Free Shipping
Extended Holiday Returns
  1. Home
  2. Terms Conditions
  3. Security Privacy Policy

Privacy policy

Last updated: December2025

When you use our website, purchase goods from us, subscribe to newsletters, or otherwise contact us, Heymat AS(“Heymat”, “we”, “us”, “our”) processes personal data about you.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and relevant U.S. state privacy laws.

We consider the safe and secure processing of your personal data a top priority.

1.Contact Information

Business name: Heymat AS
Address: Mellomvika 1, 8622 Mo i Rana, Norway
Email: [email protected]
Organization number: Org.nr 916 229 410
Registered with: Brønnøysundregistrene

For U.S. customer support and privacy inquiries:
Email (U.S.): [email protected]

If you have questions about how we process your personal data, please contact us.

2. Personal Data We Collect and the Legal Basis.

We collect different types of information depending on how you interact with us.

2.1. Purchase from our online store

When you place an order, we collect:

  • Name

  • Delivery and billing address

  • Phone number

  • Email address

  • Order details

  • Payment method information (processed by Adyen)

Legal basis:
Contract (GDPR Art. 6(1)(b));
Legal obligation for accounting and financial records.

We use this information to:

  • Process and deliver your order

  • Send order and shipping confirmations

  • Handle returns, complaints, and warranty matters

2.2. Payment processing (Adyen)
Payments are processed by Adyen N.V., a licensed and regulated payment institution.

Adyen receives only the information necessary to carry out your payment securely:

  • Payment method

  • Transaction amount

  • Partial card details / tokenized information

  • Fraud-prevention data

  • Technical information related to the payment

Heymat does not store full payment card details.

Adyen acts as an independent data controller for payment processing and fraud detection.

Legal basis:
Contract + Adyen’s legal obligations.

2.3. Transactional emails (Klaviyo)

We use Klaviyo to send mandatory order-related communications, including:

  • Order confirmation

  • Shipping and delivery updates

  • Return and refund information

  • Important service-related messages

Klaviyo processes:

  • Name

  • Email address

  • Order and delivery details

  • Technical email activity (delivery, bounce, open status)

Legal basis:
Contract — transactional communications are required to complete your purchase.

Klaviyo acts as a data processor, processing only according to our instructions.

2.4. Marketing and newsletters (Klaviyo)

If you subscribe to receive marketing communications, we collect:

  • Email address

  • Name (optional)

  • Activity data (e.g., which emails you open or click)

Legal basis:
Consent — you may unsubscribe at any time.

2.5. Customer inquiries

When you contact us by email, phone, or web form, we collect:

  • Name

  • Email address

  • Phone number

  • Any information you choose to include in your message

  • Order details (if relevant)

Legal basis:
Legitimate interest — necessary for responding to inquiries and providing customer service.

2.6. Cookies and website analytics

We use cookies and similar technologies to:

  • Operate and secure our website

  • Provide core functionality (such as cart and checkout)

  • Improve user experience

  • Analyze traffic and usage

  • Deliver marketing (with consent)

Legal basis:

  • Legitimate interest for necessary cookies

  • Consent for analytics and marketing cookies, where required

A separate cookie notice/banner is provided on our website.


3.Who We Share Your Data With

We share personal data only with trusted service providers necessary for operating our business.

These include:

  • Adyen N.V. — payment processing (independent controller)

  • Klaviyo Inc. — transactional and marketing emails

  • Logistics and shipping partners

  • IT and hosting providers

  • Ecommerce platform providers

  • Accounting and auditing partners

  • Public authorities when required by law

We do not sell personal data and do not allow third parties to use your data for their own marketing.



4. International Data Transfers

Some of our providers (including Klaviyo) may process data outside the EEA.

Where this occurs, we rely on:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Other GDPR-compliant safeguards.

These ensure an adequate level of data protection.


5. Storage Period

We retain personal data only as long as needed for the purposes for which it was collected.

Examples:

  • Order and transaction data: kept for required accounting periods (normally 5 years)

  • Customer accounts: deleted 6 years after last purchase

  • Guest checkout data: up to 12 months

  • Newsletter data: until you withdraw consent

  • Customer service inquiries: up to 12 months

When data is no longer needed, we delete or anonymize it securely.


6. Your Rights (EU/EEA)

You have the right to:

  • Request access to your personal data

  • Request correction

  • Request deletion

  • Withdraw consent

  • Request restriction of processing

  • Object to processing based on legitimate interests

  • Request data portability

To exercise these rights, contact [email protected].

If you believe your data rights have been violated, you can contact Datatilsynet (Norway) or your local EU authority.


7. Changes to This Policy

We may update this Privacy Policy when our services or legal requirements change. Updated versions will be available on our website.


U.S. Privacy Notice (Applies to U.S. Residents)

This section supplements our Privacy Policy for individuals residing in the United States, in accordance with applicable state privacy laws.

Categories of Personal Information We Collect

We may collect:

  • Identifiers (name, email, address, phone number)

  • Commercial information (transaction and purchase history)

  • Internet activity (pages visited, interactions)

  • Customer service information

  • Delivery-related information

We do not collect sensitive personal information as defined in state laws.


Purposes for Using Personal Information
We use personal information to:

  • Process and deliver orders

  • Handle payments (Adyen)

  • Send transactional emails (Klaviyo)

  • Provide customer service

  • Improve our website and business operations

  • Deliver marketing communications (with your consent or where allowed)

Sale or Sharing of Personal Information
Heymat does not sell personal information.

Heymat does not share personal information for targeted or cross-context behavioral advertising.

Your Privacy Rights (U.S.)
Depending on your state, you may have the right to:

  • Request to know what personal data we have collected

  • Request deletion of your data

  • Request correction

  • Opt-out of:

  • Sale of personal data (we do not sell)

  • Sharing for advertising (we do not share)

  • Request a copy of your personal information

  • Appeal a decision if we decline a request

To submit a request, email [email protected].

We will verify your identity before processing your request.


Non-Discrimination

We do not discriminate against individuals who exercise their privacy rights.