Privacy Policy

Last updated: March 17, 2026

1. Data Controller

Boksmart AS
Organization number: 930 561 924
Østervågkaien 21, 4006 Stavanger, Norway
Email: [email protected]

2. Data We Collect

We collect and process the following categories of personal data:

  • Publisher administrator information: name, email address, and login credentials.
  • Author information: name, email address, and bank account details (for royalty payments).
  • Book metadata: titles, ISBNs, prices, and related publication data.
  • Sales and order data: order details, inventory levels, and sales figures from connected sales channels.

3. Purpose of Processing

All personal data is processed solely to deliver the Boksmart service, including:

  • Administration of publisher and author accounts.
  • Calculation and payment of royalties to authors.
  • Tracking book sales, orders, and inventory across connected sales channels.
  • Sending transactional emails (account invitations, royalty statements).

We process personal data on the following legal bases under the GDPR:

  • Performance of a contract (Art. 6(1)(b)): processing is necessary to fulfill the service agreement with publishers.
  • Legitimate interest (Art. 6(1)(f)): processing of author data necessary for the publisher’s legitimate business operations (royalty administration).

5. Data Sources

We receive data from the following sources:

  • User input: information entered directly by publisher administrators and authors.
  • Forlagssentralen (FS): book metadata, order data, and inventory data synchronized automatically.
  • Shopify: product and order data retrieved via the Shopify API solely for sales tracking. Publishers authorize this connection via OAuth and can disconnect at any time.
  • WooCommerce: order and product data synchronized via API integration.
  • Sentraldistribusjon (SD): order and inventory data synchronized via SFTP.

6. Sub-processors

We use the following third-party providers to deliver our service:

Provider                  | Purpose                          | Location
Hetzner                   | Application hosting and database | EU
Postmark (ActiveCampaign) | Transactional email delivery     | US (SCCs in place)
Stripe                    | Subscription payments            | US (SCCs in place)
Sentry                    | Error monitoring                 | US (SCCs in place)

7. Cookies

Boksmart only uses a strictly necessary session cookie to maintain your login session. We do not use any tracking, analytics, or marketing cookies. Strictly necessary cookies are exempt from consent requirements under the ePrivacy Directive.

8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data (“right to be forgotten”).
  • Restrict processing of your data.
  • Receive your data in a structured, machine-readable format (data portability).
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

To exercise any of these rights, contact us at [email protected].

9. Data Retention

We retain personal data for as long as your account is active and the service agreement is in effect. Upon termination, all data is deleted within 30 days, in accordance with our service agreement.

10. International Transfers

We store data within the EU/EEA where possible. Where data is transferred outside the EU/EEA (see sub-processors above), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated to registered users via email. The “Last updated” date at the top reflects the most recent revision.

12. Contact

For questions about this privacy policy or our data processing, contact us at: [email protected]