HMS Klar

Privacy policy

Last updated May 20, 2026

HEM, sole proprietorship. Org.nr 924 807 342. Folke Bernadottes vei 6, 0862 Oslo, Norway.

1. Data controller

HEM, a sole proprietorship registered in Norway with organisation number 924 807 342 and business address Folke Bernadottes vei 6, 0862 Oslo, is the data controller for personal data collected through HMS Klar (hmslederkurs.no). HMS Klar is the trading name used for this service.

Privacy inquiries: [email protected].

The service is not directed at children under 16. We do not knowingly process personal data about minors.

2. Data we process

We collect:

  • Name and email (sign-in, certificate, communication).
  • Employer / organisation if provided for the certificate.
  • Course progress, lesson quiz answers, and final test results.
  • Invoice data (amount, buyer, organisation number for business purchases) for bookkeeping.
  • The content of support requests and ticket threads.
  • Technical: IP address, user-agent, attribution tags at checkout (gclid, utm_*, referrer, landing page).
  • Session cookie (hms-session): first-party, strictly necessary for sign-in.

3. Purpose and legal basis

  • Deliver the course and issue the certificate: GDPR art. 6(1)(b) (contract).
  • Bookkeeping and retention of invoice documents for 5 years: art. 6(1)(c) (Bookkeeping Act §13).
  • Prevent fraud, secure the service, measure aggregate usage: art. 6(1)(f) (legitimate interest).
  • Measure the effectiveness of marketing channels via first-party attribution (gclid, utm_*): art. 6(1)(f). We set no third-party cookies without your consent.

4. Storage and deletion

Concrete retention periods:

  • Invoice documents and payment references: 5 years (Bookkeeping Act §13, primary documentation).
  • Certificate data: as long as your user account is active. You can request deletion at any time (the invoice records above persist for the 5-year period).
  • Course progress and quiz answers: as long as the account is active; anonymised on deletion.
  • Support threads: 24 months from the last message.
  • Attribution data (gclid, utm_*): 24 months.
  • Session cookie and sign-in codes: session 30 days rolling, one-time codes 10 minutes.
  • Email logs (delivery status from Resend): 12 months.

If you want your data deleted earlier, email us at [email protected] and we will remove what we can within legal requirements.

5. Processors and recipients

We share personal data with the following categories of providers, only to the extent necessary to deliver the service. A data processing agreement (GDPR art. 28) is in place with each.

  • Stripe: payment processing. Headquartered in the EU (Ireland), data channels in the USA. Transfer basis: Standard Contractual Clauses and the EU-US Data Privacy Framework.
  • Resend: email delivery (transactional and support replies). EU region eu-west-1.
  • Hetzner Online GmbH: server and database hosting. EU (Nürnberg / Falkenstein, Germany).
  • Cloudflare: CDN, edge TLS, and DDoS protection. Global network with EU/USA nodes; transfer basis SCCs and EU-US DPF.
  • Sentry: server-side error monitoring. EU region (Frankfurt). Active when a DSN is configured; until then no error data is sent to Sentry.

We never sell personal data, and do not use it for third-party marketing.

6. Your rights

Under GDPR you have the right to:

  • access the data we hold about you,
  • rectification of inaccurate data,
  • erasure where possible within legal requirements (bookkeeping is an exception),
  • restriction or objection to processing based on legitimate interest,
  • data portability for data you have provided us.

Send requests to [email protected]. We normally respond within 30 days.

7. Right to lodge a complaint with Datatilsynet

You have the right to lodge a complaint about our processing of personal data with Datatilsynet (the Norwegian Data Protection Authority). We encourage you to contact us first at [email protected] so we can try to resolve the matter directly.

8. Automated decision-making

We make no automated decisions or profiling that have legal or similarly significant effects on you. Quizzes and the final knowledge test are scored automatically, but the result is a mechanical count of correct answers, not an evaluation of the person.

9. Cookies

Strictly necessary (always set; the service cannot function without them):

  • hms-session: first-party session cookie that keeps you signed in. Lifetime 30 days rolling. Only set after you sign in.
  • Short-lived technical cookies for CSRF protection and language preference. Lifetime bounded by the session, max 30 days.

Marketing and attribution (only set if you arrive with a tracking parameter in the URL, typically from a Google Ads click):

  • hms-gclid and hms-gclid-type: first-party cookies that store Google's click identifier (gclid, gbraid or wbraid) when present on the landing URL. Lifetime approximately 90 days. Purpose: link a later purchase back to the originating ad so we can measure which campaigns convert. Legal basis: art. 6(1)(f), legitimate interest in measuring marketing performance.
  • utm_* parameters (utm_source, utm_medium, utm_campaign, and similar) are read from the URL at checkout and stored with the order in the database, not in a cookie.

We set no third-party tracking, analytics or advertising cookies, and use neither Google Analytics, Facebook Pixel nor similar tools. All measurement happens on our own server through the cookies listed above.

10. Changes to this policy

We may update this policy when the service or applicable regulations change. The current version is published on this page. Registered users are notified of material changes by email.

11. Contact

For privacy questions, contact us at [email protected]. For other matters: [email protected].