Privacy Policy
Last Updated: 22 April 2026
1. Data Controller
The data controller for the processing described in this policy is:
Disqnect AS has not appointed a Data Protection Officer (DPO) as our core activities do not require one under GDPR Art. 37. For all privacy-related enquiries, contact us at the email above.
2. What We Collect and Why
We collect and process personal data for specific purposes, each with a defined legal basis under GDPR Art. 6(1):
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email, shipping & billing address | Process and fulfil your order, send shipping updates | Art. 6(1)(b) — Contract performance |
| Payment information | Process payment (via Stripe — we never see your card details) | Art. 6(1)(b) — Contract performance |
| Email address (marketing) | Send product updates and marketing (only if you opt in) | Art. 6(1)(a) — Consent |
| Support correspondence | Provide customer support | Art. 6(1)(b) — Contract performance |
| Device diagnostics, error logs, crash reports | Improve product reliability and fix issues | Art. 6(1)(f) — Legitimate interest (product improvement) |
| IP address, browser type, pages visited | Website analytics and security | Art. 6(1)(f) — Legitimate interest (service operation) |
| Order and transaction records | Tax and accounting compliance (bokforingsloven § 13) | Art. 6(1)(c) — Legal obligation |
Legitimate interest balancing: Where we rely on legitimate interest, we have assessed that our interest in product improvement and service operation does not override your rights and freedoms. Device diagnostics are limited to technical performance data and do not include personal assessment data or content. You may object to processing based on legitimate interest at any time (see Section 7).
Is providing data required? Providing your name, address, and payment information is necessary to fulfil your order. If you do not provide this data, we cannot process your purchase. Marketing consent is entirely optional and does not affect your purchase or use of the Product.
3. Data Captured by the Device (Art. 14)
The qEY device has RF, NFC, WiFi, and network scanning capabilities. During security assessments, it may capture data from the surrounding environment, including device identifiers (MAC addresses, NFC UIDs), network identifiers (SSIDs), and signal data from third-party devices.
You, the device operator, are the data controller for any personal data captured during your security assessments. Disqnect does not receive, process, or store this data unless you transmit it through the Q platform.
It is your responsibility to ensure lawful basis for any data capture (e.g., written authorisation from the network or system owner), to limit data collection to what is necessary, and to comply with GDPR and applicable data protection laws for any personal data your assessments produce.
Where assessment data is transmitted through Q, Disqnect processes it on your behalf as a data processor under GDPR Art. 28. Business customers requiring a Data Processing Agreement (DPA) may request one at theis@disqnect.com.
4. Data Retention
| Data Category | Retention Period |
|---|---|
| Order and transaction records | 7 years from transaction date (Norwegian bokforingsloven § 13) |
| Customer support correspondence | 3 years after last interaction |
| Marketing contact information | Until consent is withdrawn, or 3 years of inactivity, whichever is sooner |
| Device diagnostics and error logs | 24 months from collection, then deleted |
| Website analytics | 14 months |
| Assessment data processed through Q | Retained while your account is active; deleted within 90 days of account closure or upon request |
5. Who We Share Data With
We do not sell your personal data. We share data only with:
- Stripe Inc. — payment processing (US, EU-US Data Privacy Framework certified)
- DHL / shipping carriers — order delivery (name and shipping address only)
- Hosting providers — infrastructure services (EU-based servers, Standard Contractual Clauses where applicable)
- Law enforcement or regulatory authorities — only when required by law or valid legal process
All third-party service providers process data under data processing agreements and are bound by confidentiality obligations.
6. International Data Transfers
Your data may be transferred outside the EEA:
- United States (Stripe) — Stripe is certified under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Standard Contractual Clauses (SCCs) are also in place as a supplementary safeguard.
You may request a copy of the safeguards we use for international transfers by contacting us at theis@disqnect.com.
7. Your Rights
Under GDPR and Norwegian personopplysningsloven, you have the right to:
- Access — request a copy of your personal data (Art. 15)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure — request deletion of your data where applicable (Art. 17)
- Restrict processing — limit how we use your data in certain circumstances (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object — object to processing based on legitimate interest; we will stop unless we demonstrate compelling legitimate grounds (Art. 21)
- Withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3))
To exercise any of these rights, contact theis@disqnect.com. We will respond within 30 days.
Right to lodge a complaint: You have the right to lodge a complaint with the Norwegian Data Protection Authority:
8. Cookies
Our website uses cookies — small text files stored on your device. We use:
- Strictly necessary cookies — required for the website to function (e.g., session management, shopping cart). No consent required.
- Analytics cookies — help us understand how visitors use the site. Only placed with your consent.
We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings. Disabling strictly necessary cookies may affect website functionality.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, access controls, and regular security reviews. No method of transmission or storage is 100% secure, but we take reasonable steps to protect your information.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
11. Children
Our products are intended for persons aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we learn that we have collected data from a person under 18, we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or prominent notice on our website. The "Last Updated" date at the top reflects the most recent revision. Continued use of our services after changes does not constitute consent to new processing activities — where consent is required, we will seek it separately.
13. Contact
For privacy enquiries, data subject requests, or to exercise your rights: