Main content

Privacy Policy

1. Who we are

This privacy policy describes how Devold of Norway processes personal data about you when you visit devoldprotection.com or interact with us online.

This English-language policy applies to customers across all of Devold's online markets who view our site in English. Localised version is available in Norwegian Bokmål. Country-specific information — including the relevant data protection supervisory authority, applicable local marketing-law conditions, and statutory accounting-retention periods — is set out in section 10 (Country annexes).

Data controller

Devold of Norway AS Org. no. 984 636 318. Devold-vegen 16, 6030 Langevåg, Norway Telephone: +47 70 19 77 00

Contact for privacy inquiries: post@devold.no

2. Scope of this policy

This policy applies to personal data we process through our online operations on devoldprotection.com, including customer service inquiries received online and our digital marketing activities.

Separate privacy notices apply to:

  • Processing in our physical retail stores (including our brand store in Oslo and our outlet stores in Langevåg, Valldal, Vestby, Stavanger, Hellesylt and Dyrkorn) and at events;
  • Processing in connection with employment and job applications;
  • Processing carried out by separate Devold-branded sites operated under different legal frameworks (e.g., Devold Retail AS).

3. The personal data we process, why, and on what legal basis

We process different categories of personal data depending on how you interact with us. This section describes the main processing activities, the categories of data involved, the purposes, and the legal basis under Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

3.1 When you visit devoldprotection.com

What we process: technical information about your device and browser (IP address, browser type and version, operating system, screen size, language), pages viewed, navigation patterns, referring URL, and timestamps. We also process cookie identifiers and similar tracking technology identifiers — see section 4 below. When you use the site's search bar, view product listings, or are shown product recommendations, we additionally process your search queries, the products you click and the actions you take on them (such as "added to cart" or "purchased"), together with a pseudonymous user identifier; this is done through our search and recommendation provider Algolia (see section 5.1).

Why we process it:

  • to operate, secure and stabilise the website (legitimate interest);
  • to detect, prevent and respond to attacks, fraud and abuse (legitimate interest);
  • to provide site search, merchandising of category and search-result pages, and "you may also like" / "frequently bought together" product recommendations (legitimate interest in offering relevant and efficient navigation, where this does not rely on profiling cookies; otherwise consent);
  • to measure reach, analyse visitor behaviour, optimise content, and personalise marketing (consent).

Legal basis:

  • Art. 6(1)(f) GDPR — legitimate interest in operating and securing our website — for the strictly necessary technical operation;
  • Art. 6(1)(a) GDPR — your consent, given via the cookie banner — for analytics, marketing measurement, advertising and retargeting cookies and similar technologies. You can withdraw your consent at any time via the cookie preference centre in the website footer.

Retention: technical log data is retained for up to 12 months. Analytics and marketing data is retained for the period specified in our cookie information (see section 4).

3.2 When you contact our customer service

What we process: the contents of your message (email, contact form, social media direct message, or telephone call), your name and contact details, and any other information you choose to share. If you call us, your telephone number may be retained automatically by our telephony system for a short period (see retention below).

Why we process it:

  • to respond to your inquiry, answer your questions, and resolve any issues;
  • to handle complaints, returns and warranty claims;
  • to improve our customer service operations.

Legal basis:

  • Art. 6(1)(b) GDPR — performance of a contract (or pre-contractual steps) — where your inquiry relates to an order or potential order;
  • Art. 6(1)(f) GDPR — our legitimate interest in operating an efficient customer service function — for general inquiries.

Retention: customer service correspondence is retained for up to 3 years from the date of the last communication, after which it is deleted unless legal-hold or warranty rules require longer retention. Telephony metadata (incoming caller numbers) is retained for up to 2 months.

4. Cookies and similar technologies

Devoldprotection.com uses cookies, pixels, tags, local storage and similar technologies. Some are strictly necessary for the website to function (e.g., the shopping cart, language preference, fraud detection); others require your consent under the ePrivacy laws applicable in your country (see section 10).

Our cookie banner appears on your first visit and asks for your consent before non-essential cookies and trackers are set. You can revisit and change your preferences at any time via the "Cookie preferences" link in the website footer.

Full details of the cookies we use — including their purposes, the third parties that may set them, the data they collect, and their retention periods — are available in our separate Cookie Policy, accessible from the website footer.

5. Who we share your data with

We share your personal data with the following categories of recipients, and only to the extent necessary for the purposes described in section 3:

5.1 Our processors (service providers acting on our instructions)

The processors below act on our behalf and are contractually bound by data processing agreements compliant with Art. 28 GDPR:

Netlify, Inc. — Front-end hosting and content delivery network (CDN). Location: EU-based primary edge with US headquarters. Netlify, Inc. is an active participant in the EU-U.S. Data Privacy Framework (DPF) and the UK Extension. Transfers to the US are made under the DPF, supported by EU Standard Contractual Clauses as backstop.

Sanity — Content management system (CMS) and content delivery. Location: EU.

Algolia SAS (Paris, France) — On-site search, search-result merchandising and product recommendations (e.g., "you may also like", "frequently bought together"). Location: EU (Frankfurt cluster). Algolia SAS is the EU-headquartered contracting entity; Algolia, Inc. (US) provides infrastructure and support. We send Algolia search queries, click/conversion events on search results and product listings, a pseudonymous user identifier, and the visitor's IP address (used by Algolia for routing, anti-abuse and approximate geolocation of results). Algolia acts as our processor under Art. 28 GDPR. Remote US-based support access is covered by Algolia's Data Processing Addendum, the EU Standard Contractual Clauses (Decision (EU) 2021/914), and supplementary measures.

ITX — Customer service ticketing. Location: EU.

Columbus Norway — Implementation and integration of Microsoft Dynamics 365 / AX (ERP). Location: EU (Norway).

Google Ireland Ltd. (Google Analytics, Google Tag Manager, Google Ads) — Web analytics, tag management, advertising. Location: EU primary, with onward transfer to Google LLC (US). Transfers to the US are made on the basis of the EU-U.S. Data Privacy Framework (Google LLC is a participant) and supplementary EU Standard Contractual Clauses. We will update this policy if the Data Privacy Framework is invalidated.

Meta Platforms Ireland Ltd. (Facebook Pixel, Instagram, Custom Audiences) — Advertising, retargeting, audience matching. Location: EU primary, with onward transfer to Meta Platforms, Inc. (US). Same DPF + SCC basis as Google. Consent-based.

5.2 Independent controllers we share data with

These recipients act as independent data controllers for the data we share with them — they decide independently how that data is processed once they receive it:

  • Social media platforms when you engage with us through them — Meta (Facebook, Instagram), TikTok, YouTube and Pinterest each operate as independent controllers (and, in some cases, joint controllers with us under Art. 26 GDPR) for data collected through their platforms. Their respective privacy policies apply to that processing.

5.3 Group companies

We are part of the Fenix Outdoor group. To the extent permitted under data protection law, we may share your personal data with other group companies for purposes such as group-level customer relationship management, group marketing analytics, the operation of the membership programme, and the provision of shared services (e.g., logistics, customer service support). Where any such sharing involves joint controllership under Art. 26 GDPR, a summary of the joint controller arrangement and the contact point for exercising your rights is available on request from post@devold.no.

5.4 Authorities and other legitimate disclosures

We may disclose your personal data to public authorities (tax authorities, courts, police, supervisory authorities) when required by law, in response to a valid legal request, or where necessary to establish, exercise or defend legal claims. We may also disclose data to our professional advisers (lawyers, auditors, accountants) under appropriate confidentiality protections.

6. International data transfers

Our default position is that personal data is processed within the European Economic Area (EEA). However, some of the processors and recipients listed in section 5 are established, or have parent companies established, in countries outside the EEA — principally the United States.

Where personal data is transferred outside the EEA, we rely on one of the following legal mechanisms under Chapter V GDPR:

  • Adequacy decisions (Art. 45 GDPR): for transfers to countries the European Commission has determined provide an adequate level of data protection. The current list is at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. In particular, transfers to the United States are made to organisations certified under the EU-U.S. Data Privacy Framework (DPF) — which the European Commission designated as adequate on 10 July 2023 — where the receiving organisation is a DPF participant.
  • Appropriate safeguards (Art. 46 GDPR): where no adequacy decision applies (or in addition to it), we rely on the European Commission's Standard Contractual Clauses (SCCs) — Decision (EU) 2021/914 — together with supplementary technical, contractual and organisational measures as required by the Schrems II judgment of the Court of Justice of the European Union (CJEU Case C-311/18).
  • Derogations (Art. 49 GDPR): in limited circumstances — for example, where a transfer is necessary for the performance of a contract concluded in your interest (Art. 49(1)(b)) or where you have given explicit consent to the transfer (Art. 49(1)(a)).

You can request a copy of the safeguards we have in place for any specific transfer by emailing post@devold.no.

7. Your rights

Subject to the conditions and limitations set out in the GDPR, you have the following rights in relation to your personal data:

  • Access (Art. 15 GDPR) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data together with information about how we process it.
  • Rectification (Art. 16 GDPR) — to have inaccurate personal data corrected and incomplete data completed.
  • Erasure / "right to be forgotten" (Art. 17 GDPR) — to have your personal data deleted in certain circumstances (e.g., where the data is no longer needed for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis).
  • Restriction of processing (Art. 18 GDPR) — to have processing limited in certain circumstances (e.g., while we verify the accuracy of disputed data).
  • Data portability (Art. 20 GDPR) — to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Objection (Art. 21 GDPR) — to object to processing based on our legitimate interests (Art. 6(1)(f) GDPR), including profiling, on grounds relating to your particular situation. You may also object at any time to processing of your personal data for direct marketing purposes — there are no specific grounds required for that objection, and we will stop processing your data for direct marketing on receipt of your objection.
  • Withdraw consent (Art. 7(3) GDPR) — to withdraw, at any time, any consent you have given us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR) — see section 10 for the relevant supervisory authority in your country.
  • Not be subject to a decision based solely on automated processing (Art. 22 GDPR) — including profiling — that produces legal effects concerning you or similarly significantly affects you. We do not currently make any decisions about you based solely on automated processing that produce such effects.

How to exercise your rights: email post@devold.no with your request. We will respond within one month of receipt (Art. 12(3) GDPR). Where requests are complex or numerous, we may extend that period by a further two months and will inform you of any extension within the first month, along with the reasons for the delay.

We may need to verify your identity before responding, particularly where the request is sensitive or where we have reasonable doubts about who is making the request. We will request the minimum identification data necessary and explain why.

There is no fee for exercising your rights. However, where a request is manifestly unfounded or excessive — in particular because of its repetitive character — we may charge a reasonable fee or refuse to act on the request, in accordance with Art. 12(5) GDPR.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These measures include encryption of data in transit (TLS), encryption of sensitive data at rest, access controls based on least-privilege principles, logging and monitoring, vendor security assessments, and staff training. We never store full card numbers — all card data is transmitted directly to and stored with our PCI-DSS-certified payment provider, Adyen.

In the event of a personal data breach, we will notify the supervisory authority within 72 hours where required under Art. 33 GDPR, and we will notify you directly where the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR).

9. Children

Devoldprotection.com is not directed at children. We do not knowingly collect personal data from children.

If you believe we have collected personal data from a child under 18, please contact us at post@devold.no and we will delete that data.

10. Country annexes — supervisory authorities and local marketing rules

This section provides country-specific information for our customers in each market.

10.1 Norway

Supervisory authority: Datatilsynet, Postboks 458 Sentrum, 0105 Oslo. https://www.datatilsynet.no/ — Tel. +47 22 39 69 00.

Marketing to existing customers (soft opt-in): Section 15 of the Norwegian Marketing Control Act (markedsføringsloven) permits electronic direct marketing to existing customers for similar goods or services without prior consent, provided you were given a clear and free opportunity to opt out at the time your contact details were collected, and an opt-out is offered in every subsequent message.

Bookkeeping retention: five years from the end of the accounting year (bokføringsloven § 13).

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

  • post the updated policy on devoldprotection.com with a new "Last updated" date;
  • where you have given us your contact details (e.g., as a customer, newsletter subscriber, or programme member), we will notify you of the change in advance, where the change is likely to materially affect you.

Last updated: June 2026