top of page

Privacy Policy

Last updated: [DATE upon publication]

When you contact me, book a session, or attend therapy here, you share information about yourself. I take this responsibility seriously. This policy tells you what information I collect, why, how long I keep it, and what rights you have.

This policy is written in accordance with the EU General Data Protection Regulation (GDPR) and Norwegian data protection law, as well as the Norwegian Health Personnel Act and Patient Records Act where relevant.

  1. Data controller

The data controller for personal data processed in connection with my therapy practice and this website is:

Vegard Nilsen
Sole proprietorship – [organisation number if registered, otherwise remove this line]
Heimdalsgata 14, 0561 Oslo, Norway
Email: vb.nilsen@gmail.com
Phone: +47 950 91 921

You may contact me at any time with questions about how your data is handled.

  1. What personal data I process

I process different types of personal data depending on the context:

When you contact me or book a session: your name, email address, phone number, and whatever you choose to write in your message.

When you attend therapy with me: billing and payment information, and clinical notes from our sessions. Clinical notes constitute health data and are processed with particular care (see section 4).

When you visit the website: technical data such as IP address, browser type, and which pages you visit. This is collected automatically through Wix, the platform the website is built on (see sections 6 and 7).

I do not collect more information than is necessary to do my work well and to meet the requirements that apply to a health service.

  1. Purposes and legal basis

I process your personal data for the following purposes, on the following legal grounds:

To respond to inquiries and schedule sessions. Legal basis: GDPR Article 6(1)(b) – performance of a contract at your request.

To provide therapy and keep clinical records. Legal basis: GDPR Article 9(2)(h) – processing necessary for the provision of health care – in combination with the Norwegian Health Personnel Act sections 39–47 and the Patient Records Act, which require me to keep clinical records.

For invoicing and accounting. Legal basis: GDPR Article 6(1)(c) – legal obligation under the Norwegian Bookkeeping Act.

For operating and improving the website. Legal basis: GDPR Article 6(1)(f) – legitimate interest in maintaining a functioning website – or consent where required (see cookies).

  1. About health data in particular

Health data is a special category of personal data requiring additional protection. In practical terms for my practice:

Clinical notes are stored in [NAME OF RECORDS SYSTEM], a clinical records system designed for health professionals and built to meet Norwegian information security requirements.

The notes are not accessible to anyone other than me. I do not share them with third parties without your explicit written consent, except in situations where I have a statutory duty to disclose – for example in cases of concrete risk to life or health, or where there is a duty to report to child welfare authorities in serious cases.

I am bound by professional confidentiality under section 21 of the Norwegian Health Personnel Act. This obligation continues after the therapeutic relationship has ended.

  1. Retention and deletion

How long I keep information depends on its type:

Inquiries that do not lead to a client relationship: deleted within 6 months of last contact.

Clinical records: retained as long as deemed necessary for your health, normally at least 10 years after last contact, in accordance with the Patient Records Act section 25 and associated regulations.

Invoicing and accounting data: retained for at least 5 years after the end of the accounting year, in accordance with the Norwegian Bookkeeping Act section 13.

Technical website data: retained by Wix according to Wix's own retention policies, typically up to 14 months for analytics data.

Once the retention period expires, data is deleted or anonymised.

  1. Data processors and third parties

To run my practice I use certain services that process personal data on my behalf. These are data processors, and I have entered into data processing agreements with them where required:

Wix.com Ltd. – the platform on which the website, contact form, and booking system are built. Wix's servers are located, among other places, in the EU and the US. Transfers to countries outside the EEA take place under the EU Standard Contractual Clauses (SCC) and the Data Privacy Framework.

[NAME OF RECORDS SYSTEM] – for secure clinical record-keeping.

[EXTERNAL ACCOUNTANT, IF ANY – otherwise remove this line]

Beyond this I do not share personal data with third parties, and I never sell data to anyone.

  1. Cookies

The website uses cookies. Some are necessary for the site to function (for example, to remember your language choice or complete a booking). Others are used for visitor statistics so that I can see which pages are useful.

You can manage cookies through your browser. The first time you visit the site, you will see information about cookies where you can choose what you consent to.

  1. Your rights

As a data subject, you have the following rights under the GDPR:

The right of access to the information I hold about you.
The right to rectification of inaccurate or incomplete data.
The right to erasure in certain cases (limited for clinical records, where retention is required by law).
The right to restriction of processing.
The right to data portability for data you have provided to me.
The right to object to processing based on legitimate interest.

To exercise your rights, please send me an email at vb.nilsen@gmail.com. I normally respond within 30 days.

  1. Security

I have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include encrypted storage of clinical records, strong passwords, two-factor authentication on relevant systems, and a deliberate practice around what I share and where.

Should a personal data breach nonetheless occur, I will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours where required, and notify you directly if the breach is likely to result in a high risk to your rights.

  1. Complaint to the Norwegian Data Protection Authority

If you believe that the processing of your personal data is in breach of data protection law, you have the right to lodge a complaint with the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
postkasse@datatilsynet.no
www.datatilsynet.no

I would appreciate it if you contact me first, so we can see if something can be resolved directly. But your right to complain to the supervisory authority stands regardless.

  1. Changes to this policy

This privacy policy may be updated to reflect changes in practice, services, or legislation. Substantial changes will be communicated via the website. The date of the most recent update appears at the top of this document.

  1. Contact

If you have questions about privacy, or wish to exercise one of your rights, please send me an email:

vb.nilsen@gmail.com
+47 950 91 921

I will respond as soon as I can.

bottom of page