Privacy Policy
v1.0 · Last updated: 12 May 2026
1. Controller
Panion Norway AS, with its registered business address at Turistvegen 83, 9020 Tromsdalen, is the data controller for the personal data processed via panion.travel. Contact: hello@panion.travel.
In this Privacy Policy, “Panion” refers to the company. “Panions” (with capital P) refers to individuals or businesses that publish curated activity lists and refer Customers to the Platform in exchange for commission.
2. What personal data we process and why
| Category of data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Name, email, phone | Process and confirm bookings; send booking-related communication | Art. 6(1)(b) — performance of contract |
| Payment information (handled by Stripe; we receive limited transaction data) | Process payment | Art. 6(1)(b) |
| Account/login data for Panions and Activity Providers | Provide platform accounts | Art. 6(1)(b) |
| Bank account details (Panions/Providers) | Pay out commission/settlement | Art. 6(1)(b) and (c) — contract and legal obligations (bookkeeping) |
| IP address, device, usage data | Security, analytics, fraud prevention | Art. 6(1)(f) — legitimate interest |
| Referral identifier (which Panion's link/QR you arrived through), processed via Bókun | Attribute commission to the correct Panion; report sales to Panions | Art. 6(1)(a) — consent (cookie); Art. 6(1)(b)/(f) — performance of contract with the Panion / our legitimate interest in correct commission settlement |
| Approximate location | Show relevant activities | Art. 6(1)(a) — consent |
| Marketing communications (if any) | Send offers and newsletters | Art. 6(1)(a) — consent (cf. markedsføringsloven § 15) |
| Account, transaction and payout data for Providers and Panions | Verify identity, prevent fraud, assess compliance with our Terms, decide on suspension or termination of accounts, and manage withholding or release of funds | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligations (anti-money laundering, tax, accounting); Art. 6(1)(f) — legitimate interest in protecting the Platform, Customers and Panion Norway AS from fraud and misuse |
| Accounting records | Comply with bookkeeping legislation | Art. 6(1)(c) — bokføringsloven |
3. Sources of data
We collect data directly from you when you use the Platform, make a booking, or create an account. We may also receive data from our payment provider (Stripe), from Bókun, and from Panions who refer you.
4. Recipients and processors
We share personal data with the following categories of recipients, all bound by data processing agreements where required (GDPR Art. 28):
- Stripe (payment processing)
- Bókun ehf. (a TripAdvisor company) — booking management and referral/affiliate tracking. Established in Iceland (EEA); may use sub-processors within the TripAdvisor group, including in the United States.
- Google Analytics (statistics) — subject to consent
- Meta Pixel (marketing measurement) — subject to consent
- Cloud hosting providers (e.g. AWS / Vercel / Google Cloud)
- Email service providers (e.g. Mailchimp / SendGrid)
- Customer support / chatbot tools
- Activity Providers — we share only the data necessary to perform the booking (typically name, email, phone, booking details)
- Panions — aggregated/non-identifying booking information and commission reports (generated by Bókun)
- Public authorities where required by law
5. Transfers outside the EEA
Some of our processors are located outside the EEA (typically in the United States). Such transfers are based on the EU Commission’s Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework. You may request a copy of relevant safeguards by contacting hello@panion.travel.
6. Storage period
- Booking and customer service data: kept for as long as necessary to process bookings and handle complaints, typically up to 3 years after the activity.
- Accounting records: 5 years after the end of the financial year (cf. bokføringsloven § 13).
- Marketing data: until you withdraw consent or object.
- Account data for Panions/Providers: until the account is closed, plus a reasonable retention period.
- Documentation related to suspension, termination or withholding decisions: typically 3–5 years, in line with applicable limitation periods.
- Analytics data: anonymised or deleted within 14 months.
7. Your rights (GDPR Art. 15–22)
You have the right to:
- access your personal data,
- have inaccurate data corrected,
- have data deleted (“right to be forgotten”),
- restrict processing,
- object to processing based on legitimate interest,
- data portability,
- withdraw consent at any time (without affecting the lawfulness of prior processing).
To exercise your rights, contact hello@panion.travel.
You may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, www.datatilsynet.no) or the supervisory authority in your EEA country of residence.
8. Security
We use industry-standard technical and organisational measures, including encryption in transit, access controls, and regular security reviews, to protect your data.
9. Changes
We may update this Privacy Policy. The latest version is always available on panion.travel.