Privacy policy
This page explains what personal data Teorikurs.no processes about you, why we process it, who we share it with, how long we keep it, and what rights you have.
At a glance
We have tried to make this policy as readable as possible. If you only read one section, read this:
- We are the controller: Cloudline AS, org. no. NO 898 795 802 MVA, Grønland 14, 5918 Frekhaug, Norway.
- We only collect what we need to deliver the course, take payment and keep the service safe.
- We do not sell personal data to anyone.
- You can request access, correction or deletion at any time by emailing support@teorikurs.no.
- The service runs on servers in the EU (France and the Netherlands). Some vendors are US-based — see below for how we protect that transfer.
1. Who is the data controller?
Cloudline AS is the controller of personal data processed through Teorikurs.no.
- Company
- Cloudline AS
- Organisation number
- NO 898 795 802 MVA
- Postal address
- Grønland 14, 5918 Frekhaug, Norway
- Contact for privacy questions
- support@teorikurs.no
Cloudline AS has not appointed a data protection officer. Privacy enquiries are answered directly by the company via the email address above.
2. What personal data do we process?
We process different categories of data depending on how you use the service:
- Account data
- Email address, first name, last name, language preference and account settings (read-aloud, subtitles, readability mode).
- Authentication data
- Passwords, login links and refresh tokens are stored in a form that cannot be reversed back to the original text — neither we nor anyone who obtains the database can read them directly. Login links are valid for at most 15 minutes; refresh tokens for up to 30 days.
- Course progress
- Pages you have read, exercises you have answered, your answers (correct/incorrect), test results, last page visited in each course.
- Payment data
- Order number, amount, currency, purchase date, which course/duration was bought, and a reference to the Stripe payment. We never see your card number — it is handled by Stripe.
- Technical data
- IP address, action timestamps, audit-log events (login, payment, access granted/revoked). Used for security, debugging and legal compliance.
- Feedback
- If you submit feedback on a course: rating, comment, and whether you consented to having your name shown alongside the feedback.
3. Why do we process the data?
We need a lawful basis for every processing activity. Here is the overview:
| Purpose | Lawful basis (GDPR) |
|---|---|
| Create and operate user account | Contract (art. 6(1)(b)) — necessary to deliver the service |
| Store course progress and exercise answers | Contract (art. 6(1)(b)) |
| Send login links, receipts and operational notices | Contract (art. 6(1)(b)) |
| Text-to-speech synthesis of course content | Contract (art. 6(1)(b)) |
| Process payments via Stripe | Contract (art. 6(1)(b)) |
| Retain receipts and accounting records | Legal obligation (art. 6(1)(c)) — Norwegian Bookkeeping Act § 13: 5 years |
| Audit log of login, payment and admin actions | Legitimate interest (art. 6(1)(f)) — information security and fraud prevention, recitals 47 and 49 |
| Logging IP addresses for debugging and abuse protection | Legitimate interest (art. 6(1)(f)) |
| Publishing feedback with your name | Consent (art. 6(1)(a)) — opt-in checkbox on the feedback form |
We do not process special categories of personal data (health, religion, political views, etc.) and we do not perform automated decision-making or profiling that produces legal effects for you (GDPR art. 22).
4. Who do we share data with?
We use a few selected sub-processors to deliver the service. Each is bound by a data processing agreement with us or by equivalent terms. We never sell data to anyone.
| Provider | Purpose | Data sent | Location |
|---|---|---|---|
| OVH SAS | Hosting of application and database | All data stored in the service | France (EU) |
| Stripe Payments Europe Ltd. | Payment processing | Email, name, order info; card details entered directly with Stripe | Ireland (EU) + USA (DPF + SCCs) |
| Postmark (ActiveCampaign LLC) | Sending email (login links, receipts, notices) | Email address, name, email content | USA (DPF + SCCs) |
| Microsoft Azure (Speech Services + Blob Storage) | Text-to-speech synthesis and audio caching | The course text to be read aloud and the resulting audio files (no user identifier is sent) | Netherlands (West Europe) |
| Vipps MobilePay AS | Sign-in via Vipps (optional) | Vipps user ID, email, name, phone number | Norway (EEA) |
We update this list when it changes. Material changes are announced on this page and, where relevant, by email.
5. Transfers outside the EEA
Some of the sub-processors above (Stripe, Postmark) are US companies. Transfer of personal data to the US takes place under the EU-US Data Privacy Framework (DPF), with EU Commission Standard Contractual Clauses (2021/914 Module 2) as a backup. In 2026 we have chosen to limit the use of US vendors to what we need to run the service, and we follow the Norwegian Data Protection Authority's assessments on an ongoing basis. If the legal basis for transfer to the US changes, we will evaluate alternative providers.
6. How long do we keep the data?
We only keep data for as long as it is necessary for the purpose or required by law.
| Data type | Retention period |
|---|---|
| Account and profile data | For as long as the account is active; deleted within 30 days of a deletion request |
| Course progress, exercise answers, test results | Deleted together with the account |
| Magic-link tokens | Maximum 15 minutes; deleted on use |
| Refresh tokens | 30 days from issue |
| Audit log | 2 years, then automatically deleted (standard IT-security window for incident investigation) |
| Receipts and order records | 5 years after the end of the accounting year (Norwegian Bookkeeping Act § 13) |
| Published feedback | Indefinitely as part of the service; user ID is anonymised on account deletion |
| Server and access logs | 30 days |
7. Your rights
Under the GDPR you have the following rights when we process personal data about you:
- Right of access
- You can request a copy of the personal data we hold about you.
- Right to rectification
- You can ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”)
- You can ask us to delete your data. Note that we cannot delete receipts we are required to retain under the Bookkeeping Act — these are kept only for the legally required period.
- Right to restriction
- You can ask us to temporarily stop using the data while an objection is being handled.
- Right to data portability
- You can request a machine-readable copy of the data you have provided to us.
- Right to object
- You can object to processing based on legitimate interest.
- Right to withdraw consent
- Where processing is based on consent (for example publishing your name in feedback), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint with the Norwegian Data Protection Authority
- If you believe we process your data in breach of the privacy rules, you can complain to Datatilsynet (datatilsynet.no).
To exercise any of these rights, write to support@teorikurs.no. We normally respond within a week.
8. Cookies
We set both strictly necessary cookies and — with your consent — analytics and marketing cookies. You can change your consent at any time via 'Manage consent' at the bottom of the page.
Necessary cookies have a legal basis under the Norwegian Electronic Communications Act § 2-7b (service function). Analytics and marketing cookies require consent under the same provision, which you give us via the consent banner.
Your consent is stored in the tk_consent cookie for 180 days, after which we ask again.
9. Children and young people
The theory course is primarily aimed at people old enough to begin driver education. In practice that means people typically start studying theory from around age 15 (basic traffic course and moped/light motorcycle) and from 16 for cars. Under the Norwegian Personal Data Act § 5, children under 13 must have parental consent to use information society services. The service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If we become aware that we hold such data without consent, we will delete it.
10. Security
We use technical and organisational measures to protect your data: TLS on all traffic, storage of passwords and one-time tokens in a form that cannot be reversed to the original text, automatic refresh-token rotation with revocation on suspected abuse, a strict Content Security Policy, audit logging of security-relevant actions and regular dependency updates.
Security breaches
If a personal data breach occurs that may pose a risk to your rights and freedoms, we will notify the Norwegian Data Protection Authority within 72 hours of becoming aware of it, and notify you directly if the risk is high.
11. Changes to this policy
We may update this privacy policy. Material changes are announced on this page and, where practical, by email. The date of the most recent update appears at the top of the page.
12. Contact us
Questions about privacy, or requests for access, correction or deletion, can be sent to support@teorikurs.no. You can also complain to the Norwegian Data Protection Authority via their website at datatilsynet.no.