Cloudflare Turnstile, which we use for spam protection on the contact form, operates without setting cookies. It uses an ephemeral JavaScript challenge token that is submitted with the form and discarded after verification.

Cloudflare Web Analytics, which we use for aggregate traffic measurement, is cookie-free by design. It derives visitor approximations from edge request metadata without storing any persistent identifier in your browser.

Because we do not use any cookies that require consent under the Norwegian Electronic Communications Act (ekomloven section 2-7b, implementing ePrivacy Directive Article 5(3)), no cookie consent banner is displayed on this website.

If this changes in the future — for example, if we introduce a service that requires cookies — we will update this policy and implement an appropriate consent mechanism before any consent-requiring cookies are deployed.

Styrvik uses three third-party services that process personal data on our behalf. Each operates under a Data Processing Agreement (DPA) in accordance with GDPR Article 28. The agreements are each vendor's standard published instrument.

Cloudflare, Inc. (San Francisco, USA)
Cloudflare provides website hosting (Cloudflare Pages), spam protection (Turnstile), rate limiting (Workers KV), and web analytics (Web Analytics). Personal data processed: Turnstile challenge token and visitor IP address (for challenge verification), pseudonymised IP hash (for rate limiting), and aggregate page-view data (no personal identifiers). Cloudflare serves EU visitors from EU edge points of presence. DPA: cloudflare.com/trust-hub/gdpr

Turso (ChiselStrike, Inc.) (USA)
Turso provides the database that stores contact form submissions. Personal data processed: name, email address, company name, message, pseudonymised IP hash, and truncated user-agent string. Data is stored in the EU region. DPA: turso.tech/legal

Resend, Inc. (USA)
Resend provides transactional email delivery. When you submit the contact form, a notification email containing your submission is sent to the data controller. Personal data processed: name, email address, company name, and message content. Email is sent from Resend's EU sending region. DPA: resend.com/legal/dpa

Cross-border transfers. All three processors are US-incorporated companies. While runtime data residency for visitor personal data is the EU — the database is in the EU, the email is sent from the EU, and EU visitors are served from EU edge infrastructure — each vendor's US parent company retains control-plane access to its EU infrastructure. Under GDPR Chapter V, this control-plane access may constitute a cross-border transfer of personal data to the United States. Each vendor's Data Processing Agreement with Styrvik includes Standard Contractual Clauses (SCCs) as the lawful transfer mechanism covering this scenario.

We do not use any processor for marketing, advertising, or behavioural tracking purposes. If we add new processors in the future, we will update this policy before the processor begins processing personal data.