Main content

Privacy Policy

1. Who we are

This privacy policy describes how Devold of Norway processes personal data about you when you visit devold.com, place an order in our online store, create a customer account, sign up for our newsletter, join our membership programme, or otherwise interact with us online.

This English-language policy applies to customers across all of Devold's online markets — Norway, Sweden, Denmark, Finland, Germany and Austria — who view our site in English. Localised versions are available in Norwegian Bokmål, Swedish, Danish and German. Country-specific information — including the relevant data protection supervisory authority, applicable local marketing-law conditions, and statutory accounting-retention periods — is set out in section 10 (Country annexes).

Data controller

Devold Retail AS Org. no. 975 984 184 O.A. Devold-vegen 16, 6030 Langevåg, Norway Telephone: +47 70 19 77 00

Contact for privacy inquiries: post@devold.no

For order-related questions, you can also reach our customer service team at webshop@devold.no.

2. Scope of this policy

This policy applies to personal data we process through our online operations on devold.com, including the online store, customer accounts, the newsletter, the membership programme, customer service inquiries received online, and our digital marketing activities.

Separate privacy notices apply to:

  • Processing in our physical retail stores (including our brand store in Oslo and our outlet stores in Langevåg, Valldal, Vestby, Stavanger, Hellesylt and Dyrkorn) and at events;
  • Processing in connection with employment and job applications;
  • Processing carried out by separate Devold-branded sites operated under different legal frameworks (e.g., Devold Protection).

3. The personal data we process, why, and on what legal basis

We process different categories of personal data depending on how you interact with us. This section describes the main processing activities, the categories of data involved, the purposes, and the legal basis under Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

3.1 When you visit devold.com

What we process: technical information about your device and browser (IP address, browser type and version, operating system, screen size, language), pages viewed, navigation patterns, referring URL, and timestamps. We also process cookie identifiers and similar tracking technology identifiers — see section 4 below. When you use the site's search bar, view product listings, or are shown product recommendations, we additionally process your search queries, the products you click and the actions you take on them (such as "added to cart" or "purchased"), together with a pseudonymous user identifier; this is done through our search and recommendation provider Algolia (see section 5.1).

Why we process it:

  • to operate, secure and stabilise the website (legitimate interest);
  • to detect, prevent and respond to attacks, fraud and abuse (legitimate interest);
  • to provide site search, merchandising of category and search-result pages, and "you may also like" / "frequently bought together" product recommendations (legitimate interest in offering relevant and efficient navigation, where this does not rely on profiling cookies; otherwise consent);
  • to measure reach, analyse visitor behaviour, optimise content, and personalise marketing (consent).

Legal basis:

  • Art. 6(1)(f) GDPR — legitimate interest in operating and securing our website — for the strictly necessary technical operation;
  • Art. 6(1)(a) GDPR — your consent, given via the cookie banner — for analytics, marketing measurement, advertising and retargeting cookies and similar technologies. You can withdraw your consent at any time via the cookie preference centre in the website footer.

Retention: technical log data is retained for up to 12 months. Analytics and marketing data is retained for the period specified in our cookie information (see section 4).

3.2 When you place an order in the online store

What we process: your name, delivery and billing addresses, email address, telephone number, order details (products, prices, options, delivery preferences), payment-method identifier (we do not store full card data), order history, communications related to your order, and the IP address from which the order is placed.

Why we process it:

  • to accept and fulfil your order, including processing payment, arranging delivery, handling returns, complaints and warranty claims;
  • to communicate with you about your order (order confirmations, shipping notices, customer service);
  • to comply with our legal obligations under bookkeeping, tax, consumer-protection and product-safety law;
  • to detect and prevent payment fraud.

Legal basis:

  • Art. 6(1)(b) GDPR — performance of the sales contract — for fulfilling your order and managing the customer relationship;
  • Art. 6(1)(c) GDPR — compliance with a legal obligation — for bookkeeping, tax retention, warranty law and consumer-protection law;
  • Art. 6(1)(f) GDPR — legitimate interest in preventing fraud and securing payment — for fraud screening.

Retention: non-accounting elements of your order data are kept for up to 3 years following your last order, after which they are deleted or anonymised. Accounting records are retained for the period required by the local bookkeeping and tax law applicable to your order (see section 10 — Country annexes). Warranty-relevant data is retained for the period of the applicable warranty plus the relevant limitation period for consumer claims.

3.3 When you create or use a customer account

What we process: your email address, password (stored as a salted hash — we never see your plaintext password), name, contact details, order history, account preferences, returns history, and saved addresses.

Why we process it:

  • to provide and operate your account, including login, password reset, order history, and saved-data features;
  • to enable you to exercise your data subject rights through self-service tools where available;
  • to keep your account secure (e.g., detecting suspicious login attempts).

Legal basis:

  • Art. 6(1)(b) GDPR — performance of the account terms — for providing the account;
  • Art. 6(1)(f) GDPR — legitimate interest in account security and abuse prevention.

Retention: account data is retained for as long as your account is active. If your account has been inactive (no logins and no orders) for more than 24 months, we may close it after notifying you, and your account data will be deleted or anonymised, except where retention is required for compliance with legal obligations (e.g., accounting records).

3.4 When you sign up for our newsletter

What we process: your email address, your name (optional), your country/locale, your stated product interests (optional), and your interactions with our newsletter (open rate, click-through, click timing, dwell time — collected pseudonymously to measure performance).

Why we process it:

  • to send you our newsletter with information about our products, collections, campaigns, sustainability work, and events;
  • to personalise the content of the newsletter based on your stated preferences and your interactions with our communications;
  • to measure newsletter performance and optimise our content.

Legal basis:

  • Art. 6(1)(a) GDPR — your consent, given when you sign up using a double opt-in procedure (you receive a confirmation email and your subscription is only activated after you click the verification link);
  • For the pseudonymous analytics on newsletter performance: Art. 6(1)(f) GDPR — our legitimate interest in measuring and improving our newsletter.

How to withdraw consent: every newsletter we send includes a one-click unsubscribe link. You can also email post@devold.no to unsubscribe. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Retention: we retain your subscription data until you unsubscribe. After unsubscribe, we move your email address to a suppression list (so we do not accidentally re-add you), which we retain for as long as we operate the newsletter programme.

3.5 When you join our membership programme

What we process: the data you provide when joining (name, email, telephone number, date of birth, country, optional preferences), your order history and product preferences within the programme, your earned status/points/rewards, and your interaction history with programme communications.

Note on Norwegian personal identification numbers (fødselsnummer): Devold does not collect Norwegian personal identification numbers from members.

Why we process it:

  • to operate the membership programme, calculate rewards and benefits, and communicate programme-related information;
  • to send you personalised marketing communications about Devold products and offers;
  • to analyse member behaviour to improve the programme.

Legal basis:

  • Art. 6(1)(b) GDPR — performance of the membership terms — for the operation of the programme itself;
  • Art. 6(1)(a) GDPR — your consent, given when you join the programme — for personalised marketing within the programme. You can withdraw your consent at any time by ending your membership or by using the unsubscribe link in our communications;
  • Art. 6(1)(f) GDPR — our legitimate interest in analysing programme performance and detecting misuse.

Retention: we retain your member data for the duration of your membership. If you have not been active in the programme (no logins, no orders, no engagement with member communications) for 36 months, we may close your membership after notifying you, and your member data will be deleted or anonymised, subject to longer retention required by law.

3.6 When you contact our customer service

What we process: the contents of your message (email, contact form, social media direct message, or telephone call), your name and contact details, and any other information you choose to share. If you call us, your telephone number may be retained automatically by our telephony system for a short period (see retention below).

Why we process it:

  • to respond to your inquiry, answer your questions, and resolve any issues;
  • to handle complaints, returns and warranty claims;
  • to improve our customer service operations.

Legal basis:

  • Art. 6(1)(b) GDPR — performance of a contract (or pre-contractual steps) — where your inquiry relates to an order or potential order;
  • Art. 6(1)(f) GDPR — our legitimate interest in operating an efficient customer service function — for general inquiries.

Retention: customer service correspondence is retained for up to 3 years from the date of the last communication, after which it is deleted unless legal-hold or warranty rules require longer retention. Telephony metadata (incoming caller numbers) is retained for up to 2 months.

3.7 When you write a product review or participate in a competition

Product reviews: if you submit a product review, we share your order data with Lipscore (our review platform — see section 5) so that Lipscore can invite you to review your purchase. The review you write is published with the name or pseudonym you choose. The legal basis is Art. 6(1)(f) GDPR — our legitimate interest in collecting authentic customer feedback. You can request deletion of your review at any time.

Competitions: we run competitions and giveaways, including on our social media channels (Facebook, Instagram). When you enter a competition we process the data you provide to enter, contact winners, and ship prizes.

The legal basis is Art. 6(1)(b) GDPR — performance of the competition terms — for participation, and Art. 6(1)(a) GDPR — your consent — for any optional marketing communications associated with the entry.

When you enter a competition through Meta-operated platforms (Facebook, Instagram), Meta Platforms Ireland Ltd. collects and processes entry data through its own tools. For data collected jointly by us and Meta in this context, we act as joint controllers with Meta under Art. 26 GDPR. Meta is responsible for providing you with information about its own processing under its privacy policy; you can exercise your rights against either of us.

4. Cookies and similar technologies

Devold.com uses cookies, pixels, tags, local storage and similar technologies. Some are strictly necessary for the website to function (e.g., the shopping cart, language preference, fraud detection); others require your consent under the ePrivacy laws applicable in your country (see section 10).

Our cookie banner appears on your first visit and asks for your consent before non-essential cookies and trackers are set. You can revisit and change your preferences at any time via the "Cookie preferences" link in the website footer.

Full details of the cookies we use — including their purposes, the third parties that may set them, the data they collect, and their retention periods — are available in our separate Cookie Policy, accessible from the website footer.

5. Who we share your data with

We share your personal data with the following categories of recipients, and only to the extent necessary for the purposes described in section 3:

5.1 Our processors (service providers acting on our instructions)

The processors below act on our behalf and are contractually bound by data processing agreements compliant with Art. 28 GDPR:

Netlify, Inc. — Front-end hosting and content delivery network (CDN). Location: EU-based primary edge with US headquarters. Netlify, Inc. is an active participant in the EU-U.S. Data Privacy Framework (DPF) and the UK Extension. Transfers to the US are made under the DPF, supported by EU Standard Contractual Clauses as backstop.

New Black AB (EVA) — E-commerce platform. Location: EU (Sweden). EVA is the e-commerce platform powering devold.com, provided by New Black AB.

Sanity — Content management system (CMS) and content delivery. Location: EU.

Algolia SAS (Paris, France) — On-site search, search-result merchandising and product recommendations (e.g., "you may also like", "frequently bought together"). Location: EU (Frankfurt cluster). Algolia SAS is the EU-headquartered contracting entity; Algolia, Inc. (US) provides infrastructure and support. We send Algolia search queries, click/conversion events on search results and product listings, a pseudonymous user identifier, and the visitor's IP address (used by Algolia for routing, anti-abuse and approximate geolocation of results). Algolia acts as our processor under Art. 28 GDPR. Remote US-based support access is covered by Algolia's Data Processing Addendum, the EU Standard Contractual Clauses (Decision (EU) 2021/914), and supplementary measures.

ITX — Customer service ticketing. Location: EU.

Voyado AB — Membership programme operations and email marketing. Location: EU (Stockholm).

Adyen N.V. — Payment processing (cards and certain alternative methods). Location: EU (Amsterdam). Adyen handles full card data; Devold never stores full card numbers.

Logistra AS — Shipping integration platform (carrier routing and shipping label generation). Location: EU (Norway). Sits between Devold's order system and the physical carriers; routes shipments and produces shipping labels.

DHL — Shipping and delivery. Location: EU/EEA (with onward transfer for international shipments).

Element Logic — Implementation and integration of Autostore / EWMS warehouse management. Location: EU (Norway).

Columbus Norway — Implementation and integration of Microsoft Dynamics 365 / AX (ERP). Location: EU (Norway).

Lipscore AS — Product review platform. Location: EU (Norway).

Outtra — "Buy local" widget functionality. Location: EU.

Google Ireland Ltd. (Google Analytics, Google Tag Manager, Google Ads) — Web analytics, tag management, advertising. Location: EU primary, with onward transfer to Google LLC (US). Transfers to the US are made on the basis of the EU-U.S. Data Privacy Framework (Google LLC is a participant) and supplementary EU Standard Contractual Clauses. We will update this policy if the Data Privacy Framework is invalidated.

Meta Platforms Ireland Ltd. (Facebook Pixel, Instagram, Custom Audiences) — Advertising, retargeting, audience matching. Location: EU primary, with onward transfer to Meta Platforms, Inc. (US). Same DPF + SCC basis as Google. Consent-based.

5.2 Independent controllers we share data with

These recipients act as independent data controllers for the data we share with them — they decide independently how that data is processed once they receive it:

  • Klarna Bank AB (Sweden) — if you choose to pay with Klarna's "Pay later" or other Klarna-financed methods, you are redirected to Klarna's environment. Klarna processes your data as a separate controller in accordance with Klarna's own privacy policy. We share the order amount, currency, your email and a transaction identifier with Klarna; Klarna decides on credit assessment, fraud screening and credit reporting under its own legal bases (typically Art. 6(1)(b) and Art. 6(1)(f) GDPR for Klarna).
  • Payment-card networks and your card issuer — when you pay by card, the card networks (Visa, Mastercard, etc.) and your issuing bank receive transaction details necessary to authorise and settle the transaction.
  • Social media platforms when you engage with us through them — Meta (Facebook, Instagram), TikTok, YouTube and Pinterest each operate as independent controllers (and, in some cases, joint controllers with us under Art. 26 GDPR) for data collected through their platforms. Their respective privacy policies apply to that processing.

5.3 Group companies

We are part of the Fenix Outdoor group. To the extent permitted under data protection law, we may share your personal data with other group companies for purposes such as group-level customer relationship management, group marketing analytics, the operation of the membership programme, and the provision of shared services (e.g., logistics, customer service support). Where any such sharing involves joint controllership under Art. 26 GDPR, a summary of the joint controller arrangement and the contact point for exercising your rights is available on request from post@devold.no.

5.4 Authorities and other legitimate disclosures

We may disclose your personal data to public authorities (tax authorities, courts, police, supervisory authorities) when required by law, in response to a valid legal request, or where necessary to establish, exercise or defend legal claims. We may also disclose data to our professional advisers (lawyers, auditors, accountants) under appropriate confidentiality protections.

6. International data transfers

Our default position is that personal data is processed within the European Economic Area (EEA). However, some of the processors and recipients listed in section 5 are established, or have parent companies established, in countries outside the EEA — principally the United States.

Where personal data is transferred outside the EEA, we rely on one of the following legal mechanisms under Chapter V GDPR:

  • Adequacy decisions (Art. 45 GDPR): for transfers to countries the European Commission has determined provide an adequate level of data protection. The current list is at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. In particular, transfers to the United States are made to organisations certified under the EU-U.S. Data Privacy Framework (DPF) — which the European Commission designated as adequate on 10 July 2023 — where the receiving organisation is a DPF participant.
  • Appropriate safeguards (Art. 46 GDPR): where no adequacy decision applies (or in addition to it), we rely on the European Commission's Standard Contractual Clauses (SCCs) — Decision (EU) 2021/914 — together with supplementary technical, contractual and organisational measures as required by the Schrems II judgment of the Court of Justice of the European Union (CJEU Case C-311/18).
  • Derogations (Art. 49 GDPR): in limited circumstances — for example, where a transfer is necessary for the performance of a contract concluded in your interest (Art. 49(1)(b)) or where you have given explicit consent to the transfer (Art. 49(1)(a)).

You can request a copy of the safeguards we have in place for any specific transfer by emailing post@devold.no.

7. Your rights

Subject to the conditions and limitations set out in the GDPR, you have the following rights in relation to your personal data:

  • Access (Art. 15 GDPR) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data together with information about how we process it.
  • Rectification (Art. 16 GDPR) — to have inaccurate personal data corrected and incomplete data completed.
  • Erasure / "right to be forgotten" (Art. 17 GDPR) — to have your personal data deleted in certain circumstances (e.g., where the data is no longer needed for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis).
  • Restriction of processing (Art. 18 GDPR) — to have processing limited in certain circumstances (e.g., while we verify the accuracy of disputed data).
  • Data portability (Art. 20 GDPR) — to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Objection (Art. 21 GDPR) — to object to processing based on our legitimate interests (Art. 6(1)(f) GDPR), including profiling, on grounds relating to your particular situation. You may also object at any time to processing of your personal data for direct marketing purposes — there are no specific grounds required for that objection, and we will stop processing your data for direct marketing on receipt of your objection.
  • Withdraw consent (Art. 7(3) GDPR) — to withdraw, at any time, any consent you have given us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR) — see section 10 for the relevant supervisory authority in your country.
  • Not be subject to a decision based solely on automated processing (Art. 22 GDPR) — including profiling — that produces legal effects concerning you or similarly significantly affects you. We do not currently make any decisions about you based solely on automated processing that produce such effects.

How to exercise your rights: email post@devold.no with your request. We will respond within one month of receipt (Art. 12(3) GDPR). Where requests are complex or numerous, we may extend that period by a further two months and will inform you of any extension within the first month, along with the reasons for the delay.

We may need to verify your identity before responding, particularly where the request is sensitive or where we have reasonable doubts about who is making the request. We will request the minimum identification data necessary and explain why.

There is no fee for exercising your rights. However, where a request is manifestly unfounded or excessive — in particular because of its repetitive character — we may charge a reasonable fee or refuse to act on the request, in accordance with Art. 12(5) GDPR.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These measures include encryption of data in transit (TLS), encryption of sensitive data at rest, access controls based on least-privilege principles, logging and monitoring, vendor security assessments, and staff training. We never store full card numbers — all card data is transmitted directly to and stored with our PCI-DSS-certified payment provider, Adyen.

In the event of a personal data breach, we will notify the supervisory authority within 72 hours where required under Art. 33 GDPR, and we will notify you directly where the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR).

9. Children

devold.com is not directed at children. We do not knowingly collect personal data from children, and the minimum age for creating a customer account or joining our membership programme is 18 years. Customers who wish to purchase Devold children's products on behalf of a child should do so through their own adult account.

If you believe we have collected personal data from a child under 18, please contact us at post@devold.no and we will delete that data.

10. Country annexes — supervisory authorities and local marketing rules

This section provides country-specific information for our customers in each market.

10.1 Norway

Supervisory authority: Datatilsynet, Postboks 458 Sentrum, 0105 Oslo. https://www.datatilsynet.no/ — Tel. +47 22 39 69 00.

Marketing to existing customers (soft opt-in): Section 15 of the Norwegian Marketing Control Act (markedsføringsloven) permits electronic direct marketing to existing customers for similar goods or services without prior consent, provided you were given a clear and free opportunity to opt out at the time your contact details were collected, and an opt-out is offered in every subsequent message.

Bookkeeping retention: five years from the end of the accounting year (bokføringsloven § 13).

10.2 Sweden

Supervisory authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm. https://www.imy.se/ — Tel. +46 8 657 61 00.

Marketing to existing customers (soft opt-in): Section 19 of the Swedish Marketing Act (marknadsföringslagen) permits electronic direct marketing to existing customers for similar goods or services without prior consent, subject to the same opt-out conditions as Norway.

Bookkeeping retention: seven years from the end of the accounting year (bokföringslagen 7 kap. 2 §).

10.3 Denmark

Supervisory authority: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby. https://www.datatilsynet.dk/ — Tel. +45 33 19 32 00. Email: dt@datatilsynet.dk.

Marketing to existing customers (soft opt-in): Section 10(2) of the Danish Marketing Practices Act (markedsføringsloven) permits electronic direct marketing of similar own products to existing customers without prior consent, subject to the standard opt-out conditions.

Bookkeeping retention: five years from the end of the financial year (bogføringsloven § 12).

10.4 Finland

Supervisory authority: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman), PL 800, 00531 Helsinki. https://tietosuoja.fi/ — Tel. +358 29 56 66700.

Marketing to existing customers (soft opt-in): § 200 of the Information Society Code (laki sähköisen viestinnän palveluista) permits electronic direct marketing of similar products to existing customers without prior consent, subject to the standard opt-out conditions.

Bookkeeping retention: six years from the end of the accounting year (kirjanpitolaki 2:10 §).

Language note: This policy is provided in English for customers in Finland. If you would prefer to receive assistance in Finnish or Swedish, please contact us at post@devold.no.

10.5 Germany

Supervisory authority: the federal Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). The relevant authority for a complaint by a German resident is typically the Landes-Datenschutzbeauftragter of the federal state where the data subject resides. As Devold's lead supervisory authority under the GDPR one-stop-shop is Datatilsynet (Norway), complaints from German residents may be lodged with either Datatilsynet or the local Landes-DPA.

Marketing to existing customers (soft opt-in): § 7(3) of the German Unfair Competition Act (UWG) permits email marketing to existing customers for similar own products without prior consent, subject to specific conditions: the customer must have provided the email address in connection with a sale, must not have objected to the use of the address for advertising, and must be clearly informed of the right to object at the time of collection and in every subsequent message.

Bookkeeping retention: ten years from the end of the financial year for invoices and accounting records (§ 257 HGB / § 147 AO); six years for commercial correspondence.

Cookies and tracking: § 25 of the German Telecommunications Telemedia Data Protection Act (TDDDG, formerly TTDSG) requires consent for any access to or storage of information on a user's device that is not strictly necessary.

10.6 Austria

Supervisory authority: Datenschutzbehörde (DSB), Barichgasse 40-42, 1030 Wien. https://www.dsb.gv.at/ — Tel. +43 1 52 152-0. Email: dsb@dsb.gv.at.

Marketing to existing customers (soft opt-in): § 174(4) of the Austrian Telecommunications Act 2021 (TKG 2021) permits electronic direct marketing to existing customers for similar products without prior consent, subject to the standard opt-out conditions, provided the customer is not on the "Robinson list" maintained by the regulator (RTR).

Bookkeeping retention: seven years from the end of the financial year (§ 132 BAO / § 212 UGB).

Cookies and tracking: § 165(3) of the Austrian Telecommunications Act 2021 requires consent for cookies and similar technologies that are not strictly necessary.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

  • post the updated policy on devold.com with a new "Last updated" date;
  • where you have given us your contact details (e.g., as a customer, newsletter subscriber, or programme member), we will notify you of the change in advance, where the change is likely to materially affect you.

Last updated: 26 May 2026