Privacy Policy

Last updated: June 2026

This Privacy Policy describes how ScandicData (Data Controller: 5K Studio LLC) collects, uses, and protects personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") as applicable within the European Union (EU) and European Economic Area (EEA). This policy applies to personal data of our business customers, their authorised representatives, and any other individuals whose personal data we process in connection with our products and services.

1. Data Controller Information

5K Studio LLC
Registration Number: 40203338684
Graudu street 21, Liepaja, Latvia, LV-3401
Email: post@scandicdata.no

2. Categories of Data Collected and Legal Basis

We process personal data based on the following legal grounds under Article 6 of the GDPR:

Performance of a Contract (Art. 6(1)(b)): To process orders, deliver hardware, activate SaaS subscriptions, provide technical support, and manage billing. Data collected includes: name, email address, billing address, shipping address, and company details of authorised representatives.
Legitimate Interests (Art. 6(1)(f)): To maintain the security of our platform, to route system alerts and threshold notifications to the registered account users (including contact persons at the Buyer's organisation), and to ensure device connectivity and service reliability. Our legitimate interest is to ensure the operational continuity of the monitoring service contracted by the Buyer. You have the right to object to processing based on legitimate interests — see Section 5.

Note on sensor measurement data: Environmental measurement data generated by installed IoT sensors — including but not limited to temperature, CO₂ concentration, humidity, and any other physical parameters supported by current or future device configurations — constitutes operational data about the monitored physical environment, not personal data within the meaning of the GDPR. Such data is therefore processed outside the scope of this Privacy Policy. Where a future sensor configuration generates data that relates to or could identify a natural person (for example, occupancy detection, presence sensing, or biometric parameters), ScandicData will revise this Policy accordingly and notify all active subscribers in advance of deploying such sensor types.
Consent (Art. 6(1)(a)): For the use of non-essential analytics cookies on our website. Consent is obtained through our cookie banner and can be withdrawn at any time.
Legal Obligation (Art. 6(1)(c)): To comply with applicable tax, accounting, and financial record-keeping obligations under Latvian and EU law.

3. Data Sharing and Third-Party Processors

We never sell your personal data to third parties. We engage trusted third-party Data Processors strictly necessary for our business operations, including: EEA-licensed payment service providers (for secure payment processing) and verified logistics and courier services (for hardware delivery). All processors are engaged under written data processing agreements in accordance with Article 28 GDPR. Your credit card information is never stored on our servers.

4. International Data Transfers

We prioritise processing personal data within the EEA. Where data must be transferred to a third country outside the EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, before any such transfer takes place.

5. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please submit a written request to post@scandicdata.no. We will respond within 30 days in accordance with Article 12 GDPR. We may request verification of your identity before processing the request.

Right of Access (Art. 15): You may request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure — "Right to be Forgotten" (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to mandatory legal retention obligations (e.g., tax and accounting records).
Right to Restriction of Processing (Art. 18): You may request that we temporarily restrict the processing of your personal data in certain circumstances — for example, while a dispute regarding its accuracy is being resolved, or where you have objected to processing and a determination is pending.
Right to Data Portability (Art. 20): Where processing is based on consent or contractual necessity and is carried out by automated means, you may request your personal data in a structured, commonly used, and machine-readable format, and request its transfer to another data controller where technically feasible.
Right to Object (Art. 21): You have the right to object at any time to the processing of your personal data where that processing is based on our legitimate interests (Article 6(1)(f) GDPR). Upon receipt of an objection, we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority at any time, without prejudice to any other administrative or judicial remedy (Article 77 GDPR). As 5K Studio LLC is registered in Latvia, the competent lead supervisory authority is:

Datu valsts inspekcija (Data State Inspectorate)
Elijas iela 17, Riga, Latvia, LV-1050
Website: www.dvi.gov.lv
Email: info@dvi.gov.lv

You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence or place of work.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Order and transaction records are retained for the period required under Latvian tax and accounting legislation (currently 5 years from the end of the tax year). Account data is retained for the duration of the active business relationship and for a reasonable period thereafter to handle potential disputes or warranty claims.

7. Cookies and Analytics

Our website uses cookies to ensure platform functionality and improve user experience. We use Google Analytics to monitor website traffic patterns. Google Analytics operates through pseudonymisation (IP addresses are not stored by us in identifiable form); however, Google Analytics does not constitute full anonymisation under the GDPR, as residual identification risk cannot be entirely excluded. It is therefore treated as personal data processing subject to consent requirements.

Non-essential analytics cookies are activated only if you provide explicit, freely given consent via our cookie banner displayed on your first visit. You can withdraw your consent at any time by clicking "Decline" on the banner or by clearing your browser cookies. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.