At a glance

We have tried to make this policy as readable as possible. If you only read one section, read this:

  • We are the controller: Cloudline AS, org. no. NO 898 795 802 MVA, Grønland 14, 5918 Frekhaug, Norway.
  • We only collect what we need to deliver the course, take payment and keep the service safe.
  • We do not sell personal data to anyone.
  • You can request access, correction or deletion at any time by emailing support@teorikurs.no.
  • The service runs on servers in the EU (France and the Netherlands). Some vendors are US-based — see below for how we protect that transfer.

1. Who is the data controller?

Cloudline AS is the controller of personal data processed through Teorikurs.no.

Company
Cloudline AS
Organisation number
NO 898 795 802 MVA
Postal address
Grønland 14, 5918 Frekhaug, Norway
Contact for privacy questions
support@teorikurs.no

Cloudline AS has not appointed a data protection officer. Privacy enquiries are answered directly by the company via the email address above.

2. What personal data do we process?

We process different categories of data depending on how you use the service:

Account data
Email address, first name, last name, language preference and account settings (read-aloud, subtitles, readability mode).
Authentication data
Passwords, login links and refresh tokens are stored in a form that cannot be reversed back to the original text — neither we nor anyone who obtains the database can read them directly. Login links are valid for at most 15 minutes; refresh tokens for up to 30 days.
Course progress
Pages you have read, exercises you have answered, your answers (correct/incorrect), test results, last page visited in each course.
Payment data
Order number, amount, currency, purchase date, which course/duration was bought, and a reference to the Stripe payment. We never see your card number — it is handled by Stripe.
Technical data
IP address, action timestamps, audit-log events (login, payment, access granted/revoked). Used for security, debugging and legal compliance.
Feedback
If you submit feedback on a course: rating, comment, and whether you consented to having your name shown alongside the feedback.

3. Why do we process the data?

We need a lawful basis for every processing activity. Here is the overview:

PurposeLawful basis (GDPR)
Create and operate user accountContract (art. 6(1)(b)) — necessary to deliver the service
Store course progress and exercise answersContract (art. 6(1)(b))
Send login links, receipts and operational noticesContract (art. 6(1)(b))
Text-to-speech synthesis of course contentContract (art. 6(1)(b))
Process payments via StripeContract (art. 6(1)(b))
Retain receipts and accounting recordsLegal obligation (art. 6(1)(c)) — Norwegian Bookkeeping Act § 13: 5 years
Audit log of login, payment and admin actionsLegitimate interest (art. 6(1)(f)) — information security and fraud prevention, recitals 47 and 49
Logging IP addresses for debugging and abuse protectionLegitimate interest (art. 6(1)(f))
Publishing feedback with your nameConsent (art. 6(1)(a)) — opt-in checkbox on the feedback form

We do not process special categories of personal data (health, religion, political views, etc.) and we do not perform automated decision-making or profiling that produces legal effects for you (GDPR art. 22).

4. Who do we share data with?

We use a few selected sub-processors to deliver the service. Each is bound by a data processing agreement with us or by equivalent terms. We never sell data to anyone.

ProviderPurposeData sentLocation
OVH SASHosting of application and databaseAll data stored in the serviceFrance (EU)
Stripe Payments Europe Ltd.Payment processingEmail, name, order info; card details entered directly with StripeIreland (EU) + USA (DPF + SCCs)
Postmark (ActiveCampaign LLC)Sending email (login links, receipts, notices)Email address, name, email contentUSA (DPF + SCCs)
Microsoft Azure (Speech Services + Blob Storage)Text-to-speech synthesis and audio cachingThe course text to be read aloud and the resulting audio files (no user identifier is sent)Netherlands (West Europe)
Vipps MobilePay ASSign-in via Vipps (optional)Vipps user ID, email, name, phone numberNorway (EEA)

We update this list when it changes. Material changes are announced on this page and, where relevant, by email.

5. Transfers outside the EEA

Some of the sub-processors above (Stripe, Postmark) are US companies. Transfer of personal data to the US takes place under the EU-US Data Privacy Framework (DPF), with EU Commission Standard Contractual Clauses (2021/914 Module 2) as a backup. In 2026 we have chosen to limit the use of US vendors to what we need to run the service, and we follow the Norwegian Data Protection Authority's assessments on an ongoing basis. If the legal basis for transfer to the US changes, we will evaluate alternative providers.

6. How long do we keep the data?

We only keep data for as long as it is necessary for the purpose or required by law.

Data typeRetention period
Account and profile dataFor as long as the account is active; deleted within 30 days of a deletion request
Course progress, exercise answers, test resultsDeleted together with the account
Magic-link tokensMaximum 15 minutes; deleted on use
Refresh tokens30 days from issue
Audit log2 years, then automatically deleted (standard IT-security window for incident investigation)
Receipts and order records5 years after the end of the accounting year (Norwegian Bookkeeping Act § 13)
Published feedbackIndefinitely as part of the service; user ID is anonymised on account deletion
Server and access logs30 days

7. Your rights

Under the GDPR you have the following rights when we process personal data about you:

Right of access
You can request a copy of the personal data we hold about you.
Right to rectification
You can ask us to correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”)
You can ask us to delete your data. Note that we cannot delete receipts we are required to retain under the Bookkeeping Act — these are kept only for the legally required period.
Right to restriction
You can ask us to temporarily stop using the data while an objection is being handled.
Right to data portability
You can request a machine-readable copy of the data you have provided to us.
Right to object
You can object to processing based on legitimate interest.
Right to withdraw consent
Where processing is based on consent (for example publishing your name in feedback), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint with the Norwegian Data Protection Authority
If you believe we process your data in breach of the privacy rules, you can complain to Datatilsynet (datatilsynet.no).

To exercise any of these rights, write to support@teorikurs.no. We normally respond within a week.

8. Cookies

We set both strictly necessary cookies and — with your consent — analytics and marketing cookies. You can change your consent at any time via 'Manage consent' at the bottom of the page.

Necessary cookies have a legal basis under the Norwegian Electronic Communications Act § 2-7b (service function). Analytics and marketing cookies require consent under the same provision, which you give us via the consent banner.

Your consent is stored in the tk_consent cookie for 180 days, after which we ask again.

9. Children and young people

The theory course is primarily aimed at people old enough to begin driver education. In practice that means people typically start studying theory from around age 15 (basic traffic course and moped/light motorcycle) and from 16 for cars. Under the Norwegian Personal Data Act § 5, children under 13 must have parental consent to use information society services. The service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If we become aware that we hold such data without consent, we will delete it.

10. Security

We use technical and organisational measures to protect your data: TLS on all traffic, storage of passwords and one-time tokens in a form that cannot be reversed to the original text, automatic refresh-token rotation with revocation on suspected abuse, a strict Content Security Policy, audit logging of security-relevant actions and regular dependency updates.

Security breaches

If a personal data breach occurs that may pose a risk to your rights and freedoms, we will notify the Norwegian Data Protection Authority within 72 hours of becoming aware of it, and notify you directly if the risk is high.

11. Changes to this policy

We may update this privacy policy. Material changes are announced on this page and, where practical, by email. The date of the most recent update appears at the top of the page.

12. Contact us

Questions about privacy, or requests for access, correction or deletion, can be sent to support@teorikurs.no. You can also complain to the Norwegian Data Protection Authority via their website at datatilsynet.no.