Privacy Policy — Oase
Effective date: January 1st 2025
Who we are: Oase of Norway AS, org. no. 932738945, Tors veg 13, 5221 Nesttun (“we”, “us”, “our”). We operate Oase, a community marketplace where individuals and businesses buy and sell football jerseys and related items across Norway/EEA.
We are the controller for personal data processed to operate the marketplace, user accounts, community features, payments orchestration, trust & safety, and our own marketing. Some partners act as independent controllers (e.g., payment/KYC). Individual sellers may be independent controllers for their own off-platform records and marketing.
Contact: hei@oase.ai • Postal: Tors veg 13, 5221 Nesttun
DPO/Privacy Lead: Olle Nyberg
You can complain to Datatilsynet (Norway) if you’re unhappy with how we handle your data.
1) Data we collect
You provide:
- Account & identity (name, username, password, email, phone, country, preferred language).
- Profile & community (bio, profile photo, collection photos, listings, comments, messages, ratings, dispute info).
- Transactions (purchase/sale details, shipping info you enter, VAT/invoice details, returns, chargebacks).
- Verification documents if required by a partner (e.g., payments/KYC).
- Support interactions (emails, attachments, issue descriptions).
Collected automatically:
- Device/usage (IP address, device identifiers, app version, browser/OS, referral, pages viewed, feature usage events, crash logs).
- Location (coarse location from IP; we do not collect precise location).
- Cookies/SDKs for authentication, preferences, analytics (only with consent), and security.
From third parties:
- Payments/KYC: status and tokenized identifiers from Dintero.
- Shipping: none currently integrated.
- Fraud/risk: none currently integrated (we use manual review).
- Social login: Facebook login may provide your name, email, and profile picture (subject to your settings).
- Analytics & comms: usage and messaging metadata from our service providers as described below.
We do not intentionally collect special category data. Please don’t include sensitive information (e.g., health, religion, political views) in listings or messages.
2) Why we process personal data (and our legal bases)
We process data to:
- Run the marketplace: account creation, login, listing, search, checkout, buyer–seller messaging (contract).
- Payments & payouts: process payments, refunds, chargebacks via Dintero (contract; legal obligation for financial/AML compliance where applicable).
- Shipping & logistics: if or when integrated, to create labels and track deliveries (contract).
- Trust & safety: moderation, fraud and abuse prevention, enforcing rules and bans (legitimate interests; legal obligation when applicable).
- Community features: profiles, collections, comments, ratings, badges (contract; legitimate interests in a healthy community).
- Support: resolve issues, disputes, and returns (contract; legitimate interests).
- Analytics & product improvement: understand feature usage and improve performance (non-essential analytics only with consent).
- Marketing: emails and in-product messages about Oase (with consent where required; for existing customers, legitimate interests with easy opt-out).
- Security: access logs, incident response (legitimate interests; legal obligation).
- Legal & compliance: tax, bookkeeping, audits, responding to lawful requests (legal obligation).
Where we rely on consent, you can withdraw it at any time in Konto → Personvern or by contacting hei@oase.ai.
3) Who we share data with
We share only what’s necessary for each purpose:
- Payments & KYC: Dintero (independent controller for its services).
- Shipping/labels: none currently integrated.
- Fraud/risk tools: none; we use manual review today.
- Analytics: PostHog (configured but not active at the moment; non-essential, only with consent if enabled).
- Email/SMS/Push & Support: Brevo (for communications and support).
- Cloud & infrastructure: Vercel (hosting/deployment), Microsoft (cloud services).
- Law enforcement & regulators: when required by law or to protect users, platform, or the public.
- Buyers & sellers: we share necessary order information between the parties (e.g., name, delivery address when applicable, item details, messages). Public community content is visible by design.
Vendors acting as processors are bound by contracts with confidentiality, security, and data protection obligations.
4) International transfers
Some providers may process data outside your country and/or outside the EEA. When we transfer personal data internationally, we rely on lawful safeguards such as adequacy decisions or Standard Contractual Clauses (SCCs), and apply supplemental measures when needed.
5) Retention
We keep data only as long as needed, then delete or irreversibly anonymize it:
- Account data: for your account’s lifetime; then 6 months for backups.
- Transactions/invoices/tax records: 5 years (or longer if required by local law).
- KYC/AML data (if any): 5 years after the relationship ends (or as required by law).
- Security & access logs: 12 months.
- Marketing consent records: 3 years.
- Messages & community content: retained for the life of the account; 12 months after closure for dispute handling and fraud prevention.
6) Your rights
Subject to law, you can request access, rectification, erasure, restriction, and portability, and you can object to processing based on legitimate interests or direct marketing. You may withdraw consent at any time.
Use Konto → Personvern or email hei@oase.ai. We may ask for information to verify your identity. You can also complain to Datatilsynet.
7) Children
Our services are not intended for children under 13. We do not knowingly collect data from children in that age group. If you believe a child provided data, contact us so we can delete it.
8) Cookies, SDKs, and similar technologies
We use cookies/SDKs for:
- Strictly necessary functions (login sessions, security, load balancing).
- Preferences (e.g., language, currency).
- Analytics (performance and product improvement) — only with consent in the EEA.
- Marketing (measurement) — only with consent in the EEA.
You can manage choices in [Cookie Settings — TBD] and your device/OS settings. Non-essential cookies are off by default until you opt in.
9) Security
We employ appropriate technical and organizational measures (encryption in transit, access controls, least privilege, monitoring, vulnerability management, and incident response). No system is 100% secure; if a data breach occurs, we will notify users and authorities when required by law.
10) Role clarity
- Oase of Norway AS is the controller for operating the platform, trust & safety, analytics (when enabled), and our own marketing.
- Sellers (individual and business) may be independent controllers for data they export or use off-platform (e.g., their accounting or marketing). Sellers must comply with applicable data protection and consumer laws.
- Dintero acts as an independent controller for payment/KYC services.
- If a feature involves joint controllership, we will provide a transparent Art. 26 arrangement.
11) Community content and public profiles
Content you post publicly (listings, collection photos, comments, ratings, usernames, and—based on your settings—name, photo, email, and age) can be visible to others and may be indexed by search engines. Do not share personal data you don’t want public. We may moderate or remove content that violates our rules.
We will never make your national ID/personal identification number (PID) public.
12) Automated decision-making and profiling
We do not use automated decision-making for fraud screening or content moderation today; reviews are manual. If we introduce automation that could significantly affect you, we will update this notice and provide human review on request.
We may use lightweight personalization (e.g., recommended content) when enabled; this does not produce legal or similarly significant effects.
13) Search indexing and third-party links
Public listings and profiles (if you enable visibility) may be indexed by search engines. We may link to or embed third-party services (e.g., payments, social login). Their privacy practices are their own—please review their policies.
14) Marketing preferences
- Our messages: manage email/SMS/push preferences via Konto → Personvern or an unsubscribe link.
- Sellers’ off-platform messages: contact the seller directly to exercise your rights.
We do not sell personal data.
15) Changes to this policy
We may update this policy to reflect operational, legal, or regulatory changes. We will notify you of material changes by email and update the effective date above.
16) How to contact us
Oase of Norway AS — Privacy
Email: hei@oase.ai
Address: Tors veg 13, 5221 Nesttun
DPO/Privacy Lead: Olle Nyberg