Legal
Privacy Policy
Last Updated: March 14, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how Es Investering AS (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit this website and when you contact us about our online business and leadership education programs. Our programs are delivered online and are available across Canada. Administrative operations are based in Norway.
Data Controller (GDPR): Es Investering AS
Registered/Office Address: Rishammeren 20, 8230 Sulitjelma, Norway
Email: [email protected]
Phone: +47 75 64 60 30
We do not appoint a Data Protection Officer (DPO) because we do not conduct large-scale processing of special-category data. If you have questions about privacy, you can contact us using the details above.
2. Personal Data We Collect
We collect personal data in a few straightforward ways:
- Identity and contact data: name, email address, and phone number when you submit a registration or enquiry form.
- Form content: the program you select, optional workshop preferences, and any message you include (for example, learning goals, preferred timelines, and prerequisites questions).
- Technical data: IP address, device type, browser type and version, operating system, language settings, and approximate location derived from IP (city/region level).
- Usage data: pages viewed, time spent, referrer/entry page, clicks and navigation paths, and basic interaction events used to understand content performance.
- Cookies and identifiers: first- and third-party cookies and similar identifiers as described in Section 4 and in our Cookie Policy.
- Conversion events: events related to form submissions and page visits that help us measure whether the website content is useful and whether advertising campaigns are working (when marketing consent is granted).
We do not intentionally collect special-category data (such as health data, political opinions, religious beliefs, or biometric identifiers). Please do not include sensitive personal data in free-text fields. We also do not request government identification numbers or financial account details as part of registration enquiries.
3. Why We Process Personal Data & Legal Bases (GDPR Article 6)
We process personal data only for defined purposes and using appropriate legal bases:
- Responding to enquiries and registration requests (for example, schedules, delivery format, prerequisites): Article 6(1)(b) (steps prior to entering a contract) and, where required, Article 6(1)(a) (consent).
- Providing customer support and administrative communication (replying to emails, clarifying program details): Article 6(1)(b) and/or Article 6(1)(f) (legitimate interests in operating an education service).
- Analytics measurement (understanding how pages are used so we can improve navigation and content): Article 6(1)(a) (consent).
- Marketing and advertising measurement (remarketing, conversion attribution, audience building): Article 6(1)(a) (consent).
- Security and fraud prevention (protecting the site, rate limiting, detecting abuse): Article 6(1)(f) (legitimate interests in securing our systems).
- Legal compliance (where required by applicable law): Article 6(1)(c) (legal obligation).
Automated decision-making and profiling (GDPR Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
4. Cookies & Tracking
We use cookies and similar technologies to keep the site functional, to measure usage, and (with consent) to measure advertising performance. Cookies may be session cookies (deleted when you close your browser) or persistent cookies (stored for a set period). Some cookies are set by us (first-party) and some are set by third parties (third-party).
Essential cookies (always active)
Essential cookies are required for the site to function and for your cookie choices to be remembered. These cookies do not require consent under EEA rules when they are strictly necessary.
- _site_session: used for basic session continuity and security-related features.
- cookie_consent: stores your cookie preference selections.
Typical retention: session to 12 months (depending on the cookie).
Analytics cookies (consent required)
When you accept analytics cookies, we may use Google Analytics 4 (GA4) with IP anonymization to understand site usage patterns (for example, which pages are read most often and which navigation paths are confusing). This helps us improve content and usability. GA4 cookies may include:
- _ga (2 years)
- _ga_XXXXXXXXXX (2 years; GA4 property-specific cookie)
Analytics data retention is set to 14 months.
Marketing cookies (consent required)
When you accept marketing cookies, we may use marketing and advertising technologies to measure campaign performance and show relevant ads. These may include:
- _gcl_au (Google Ads conversion linker, 90 days)
- _fbp (Meta Pixel browser identifier, 90 days)
- _fbc (Meta Pixel click identifier, 90 days when a click ID is present)
Marketing measurement may use cookie identifiers and event data (such as page views and form submissions). In some configurations, events may also be sent server-side (for example, using a conversion API). Where identifiers are used, they may be hashed or pseudonymized depending on the provider and the integration method.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Article 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie for up to 12 months.
You can withdraw or adjust consent at any time by selecting “Manage cookie preferences” in the website footer, or by clearing cookies in your browser. Withdrawal of consent does not affect the lawfulness of processing that took place before you withdrew consent.
6. Sharing With Advertising & Service Partners
We may share limited personal data with service providers that help us run the website and measure performance. We do not sell personal data.
- Google LLC (Google Analytics 4, Google Ads, Tag Manager, remarketing): cookie identifiers, usage data, conversion events. Privacy: https://policies.google.com/privacy
- Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API where enabled): page views, conversions, audience signals, identifiers (sometimes hashed). Privacy: https://www.facebook.com/privacy/policy
- Cloudflare (security and performance): IP-based threat detection and content delivery. Privacy: https://www.cloudflare.com/privacypolicy/
We do not permit these providers to use site data for their own independent commercial purposes. They process data under their own terms as service providers and/or independent controllers depending on the specific tool and configuration.
7. International Transfers
We are based in Norway (EEA). Some of our service providers are located outside the EEA/UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards. Depending on the provider and circumstances, these safeguards may include:
- EU–US Data Privacy Framework (DPF) (primary safeguard where applicable, since July 2023)
- UK Extension to the EU–US DPF
- Swiss–US DPF
- Standard Contractual Clauses (EU 2021/914) as a fallback
- UK International Data Transfer Addendum/IDTA as a fallback
8. Retention
We keep personal data only as long as needed for the purpose it was collected for, and then delete or anonymize it unless we must keep it longer for legal reasons.
- Contact and registration submissions: typically retained for up to 2 years from the last interaction.
- Email correspondence: retained for the duration of the relationship, plus up to 1 year for continuity and auditability.
- Server logs: typically retained for up to 90 days for security and troubleshooting.
- Analytics data: 14 months (configuration setting).
- Marketing cookies: per cookie lifetime described in Section 4 and in the Cookie Policy.
- Consent records: cookie consent records may be retained for up to 3 years for audit and compliance purposes.
- Legal/tax records: retained as required by applicable law (often 6–10 years for certain records such as invoices where relevant).
9. Your Rights (GDPR & UK GDPR)
If you are located in the EEA or UK, you have rights under GDPR/UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent (Article 7(3))
- Right to lodge a complaint (Article 77)
To exercise a right, email [email protected]. We respond within 30 days, and may extend by up to 60 additional days for complex requests. We may ask for reasonable information to verify identity before acting on a request.
Supervisory authorities: If you are in Norway, you can contact Datatilsynet (Norwegian Data Protection Authority). If you are elsewhere in the EEA, you may contact your local supervisory authority. For general EU information, see the European Data Protection Board: https://edpb.europa.eu. UK residents may contact the Information Commissioner’s Office: https://ico.org.uk.
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track
This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling and opt-out methods.
12. Data Deletion Requests
You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We aim to complete deletion within 30 days after identity verification, unless we must retain limited information to comply with legal obligations or to establish, exercise, or defend legal claims.
13. Business Transfers
If Es Investering AS is involved in a merger, acquisition, asset sale, financing, reorganization, or insolvency event, personal data may be transferred to a successor entity. If the transfer results in a material change to how personal data is used, we will provide notice on this website.
14. California (CCPA / CPRA)
This section applies to California residents where the CCPA/CPRA is relevant. In the past 12 months, we may have collected the following categories of information:
- Identifiers (name, email, IP address, cookie IDs) shared with service providers and advertising partners for site operations and measurement.
- Internet or network activity (pages viewed, interactions) shared with analytics and advertising providers when consent is granted.
- Inferences (interests based on content viewed) used for advertising measurement and audience creation when consent is granted.
We do not sell personal information as defined by the CCPA. We do share certain data for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out by adjusting cookie preferences via the cookie preference panel.
California rights may include the right to know, delete, correct, opt out of sale/sharing, and non-discrimination. Requests can be submitted by emailing [email protected] with the subject “California Privacy Request”. We will verify your identity before completing a request. Authorized agents must provide written proof of authorization.
15. Virginia (VCDPA)
Virginia residents may have rights to access, correct, delete, obtain a copy of their data, and opt out of targeted advertising. To submit a request, email [email protected] with the subject “Virginia Privacy Request”.
We do not sell personal data or engage in profiling that produces legal or similarly significant effects. If a request is denied, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond within 60 days. Unresolved concerns may be directed to the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide a notice on the homepage for at least 14 days before the update takes effect. The “Last Updated” date at the top of this page will be revised whenever the policy is changed.
18. Contact
Questions, requests, or concerns about this Privacy Policy can be sent to:
Es Investering AS
Rishammeren 20, 8230 Sulitjelma, Norway
Email: [email protected]
Phone: +47 75 64 60 30