Skip to content
Stift AS

Privacy policy

Last updated: 16 March 2025

1. Data controller

Stift AS is the data controller for the processing of personal data collected and processed via our website, www.stift.no, and in connection with the services we offer our customers.

Contact information for Stift AS:

Stift AS, org. no. 934 059 883 MVA

Postal address: P.O. Box 25, 2151 Årnes, Norway

Email: moritz@stift.no

Mobile: (+47) 90 22 70 00

Contact form: www.stift.no/contact

2. Purpose of the processing

Stift is an authorized company service provider under section 42 of the Anti-Money Laundering Act, specializing in the sale of shelf companies and related services. We process personal data for the following purposes:

  1. Administration and delivery of services:
    1. Carrying out orders (purchase of shelf companies and related services).
    2. Meeting requirements under the Anti-Money Laundering Act (including customer due diligence/KYC).
    3. Invoicing, accounting, and auditing.
    4. Handling other relevant correspondence (email, telephone, chat, etc.).
  2. Contact and communication:
    1. Communication with existing and potential customers, suppliers, or partners.
    2. Follow-up of inquiries, service, and customer support.
  3. Legal obligations:
    1. Fulfilment of statutory requirements, for example storing documentation in accordance with accounting and anti-money-laundering legislation.
    2. Any statutory reporting obligations to relevant authorities.
  4. Marketing:
    1. Sending information about new services or events, to the extent permitted under applicable regulations.
    2. Managing consent to such communications where required, cf. GDPR art. 6(1)(a) and the rules of the Marketing Control Act.

3. Legal basis for the processing

We process personal data on the following legal bases:

  1. Consent (GDPR art. 6(1)(a))
    • Where we explicitly ask for your consent, e.g. for newsletters and marketing.
    • You can withdraw a given consent at any time (cf. article 7(3)).
  2. Performance of a contract (GDPR art. 6(1)(b))
    • Where the processing is necessary to fulfil a contract, or to take steps before entering into a contract, for example processing data in connection with the purchase of shelf companies.
  3. Compliance with legal obligations (GDPR art. 6(1)(c))
    • The Anti-Money Laundering Act imposes various obligations on us related to verifying customers' identity (KYC).
    • The Bookkeeping Act and other accounting legislation require us to store invoices and vouchers.
  4. Legitimate interest (GDPR art. 6(1)(f))
    • The processing may be necessary for purposes related to our business operations, for example answering inquiries, securing IT systems, or following up with customers.
    • In such cases we assess whether our interest in the processing overrides the data subjects' privacy interests.

4. What personal data is processed

The types of personal data we may process include (non-exhaustive):

  • Identity information: Name, national identity number, and any copy of ID if required under the Anti-Money Laundering Act.
  • Contact information: Email address, telephone number, postal address, workplace/company.
  • Customer data: Purchase history, invoicing information, payment details.
  • Correspondence: Email, chat, telephone logs, or other communication related to our customer service.
  • Technical information: IP address, browser information, cookies on the website, and similar, for statistics and operation of the site.

In accordance with the Anti-Money Laundering Act, we may in certain cases obtain additional documentation to confirm identity and beneficial owners, for example a passport copy, certificates of registration, or other confirming documentation.

5. Storage and deletion

We store personal data for as long as necessary for the purposes stated in this policy or as required by other applicable legislation. Examples:

  • Documentation that forms part of our accounting and bookkeeping material is stored in accordance with the retention obligation under accounting legislation (normally 5 years, possibly longer if required).
  • Information obtained under the Anti-Money Laundering Act is stored for as long as the act requires.
  • Correspondence and other information is deleted or anonymized once the purpose of the processing has been fulfilled and there is no longer a legal requirement to retain it.

6. How we share personal data

  1. Internal purposes
    • Access to personal data is limited to employees who need the information to carry out their tasks (the need-to-know principle).
  2. Third parties and subcontractors
    • Auditors, accountants, and other advisers may be granted limited access to personal data when necessary to carry out accounting and auditing tasks.
    • IT suppliers that provide operation of the website, server solutions, or support systems (typically cloud solutions, email services). In such cases we ensure that the supplier commits to processing personal data in accordance with applicable legislation (cf. data processing agreements in line with GDPR art. 28).
    • Banks and payment intermediaries in connection with payment transactions.
    • Other public authorities when required by law, for example reporting requirements to Finanstilsynet or other supervisory bodies, as well as prosecuting authorities or courts upon a legally founded request.
  3. Transfer to third countries (countries outside the EEA)
    • If a need arises to transfer personal data to third countries, we will ensure a lawful basis for the transfer, cf. GDPR chapter V (art. 44–49).
    • In practice we will use the EU Commission's standard data protection clauses or other relevant transfer mechanisms if data is transferred.

7. Your rights

As a data subject you have the following rights under the Personal Data Act and the General Data Protection Regulation:

7.1 Right of access (art. 15)

You have the right to access which personal data we process about you, as well as information about how the data is processed.

7.2 Right to rectification (art. 16)

You may require that incorrect or incomplete information about you is corrected or supplemented.

7.3 Right to erasure (art. 17)

You have the right to have information about you deleted if the conditions in the regulations are met (e.g. when the information is no longer necessary).

7.4 Right to restriction of processing (art. 18)

You may ask us to restrict the processing of your personal data when certain conditions are met.

7.5 Right to data portability (art. 20)

In certain situations you may have the right to receive personal data about you in a structured, commonly used, and machine-readable format, and to have it transferred to another service provider.

7.6 Right to object (art. 21)

You may object to processing based on legitimate interest (cf. GDPR art. 6(1)(f)), and to profiling or direct marketing.

7.7 Right to withdraw consent (art. 7(3))

When the basis for the processing is consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing already carried out.

If you wish to exercise your rights, you can contact us by email, letter, or telephone, cf. the contact information under point 1.

8. Cookies

Our website uses cookies to improve the user experience, deliver relevant services, and collect statistics:

  • Necessary cookies: Used for the website to function (for example login).
  • Analytical cookies: May be used for traffic measurement and usage analysis, e.g. Google Analytics.
  • Functional cookies: Help remember preferences.

You can change/manage the use of cookies in your browser settings. See the guidance for your browser for more information. However, some functions on the website may be limited or not work if you block or delete cookies.

9. Information security

We safeguard the confidentiality, integrity, and availability of personal data using appropriate technical and organizational security measures, cf. GDPR art. 32. This may include:

  • Access control (password routines, access restrictions).
  • Encryption of data traffic (SSL/HTTPS).
  • Backups, firewall, antivirus, and other mechanisms to prevent unauthorized access or leakage.
  • Routines for handling and notifying any breaches of personal data security (cf. art. 33–34).

10. Complaint to the supervisory authority

If you believe our processing of personal data is in breach of applicable privacy legislation, you can contact us for clarification or file a formal complaint with the Norwegian Data Protection Authority (Datatilsynet), cf. GDPR art. 77.

Contact information for Datatilsynet:

Datatilsynet, org. no. 974 761 467

Postal address: Postboks 458 Sentrum, 0105 Oslo, Norway

Email: postkasse@datatilsynet.no

Telephone: (+47) 22 39 69 00

11. Changes to the privacy policy

Updates to the privacy policy may occur. In the event of material changes, we will notify you via our website or other appropriate channels. The updated privacy policy will always be available at www.stift.no/privacy.