The data controller within the meaning of the GDPR (applicable via the EEA Agreement in conjunction with the Norwegian Personal Data Act, Act of 15 June 2018 No. 38) is:
BYOM AS
Skjoldenveien 9
1832 Askim
Norway
Org.nr. 937 698 208
Managing director: Karin Gutenbrunner Byom
Email: karin@byom.com
Phone: +47 473 82 740
BYOM AS has not appointed a Data Protection Officer (DPO), as the conditions set out in Art. 37 GDPR are not met. Questions regarding data protection may be directed to the email address above.
The competent supervisory authority is the Norwegian Data Protection Authority (Datatilsynet), Postboks 458 Sentrum, 0105 Oslo, Norway, www.datatilsynet.no. You have the right to lodge a complaint with Datatilsynet at any time (Art. 77 GDPR). If you are habitually resident in another EEA member state, you may also contact the supervisory authority of that state.
We process personal data only to the extent necessary to provide this website and the related services. We do not sell personal data and do not share it with third parties for advertising purposes.
In the course of counselling and coaching sessions, information relating to mental health and personal life circumstances may arise that qualifies as special categories of personal data within the meaning of Art. 9(1) GDPR. We process such data solely on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.
Scope of consent: Processing of information relating to mental health, personal life circumstances and the content of counselling and coaching sessions with BYOM AS, as well as any handwritten notes made in connection with those sessions.
Characteristics of consent: Consent is voluntary, specific and informed (Art. 4(11) GDPR). It is obtained separately from other contractual terms and documented with a timestamp.
Consequences of withholding consent: If you do not give consent, counselling sessions without note-taking remain possible. Where notes are considered necessary for professionally responsible follow-up, this will be discussed with you in advance.
Withdrawal (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future by contacting us at karin@byom.com. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
This website is hosted by Render Services, Inc. (650 California Street, San Francisco, CA 94108, USA).
When you access the website, Render automatically processes access data, including IP address, date and time of access, URL accessed, HTTP status code and volume of data transferred. This data is recorded in server logs for the purpose of ensuring stable and secure operation of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the uninterrupted operation of the website).
Retention period for server logs: a maximum of 30 days. Render deletes server logs after 30 days at the latest, and sooner depending on the plan.
Third-country transfer: Render is based in the USA. The transfer is based on the adequacy decision of the European Commission of 10 July 2023 on the EU-US Data Privacy Framework (Art. 45 GDPR). Render has been certified under the EU-US Data Privacy Framework since 6 January 2025 (source: render.com/changelog).
This website provides a contact form. When you use it, we collect the following data:
The data you enter is processed via a server-side function (Supabase Edge Function), stored in the project database and forwarded to karin@byom.com via the email delivery service Brevo. Internally, the source page of the enquiry is also stored to allow incoming messages to be attributed correctly.
Purpose: processing your enquiry and getting back in touch with you.
Legal basis: Art. 6(1)(b) GDPR where your enquiry relates to the conclusion of a contract. In all other cases, Art. 6(1)(f) GDPR (legitimate interest in processing incoming enquiries).
Retention: Your data will be deleted no later than 12 months after your enquiry has been fully processed, unless statutory retention obligations apply. Note: automated deletion is not yet technically implemented. Implementation is planned.
Supabase, Inc. (550 Union Street, San Francisco, CA 94133, USA) operates the project backend (database and edge functions) as a data processor within the meaning of Art. 28 GDPR. Data is stored in the North EU region (Stockholm, Sweden), that is, within the EU/EEA. No third-country transfer of the contact form data therefore takes place.
Brevo (Sendinblue SA), 7 rue de Madrid, 75008 Paris, France, processes outgoing emails as a data processor. Brevo is based in the EU. No third-country transfer takes place.
Fiken AS, Tordenskiolds gate 2, 0160 Oslo, Norway, processes billing and accounting data as a data processor. Fiken AS is a Norwegian company. Processing takes place in Norway within the EEA. No third-country transfer takes place. Legal basis: Art. 6(1)(c) GDPR in conjunction with statutory retention obligations (Norwegian Accounting Act, Bokføringsloven, Act 2004-11-19 No. 73, § 13(2)).
For email communication with clients, Google Workspace is used. The provider for users in the EEA is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acting as a data processor under a concluded data processing agreement. Google Ireland Limited may transfer data to Google LLC (USA). Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR). Legal basis: Art. 6(1)(b) and (f) GDPR.
This website embeds Google Calendar Appointment Scheduling for booking. Video sessions are conducted via Google Meet. When you book an appointment, you enter data (at minimum name and email address, and optionally a note) directly into the Google booking form. This data is processed by Google Ireland Limited.
Provider for users in the EEA: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited processes booking data as an independent data controller. Google's privacy policy applies: policies.google.com/privacy.
Third-country transfer: Google Ireland Limited may transfer data to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The transfer is based on standard contractual clauses (Art. 46(2)(c) GDPR). Google LLC is also certified under the EU-US Data Privacy Framework (Art. 45 GDPR).
Legal basis for the embedding: Art. 6(1)(f) GDPR (legitimate interest in functional appointment management).
A password-protected private area provides access to internal tools. These are accessible only to logged-in users. For the operation of these tools, login and usage data are processed via Supabase, Inc. (see section 5). Sessions are managed via technically necessary cookies (see section 8).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR for the technical provision of the service.
This website uses only technically necessary cookies and browser storage. A cookie consent banner is therefore not required.
The website stores your selected display language as the value byom-lang in your browser's localStorage. This value contains no personal data, is stored exclusively in your browser and is not transmitted to any server. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in user-friendly language management). No consent is required.
When you log in to the private area, Supabase sets cookies with the prefix sb-. The access token cookie has a validity of 1 hour (3,600 seconds). The session is maintained via a refresh token and expires on active logout or on token expiry. These cookies are technically necessary for the operation of the logged-in area and are not set without your active login.
Analytics, tracking, advertising cookies or similar technologies are not used on this website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical operation of the logged-in area).
BYOM AS implements technical and organisational measures to protect personal data in accordance with Art. 32 GDPR. Data is transmitted between your browser and the servers in encrypted form (TLS/HTTPS). In the event of a personal data breach, we will notify Datatilsynet within 72 hours where the breach is likely to result in a risk to affected persons (Art. 33 GDPR). Affected persons will be notified without undue delay where a high risk exists (Art. 34 GDPR).
Under the GDPR, you have the following rights:
We will comply with an objection unless we can demonstrate compelling legitimate grounds for the processing that override your interests.
To exercise your rights, please contact: karin@byom.com. We will respond within 30 days (Art. 12(3) GDPR).
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority (Art. 77 GDPR): Datatilsynet, Postboks 458 Sentrum, 0105 Oslo, Norway, www.datatilsynet.no. If you are habitually resident in another EEA member state, you may also contact the authority of that state.
This privacy policy is effective from 29 June 2026. We reserve the right to update it when the processing of data or the legal framework changes. The current version is always available on this page.