Emax United

Privacy Policy

Last updated: 09.05.2026

This privacy policy describes how EMAX United AS (org. no. 937 059 914) processes personal data in connection with membership and use of our services.

1. Data Controller

EMAX United AS is the data controller for personal data processed in connection with membership in EMAX United. We have not appointed a dedicated Data Protection Officer, but you can direct any privacy-related questions to us directly.

Contact: EMAX United AS
Email: member@emaxunited.com

2. What Personal Data We Process

We process the following categories of personal data:

  • Identity and contact: name, email address, phone number
  • Address: street, postcode, city, country
  • Profile: short biography (optional), language preference, region
  • Company information (for organisation memberships): company name, organisation number, company type, address, VAT status. This is primarily fetched from the Norwegian Brønnøysund Register Centre based on the organisation number you provide.
  • Membership: role within the organisation, product entitlements
  • Payment information: handled by Stripe; we store a customer ID and invoice history, but never card numbers or full payment data
  • Forum activity: threads, posts and reactions you publish in the member forum (visible to other signed-in members)
  • Change history: we keep a history of changes to your account so that we can demonstrate what changed and when

3. Purpose of Processing

Personal data is processed for the following purposes:

  • Administration of membership and delivery of membership benefits
  • Access to and use of membership agreements
  • Sharing of necessary information with partners who offer membership benefits
  • Invoicing, payment and collection
  • Account security and prevention of misuse
  • Transactional communication about your membership (sign-in, receipts, important notices)
  • Improving and developing the service based on aggregated, anonymous usage
  • Fulfillment of legal obligations (in particular accounting)

4. Sharing of Personal Data and Sub-processors

We rely on the following sub-processors and partners:

  • Stripe, Inc. — payment processing (card data is handled by Stripe and is never transmitted to us)
  • Postmark (ActiveCampaign LLC) — transactional email delivery, including magic-link sign-in emails
  • Hetzner Online GmbH (Germany) — server and database hosting; all personal data is stored on Hetzner's infrastructure in Germany
  • Brønnøysund Register Centre (Brønnøysundregistrene) — we read publicly available company information when you provide an organisation number; no personal data is sent to them
  • Partners who offer membership agreements and benefits (only the information necessary)
  • Accountants and advisors
  • Public authorities where required by law

Sharing only occurs to the extent necessary for the purpose. We have data-processing agreements in place with sub-processors where required, and we require shared personal data to be handled in accordance with this policy.

5. Legal Basis for Processing

Processing is based on the following grounds:

  • Contract (GDPR Art. 6(1)(b)) — for delivering the membership
  • Legal obligation (Art. 6(1)(c)) — particularly accounting and bookkeeping
  • Legitimate interest (Art. 6(1)(f)) — for account security, abuse prevention, and product development
  • Consent, where required

6. Communication

We currently send only transactional email related to your membership — magic-link sign-in, receipts, and important account notices. We do not send newsletters or marketing emails today.

Should we introduce newsletters or marketing communications in the future, this will be based on consent with a clear opt-out mechanism.

7. Cookies and Local Storage

We do not use any third-party cookies, tracking pixels, or advertising technology.

Your browser stores the following items locally (in localStorage) for the service to function:

  • auth — sign-in token (JWT) that keeps you logged in; valid for up to 7 days at a time
  • privacy.acknowledged — confirmation that you have seen this privacy notice
  • Language preference — to remember whether you prefer Norwegian or English

You may clear these in your browser at any time. Clearing auth will sign you out.

8. Analytics

We use a self-hosted instance of Umami for anonymous, aggregate usage analytics. It is configured to minimise data collection:

  • Pageviews (email addresses and sign-in tokens are stripped from URLs before storage)
  • Functional events (e.g. signup completed, subscription started) — we do not record detailed behavioural patterns
  • Aggregate session attributes (region, role, sector, organisation type) tied to a non-identifying UUID

We do not use:

  • Third-party cookies
  • Browser or device fingerprinting
  • Cross-site tracking

9. Data Location and Transfers

Personal data is stored on servers operated by Hetzner Online GmbH in Germany (within the EU/EEA).

Stripe processes payment data under the EU Standard Contractual Clauses. Postmark sends email from infrastructure that includes servers in the United States; the email content and your address are transmitted to Postmark in order to deliver magic-link emails and receipts.

10. Storage and Deletion

We store personal data for as long as necessary for the purpose of the processing:

  • Account data: for as long as the membership is active; deleted on request when the purpose no longer exists
  • Accounting records (invoices, transactions): a minimum of 5 years, per the Norwegian Bookkeeping Act § 13
  • Sign-in tokens: expire automatically within 7 days, or when you sign out
  • Backups: after deletion, your data may persist in backups for up to 30 days before being purged

Data is deleted or anonymised when the purpose no longer exists.

11. Security

We apply, among others, the following technical measures:

  • All data in transit is encrypted (TLS)
  • We do not store passwords — sign-in is via one-time magic links sent to email
  • Sessions expire automatically

12. Your Rights

You have the right to:

  • Access your own personal data
  • Correct inaccurate data
  • Delete data where conditions are met
  • Restrict processing
  • Data portability where relevant
  • Object to processing based on legitimate interest

To exercise these rights, contact member@emaxunited.com — we respond to rights requests within 30 days (GDPR Art. 12(3)) free of charge.

Complaints may be directed to the Norwegian Data Protection Authority (Datatilsynet) .

13. Changes

This privacy policy may be updated as needed. Significant changes will be communicated in an appropriate manner.

14. Structural Changes

In the event of a merger, sale or other reorganisation, personal data may be transferred as part of the business, in accordance with applicable data protection legislation.