Privacy Policy
Effective from 21 April 2026 · Version 1.0
1. Introduction
Vespera Sleep AS ("Vespera", "we", "us") takes your privacy seriously. In this Privacy Policy we explain what personal data we collect about you, why we collect it, how we use it, how long we store it, and what rights you have under the EU General Data Protection Regulation (GDPR) and Norwegian data protection law.
This Privacy Policy applies to your use of the website www.vespera-sleep.com, to purchases of our products and services, and to all other contact you have with Vespera.
2. Data controller
The controller of personal data is:
- Vespera Sleep AS
- Company registration no.: 923 869 506
- Vilbergkroken 44, 2080 Eidsvoll, Norway
- Privacy enquiries: post@vespera-sleep.com
- General contact: post@vespera-sleep.com
3. Personal data we process
Depending on how you use our services, we may process the following categories of personal data:
- Identity and contact information: name, address, e-mail, phone number.
- Order and payment information: order history, purchase amount, payment method. Full card details are never processed by Vespera directly, but by our payment providers.
- Account information: username, hashed password, preferences, settings.
- Communications data: e-mail correspondence, chat logs, customer service interactions.
- Sleep and wellness data (optional, with consent): self-reported sleep patterns, and data from third-party wearables (e.g. Oura, WHOOP) if you choose to connect these to the AI Sleep Blueprint or Sleep Impact Reports.
- Technical data: IP address, browser, operating system, visit logs, cookies and similar identifiers.
- Marketing data: preferences, engagement with e-mails and ads, consent history.
4. Purposes, legal basis and retention
The table below summarises the purposes for which we process your personal data, the legal basis on which the processing is founded (cf. GDPR Article 6, and Article 9 for special categories such as health data), and how long we retain the data.
| Purpose | Categories of personal data | Legal basis (GDPR Art. 6) | Retention period |
|---|---|---|---|
| Performance of the purchase agreement (order, delivery, invoicing) | Name, address, e-mail, phone, order details, payment information | Art. 6(1)(b) — necessary for the performance of a contract | For the duration of the customer relationship, then as necessary for performance (15 years for manufacturer's warranty; 5 years for the Norwegian statutory complaint period) |
| Accounting and bookkeeping | Invoice data, payment data, order history | Art. 6(1)(c) — legal obligation (Norwegian Bookkeeping Act) | 5 years after the end of the financial year, cf. Norwegian Bookkeeping Act § 13 |
| Customer service and complaint handling | Contact details, communication history, order reference | Art. 6(1)(b) / (c) / (f) | While the complaint period is running (up to 5 years) and 3 years thereafter for documentation |
| User account on the website | E-mail, hashed password, settings, order history | Art. 6(1)(b) — necessary for the account agreement | Until the account is deleted by the user, or after 3 years without log-in |
| Newsletter and marketing | E-mail, name, preferences, engagement data | Art. 6(1)(a) — consent / Art. 6(1)(f) — legitimate interest where an existing customer relationship exists (cf. Norwegian Marketing Control Act § 15) | Until consent is withdrawn, or end of customer relationship plus 1 year |
| AI Sleep Blueprint and Sleep Impact Reports (optional service) | Self-reported sleep data, preferences, health and wellness data from wearables (e.g. Oura, WHOOP) upon your consent | Art. 6(1)(a) consent + Art. 9(2)(a) explicit consent for health data | Until consent is withdrawn or the service is terminated, plus a maximum of 90 days |
| Analytics and website improvement | Pseudonymised usage data, shortened IP address, device information | Art. 6(1)(f) — legitimate interest / Art. 6(1)(a) for optional cookies | Up to 26 months (standard for analytics tools) |
| Fraud prevention and legal claims | Order and payment data, IP address, communications | Art. 6(1)(f) — legitimate interest / Art. 6(1)(c) | As long as necessary to detect, prevent or defend legal claims (normally up to 3 years, longer during ongoing proceedings) |
5. Health and wellness data
If you actively choose to use Vespera's optional services such as the AI Sleep Blueprint and Sleep Impact Reports, and you connect data from a wearable (e.g. Oura or WHOOP), we process data that may constitute special categories of personal data (health data) within the meaning of GDPR Article 9. The processing is based exclusively on your explicit consent pursuant to Article 9(2)(a).
You may withdraw your consent at any time, disconnect the wearable integration, and/or delete data in your account settings or by contacting post@vespera-sleep.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Sources of personal data
We primarily obtain personal data from you directly — when you place an order, create an account, contact us or use our services. In addition, we may receive data from:
- Payment providers (payment confirmation, not full card data).
- Shipping partners (tracking and delivery confirmations).
- Third-party wearable providers (e.g. Oura, WHOOP), only with your consent.
- Analytics tools and cookies on the website, in accordance with your cookie preferences.
7. Recipients and sharing
We only share personal data with third parties where necessary for the purposes set out above, or where required by law. Recipients may include:
- Data processors providing services to us, including Shopify (webshop), e-mail and marketing platforms, analytics tools, customer service tools and cloud services. All are bound by data processing agreements pursuant to GDPR Article 28.
- Payment providers (card, Vipps, instalment payment via a third party) who act as independent controllers for their part of the payment process.
- Shipping and logistics partners for delivery of goods.
- Accountants and auditors, subject to statutory professional secrecy.
- The manufacturer Greensleep (International Bedding BV, Belgium) in connection with warranty and complaint handling, where necessary.
- Public authorities where we are legally obliged to disclose.
- Professional advisers (lawyers, auditors) in connection with legal claims or disputes.
We do not sell your personal data to third parties.
8. Transfers outside the EEA
Some of our data processors may have infrastructure or sub-processors outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure that the transfer takes place on a lawful basis — typically the European Commission's Standard Contractual Clauses supplemented with necessary measures, or an adequacy decision. You may contact us for more information on specific transfers.
9. Cookies
The website uses cookies in accordance with the Norwegian Electronic Communications Act § 2-7b, the EU ePrivacy Directive and GDPR. We use:
- Strictly necessary cookies that are required for the website to function (e.g. shopping cart, log-in). These do not require consent.
- Functional cookies that remember your preferences. Require consent.
- Analytics cookies that help us understand how the website is used. Require consent.
- Marketing cookies used for targeted advertising. Require consent.
You choose your preferences through the cookie banner shown on your first visit, and you may at any time change your choices via the "Cookie settings" link in the footer of the website.
10. Your rights
Pursuant to GDPR Articles 13–22, you have the following rights in relation to Vespera:
- Right of access to the personal data we hold about you (Art. 15).
- Right to rectification of inaccurate or incomplete data (Art. 16).
- Right to erasure ("right to be forgotten") when the data is no longer necessary for the purpose, you withdraw consent, or the processing is unlawful (Art. 17).
- Right to restriction of processing under certain conditions (Art. 18).
- Right to data portability — you may receive a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format (Art. 20).
- Right to object to processing based on legitimate interest or used for direct marketing (Art. 21).
- Right to withdraw consent at any time — this does not affect the lawfulness of processing carried out before withdrawal (Art. 7).
- Right not to be subject to solely automated decisions producing legal or similarly significant effects (Art. 22). Vespera does not engage in such automated decision-making.
To exercise your rights, contact us at post@vespera-sleep.com. We respond without undue delay and no later than within 30 days. In complex cases the deadline may be extended by up to 60 days — we will notify you in that event.
11. Complaints to supervisory authorities
If you consider that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with a supervisory authority. We nevertheless encourage you to contact us first, so that we can address any concerns.
Consumers in Norway may contact the Norwegian Data Protection Authority (Datatilsynet):
- PO Box 458 Sentrum, 0105 Oslo, Norway
- Phone: +47 22 39 69 00
- E-mail: postkasse@datatilsynet.no
- Web: www.datatilsynet.no
Consumers resident in another EU/EEA country may lodge a complaint with the data protection authority in their country of habitual residence or where the alleged infringement took place.
12. Information security
Vespera implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or disclosure. Measures include encryption of data in transit, access controls, logging, incident-handling procedures, and training of our staff and partners.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours, and inform you where the breach is likely to result in a high risk, in accordance with GDPR Articles 33 and 34.
13. Children
Our website and services are not directed at children under 15. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without the required consent of a parent or guardian, we will delete it without undue delay.
14. Changes to this policy
Vespera may update this Privacy Policy to reflect changes in our services, in the law, or in our practices. Material changes will be notified on the website or by e-mail if you have a customer relationship with us. The version date is stated at the top of this document.
15. Contact us
If you have questions about this Privacy Policy or our processing of personal data, please contact us:
Vespera Sleep AS
Vilbergkroken 44, 2080 Eidsvoll, Norway
Privacy e-mail: post@vespera-sleep.com
General e-mail: post@vespera-sleep.com