Skip to content

Privacy policy

Last updated: 4 May 2026

1. Data controller

NordicRoam, based in Torsken, Senja, Norway. Contact: hello@nordicroam.com. We comply with GDPR (EU 2016/679) and Norwegian Personopplysningsloven.

2. What we collect

Email (when you sign up), session cookie (auth), magic-link tokens (15 min), IP hash (abuse prevention; never raw IP), saved trips data (only what you create), affiliate click metadata (anonymous unless logged in), push subscription endpoints (only if you opt in).

3. Legal basis

GDPR art. 6(1)(b) — service delivery (saved trips, login). 6(1)(a) — consent (analytics, marketing email, push notifications). 6(1)(f) — legitimate interest (abuse prevention, debugging).

4. Third parties

Resend (email delivery, EU/US Data Privacy Framework). Neon (Postgres hosting, EU-Central). Vercel (CDN/hosting, multi-region). Anthropic (AI itinerary generation, US — only the prompt content you submit, never your email or saved trips). Meta Pixel (only after you click 'Accept' on cookie banner).

5. Retention

Account data: until you delete your account. Magic-link tokens: 15 minutes. Sessions: 30 days. IP hashes: rotated daily. Affiliate click logs: 13 months for attribution. Newsletter subscribers: until unsubscribe.

6. Your rights

Access, rectification, deletion, portability, objection, withdrawal of consent. Email hello@nordicroam.com to exercise. We respond within 30 days. You can also complain to Datatilsynet (datatilsynet.no).

7. Cookies

See our separate cookies page at /legal/cookies. Essential cookies (auth, beta gate) are set without consent. Analytics + ad pixels only after consent.

8. Changes

Material changes are announced via email to active users. The 'Last updated' date at top tracks revisions.