Privacy and data protection notice

🧐 All about personal data processing here at NoTies Consulting (Bedre Bedrift AS)!

Controller and contact information

This notice explains how Bedre Bedrift AS (dba. NoTies Consulting) processes your personal data as per the General Data Protection Regulation (GDPR).

Controller and contact information:

  • Company name: Bedre Bedrift AS (dba. NoTies.Consulting)
  • Company number: Foretaksregisteret 921 119 224 MVA (🇳🇴 registered limited liability company)
  • Email address: ntcwebsite[curly]pm.me

PS: I write "we" below but it's just me, Rie, running this business. :) Just reach out if you have any questions.

This notice was last updated: December 2025.


How we get your personal data

We typically process personal data about potential and existing customers, vendors and processors, for example when you:

  • use our website(s), like this one
  • buy and use our products or services, like DPO Hub, a workshop or speaking gig, or the DPO Hub Community
  • subscribe to our free newsletter The Rieview (and maybe also request access to the digital archive)
  • sign up for and participate in our events, free or paid
  • respond to a survey
  • share your contact details and interact with us via phone, text, email, our website(s) or LinkedIn

Sharing your personal data is voluntary, but if you choose not to, we’ll likely be unable to provide you with our services. We don't rent, buy or sell personal data from or to others, use automated decisions or profiling in the processing of your personal data, or use marketing or ads cookies on our websites.


Purpose, lawful basis and retention periods

We only process your personal data when we have a purpose and a lawful basis as per the GDPR Article 6(1) – in our case:

  • a) Your consent, for example for newsletters
  • b) We have a contractual obligation (contract) with you, for example to deliver speaking services or digital products
  • c) We have a legal obligation, typically related to accounting, bookkeeping, taxes and other business operations
  • f) We believe we have a legitimate interest, typically to continually improve and run an effective business

For easy reading, we've left out the Article references below. Just reach out if you have any questions.

💡
We have solid routines in place and regular GDPR review days, where we formally assess our privacy and data protection work with the intention to amend, update and, if necessary, delete personal data.

We process personal data when:

You visit our website(s)

We operate the following websites:

We use privacy-first Fathom Analytics (privacy policy) across all sites. Your IP address and User-Agent are only processed briefly; we don't track which pages you view, only time and total requests per IP. Our Kajabi sites have native analytics that can't be disabled, covering only (individual) page views and optins. Either way, we never see your IP address. The lawful basis for website analytics is our legitimate interest to improve our websites and keep our business sustainable.

We aim to limit third-country transfers and don't use marketing or ads cookies on any of our sites.

You subscribe to The Rieview newsletter

On join.dpohub.eu/yes you can sign up for The Rieview, a free newsletter with Rie's unfiltered thoughts on building DPO foundations (not fighting fires), practical insights from CJEU rulings she's actually read, Grumpy GDPR podcast exclusives, and occasional product promotions. Sent 1-2 times monthly, or when inspiration strikes.

You must share your email address to receive the newsletter – name is optional (Rie thinks it's nice to know who's subscribing!). When you sign up, we're notified by email and Kajabi (hosted on AWS with data stored in the US – privacy policy) stores your record with signup date and time, email address, name, consent confirmation and newsletters received, opened and links clicked. If you reply to a newsletter, it lands in Rie's Proton inbox.

Kajabi's newsletter metrics (opens/clicks) can't be disabled. If this concerns you, please don't subscribe – follow Rie's LinkedIn posts instead.

We process your personal data to deliver emails, build relationships and optimise content for all subscribers, hopefully converting some of you to customers to run a viable business. The lawful basis is your consent. You can easily withdraw it by unsubscribing via the link in any newsletter, and your data is usually deleted within a few days, at most within a month.

PS: Rie used an EEA-based service before but switched to a US one for several reasons. First, however, she redid a complete GDPR due diligence and risk assessment of Kajabi, including all six forms (vendor, system, privacy policy, DPAg, and more). Listen to our Grumpy GDPR podcast discussion for more details.

You purchase our products or services

The personal data we process depends on the product or service and payment method. For invoicing, we typically process your name, email address, company name, billing address, VAT number, order details, payment details, purchase/offer history and similar. Stripe handles all our online payments and currently only applies to DPO Hub, see the dedicated notice here.

We process this data to deliver the products and services you've purchased and to manage the customer relationship. The lawful bases are contract and legal obligations related to accounting, tax and other business rules we must follow.

We keep the data for as long as we have a legal obligation. Norwegian law requires us to store business records, which may include personal data, for at least five years for accounting and tax purposes. We also store data from customer projects and engagements for up to five years after the customer relationship ends, based on our legitimate interest in documenting deliverables and defending ourselves against legal claims.

You purchase access to DPO Hub

DPO Hub lives on dpohub.eu and runs on Ghost CMS (privacy policy), hosted on Digital Ocean with data stored in the EEA. Please read the dedicated DPO Hub notice here.

You join the DPO Hub Community

The DPO Hub Community lives on community.dpohub.eu (cookie notice) and runs on Kajabi CMS (privacy policy), hosted on AWS with data stored in the US.

The Community is a space to exchange thoughts, ideas and interact with other members – meaning you'll share plenty of personal data!

To get access, you must create an account with a password and share your email address, full name and accept the terms. When you sign up, Kajabi creates and stores your account with added date and time, email address, name, terms confirmation, granted or purchased offers, payment information, products, product progress, sign-in count, last activity date and time, emails received, opened and links clicked. If you reply to an email, it lands in Rie's Proton inbox.

Kajabi's email metrics (opens/clicks) can't be disabled. If this concerns you, please don't join the Community – engage with Rie and others on LinkedIn instead.

The Community is part of a paid product, so we must process your personal data to give you access. The lawful basis is contract, which you enter into when you submit the signup form and accept the terms. You can end your access by cancelling the paid product or ask to be removed.

If you leave the Community, your account will be deleted from the platform, but your profile will only show as inactive and your interactions will remain visible. You can change your profile name and delete any of your contributions before you leave.

Currently, there's no way to delete all your data automatically, so if you want your contributions removed, you must do it yourself. By joining the Community, you agree to this under the terms, and we process your personal data on that basis. We otherwise rely on our legitimate interest in facilitating a dynamic and lively community and keeping a complete conversation history for members.

PS: We're in dialogue with Kajabi to get a better erasure process in place.

🎙️ You guest the Grumpy GDPR podcast

If you're one of our awesome podcast guests, we'll process your name, email, correspondence, calendar invites and everything related to the actual recording, including audio.

We do this to manage the dialogue around the episode, record it and share the final audio. After you’ve agreed to be a guest, our lawful basis for publishing is our legitimate interest in sharing the audio with our privacy and data protection community to support continued learning.

As a general rule, we don’t delete episodes, so the recording will remain available for as long as the podcast exists (hopefully for a long time!). If you want to request deletion of your contribution for any reason, please reach out so we can discuss.

PS: Note that the controllers for this particular processing are your hosts Miloš Novovic and Rie Aleksandra Walle.

You communicate with us

If you contact us – whether through our website (contact form, blog comments, chat), email, phone, social media or by giving us your business card – we process your personal data. Depending on how you reach out, this may include your name, contact details, IP address and any other information you choose to share.

We use this to respond to your enquiries and, when needed, to keep records in case of complaints or legal claims. The lawful basis is our legitimate interest for these same purposes. We review this data regularly and delete it when appropriate – typically within three years, or five years if required by Norwegian accounting rules.

You attend an event

If you attend our free events, we process your name and contact details. For paid events, we also collect order and payment information as described above. We use this data to manage your registration and attendance and, where relevant, payment. The lawful basis is consent for free events, or contract and legal obligations related to accounting, tax and other business rules for paid events.

We may also use your data to send you an evaluation of the event, invite you to other relevant events and/or offer relevant products and services. The lawful basis is our legitimate interest to offer you things we think you'll find useful. If you don't wish to receive such messages, you can easily opt out – for example through an unsubscribe link in our emails. We keep this data for up to two years after you attended, unless you subscribe to our newsletter or become a customer.

You respond to a survey

Responding to our evaluations and surveys is voluntary. We process your name, contact details and any other information you choose to share to gather feedback and improve our products, services and customer service. The lawful basis is consent. We keep this data until you ask us to delete it, or no later than two years after you responded.

You supply services to or collaborate with us

If you enter into an agreement with us as a vendor, partner or processor, we process your name, contact details and correspondence. We use this data to enter into and manage the agreement and to respond to your enquiries. The lawful bases are contract and legal obligations related to accounting, tax and other business rules we must follow.

We keep the data for as long as we have a legal obligation. Norwegian law requires us to store business records, which may include personal data, for at least five years for accounting and tax purposes. We also store data from collaboration projects for up to five years after the collaboration ends, based on our legitimate interest in defending ourselves against legal claims.


Whom we share personal data with

To run our business efficiently and securely, we sometimes share your personal data with other parties:

  • Public authorities we must report to (in Norway)
  • Our accountant
  • Processors: providers of services that process your personal data on our behalf
  • IT support, if necessary

We enter into a data processing agreement with anyone who processes data on our behalf.

We use processors for:
  • Email, calendar and digital meetings
  • Accounting/bookkeeping and invoicing
  • Cloud storage
  • Our websites with online stores, payments and web portals
  • Newsletters
  • Project management, timekeeping, digital notebook and scheduling
  • Webinars
  • Signing documents electronically
  • Surveys and customer satisfaction feedback

To protect our business we don't publish all the details about our processors. If you'd like to know more about our processing and whom we share your personal data with, please contact us.

We conduct rigorous due diligence on every processor before deciding to use them, as well as regular audits of existing ones in line with the Danish DPA's methodology.


Transfer of personal data outside the EU/EEA

We thoroughly vet every processor we use, including their website quality and security, privacy notice, data processing agreement, general GDPR information, whether they have a DPO and (if applicable) a European representative, use of sub-processors, known security or privacy breaches and technical and organisational security measures.

We also risk assess each, especially those located in or storing data in third countries. Finally, we assess the processor against the specific processing activity. All use of processors and storage of personal data in third countries has been thoroughly considered and risk assessed, and chosen because there wasn't a viable EEA-based option.

We currently use these processors from outside the EEA, with HQ country/country of storage in parentheses:

See above for details on personal data processed for each.

We use Proton for email correspondence and calendar invites (Fastmail for archive purposes for now), Microsoft OneDrive as cloud provider, Forms for surveys, and Teams for meetings and webinars. When you register for a meeting, you must accept their terms.

Kajabi, Stripe and Microsoft are certified under the EU-US Data Privacy Framework. Fathom Analytics is based in Canada and falls under their adequacy decision. Standard Contractual Clauses (SCCs) cover the rest.

If you have any questions about our use of third country-based processors, just reach out.


Information security

We do take information security seriously; it's not just a generic statement here. For example, we take regular backups (including externally stored ones), use SSL on our websites, strong passwords, a password manager, encryption and two-factor authentication to secure all our data and prevent unauthorised persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal data.

We only allow others to access or process your personal data in line with our instructions and only when necessary, for example when we need IT support.

We've implemented a policy for technical and organisational measures and a routine for managing data breaches. If we experience a personal data breach and it poses a medium to high risk for the people affected, we'll notify 🇳🇴 Datatilsynet and other relevant authorities within 72 hours. If the risk is deemed high for the people affected, we'll also notify them directly, if possible.


Your data protection rights

  • Access and rectification: You can request access to or a copy of the information we process about you and ask us to rectify any incorrect data.
  • Erasure or restriction: You may ask us to delete and/or restrict our processing of your data.
  • Object to processing: You may ask us to stop processing your data.
  • Data portability: You may ask us to transfer your data to you or to another organisation.
  • If you’re unhappy about how we process your data, you have a right to complain to a data protection authority (in Norway: Datatilsynet). But please contact us first as we're sure we can resolve whatever issue you have.

Also note that you can always ask for any right under the GDPR, but we might not be able to fulfill your request, for example where we're required by law to process certain personal data, or we believe we have a legitimate interest to do so.

Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply within a month, but we'll most likely respond way faster!
