Privacy Policy
Last updated: 14 July 2026
1. Who is the controller
Bokable is a product of Destination AS. Destination AS is the data controller for the personal data this policy covers.
- Company: Destination AS
- Organisation number: 921 817 320
- Address: Malurtveien 8, 1369 Stabekk, Norway
- Email: [email protected]
We are not required to appoint a data protection officer under GDPR Article 37, and have not appointed one. Privacy enquiries go to the address above.
2. What this policy covers
This policy separates two things, because our role is not the same in each:
- This website (bokable.com). Here Destination AS is the controller. Sections 3 to 6 are about this.
- The Bokable platform — the product our customers log in to. There, the customer is normally the controller for guest and booking data, and Destination AS is the processor. Section 7 covers this, and the GDPR page goes into the roles in more detail.
3. Cookies
This website uses no cookies. We store nothing on your device and read nothing from it. Concretely, the site:
- sets no cookies, first-party or third-party
- uses no localStorage, sessionStorage or similar storage
- runs no analytics — no Google Analytics, no Meta pixel, no tracking of any kind
- loads no fonts, scripts or other content from third-party servers. The fonts are served from our own server, and our content security policy blocks external origins
Section 3-15 of the Norwegian Electronic Communications Act (ekomloven), in force since 1 January 2025, requires consent before anyone stores information on, or gains access to information in, your terminal equipment. That consent must meet the standard set by the GDPR. This site does neither of those things, so there is nothing to consent to. That is why you are not met with a consent banner — not because we skipped it, but because there is nothing to ask about.
If we later introduce cookies or other tracking that is not strictly necessary to deliver the service, we will ask for consent first. Refusing will be as easy as accepting, and you will be able to withdraw consent as easily as you gave it.
4. Server logs
The web server that delivers bokable.com keeps an operational log, as any web server does. It records the visitor's IP address, the time, the address requested, the status code and the browser's user agent. An IP address counts as personal data.
- Purpose: to operate and secure the site, and to detect faults and abuse
- Legal basis: legitimate interests, GDPR Article 6(1)(f). The interest is keeping the site up and safe, and we consider it not to override your privacy, since the log is never used to profile or recognise you
- Retention: logs are kept no longer than is necessary to operate and secure the site. They are written to the hosting platform the site runs on, and retention follows that platform's routines. We have therefore not fixed a period in days — but if you want to know what applies right now, ask and we will tell you
The logs are not used for marketing, are not combined with other data about you, and are not used to recognise you from one visit to the next.
5. The contact form
Our contact form sends nothing to us on its own. When you press send, your browser opens your own email client with a message already filled in. Nothing leaves your machine until you choose to send that email yourself. The form stores nothing, and what you type never passes through a server of ours on the way.
If you do send the email, we receive what you filled in: name, email address, phone number, company name, property type, number of units and your message.
- Purpose: to answer your enquiry and, where relevant, prepare an agreement
- Legal basis: steps taken at your request prior to entering a contract, GDPR Article 6(1)(b). Where the enquiry is not about a possible customer relationship, the basis is our legitimate interest in responding to enquiries, Article 6(1)(f)
- Retention: enquiries that do not lead to a customer relationship are deleted no later than 12 months after the last contact. If you become a customer, the data follows the customer relationship
You are not obliged to provide anything. But without a name and an email address we have no way to reply to you.
6. Marketing
We send no newsletters or marketing from this website, and there is nothing here to sign up to. If you contact us about Bokable, we answer your enquiry. Should we send marketing email later, we will do so within the Norwegian Marketing Control Act, and you will be able to opt out at any time.
We do not sell personal data, and we do not share it with advertising networks.
7. The Bokable platform
This section is about the product, not the website. If you use Bokable as a customer, we process data on your behalf and on your instructions, as a processor. You are the controller for the guest, booking and property data entered into it.
Primary service data is held on Microsoft Azure within the EEA. We also use these sub-processors:
- Microsoft Azure — hosting and storage (EEA)
- Stripe — payment processing
- Postmark — transactional email, such as booking confirmations
- Cloudinary — image storage and delivery
Each is bound by a data processing agreement. Customers who want a data processing agreement with us, or an up-to-date list of sub-processors, can request one at [email protected].
8. Transfers outside the EEA
Some of the providers above are US companies, and the processing may involve transferring personal data out of the EEA. Where it does, the transfer rests on a valid basis under GDPR Chapter V — either an adequacy decision by the European Commission, or the EU Standard Contractual Clauses, with supplementary measures where necessary. You may ask us for details of the basis for a particular transfer.
9. Security
We use technical and organisational measures intended to protect personal data against unauthorised access, alteration, loss and disclosure. These include encryption in transit, access controls, logging, backups and monitoring. If we detect a personal data breach, we notify the Norwegian Data Protection Authority within 72 hours where GDPR Article 33 requires it, and those affected where Article 34 requires it.
10. Your rights
In relation to Destination AS, you have the right to:
- learn what personal data we hold about you, and obtain a copy (Article 15)
- have inaccurate or incomplete data corrected (Article 16)
- have data erased (Article 17)
- have the processing restricted (Article 18)
- receive the data in a machine-readable format and have it transmitted elsewhere (Article 20)
- object to processing based on legitimate interests, including the server logs (Article 21)
- withdraw consent, where processing rests on consent, without affecting the lawfulness of what was already done
Email [email protected] to exercise a right. We normally reply within one month. If we are in genuine doubt about who you are, we may ask for information needed to confirm your identity — and no more than that.
If your request concerns a booking or a guest's data, the accommodation provider is the controller and you should contact them first. We assist our customers in responding.
11. Complaints
If you believe we are handling personal data unlawfully, we would rather hear it from you first, so we can put it right. Either way, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet), Postboks 458 Sentrum, 0105 Oslo, or with the supervisory authority where you live or work. Datatilsynet explains the procedure on its website.
12. Changes
If we change how we handle personal data, we update this policy and the date at the top. Where a change matters to you, we will say so more clearly than by a new date alone.