Sunstone Institute
Sunstone Institute AS
Last updated: 2026-02-07
Sunstone Institute AS ("we", "us", "our") is a philanthropy-funded research organisation registered in Norway (org. nr. 932 903 679). We are committed to protecting your privacy and ensuring that your personal data is handled safely, transparently, and in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") as incorporated into Norwegian law via the Personopplysningsloven.
This Privacy Policy describes what personal data we collect when you visit our website, how we use it, how long we retain it, and what rights you have.
The data controller responsible for the processing of your personal data is:
Sunstone Institute AS
Apotekergata 10B
Oslo, Norway
Email: [email protected]
When you submit a message through our contact form, we collect the following information:
We use this information solely to respond to your enquiry and to communicate with you about the subject you contacted us regarding.
We use Umami, a privacy-focused, open-source analytics tool that we self-host on European infrastructure. Umami does not use cookies, does not use localStorage, does not collect personal information, and does not track visitors across websites.
We collect the following aggregate data:
How we handle IP addresses: Your IP address is used at the time of your visit to determine your approximate country of origin and to generate a pseudonymous visitor identifier via a one-way cryptographic hash. The raw IP address is never stored in our analytics database. The hash rotates on a monthly salt, meaning the resulting identifier cannot be reversed to recover your IP address and automatically expires each calendar month.
What we do not collect: We do not use cookies (first-party or third-party), advertising trackers, cross-site tracking, browser fingerprinting (canvas, WebGL, or similar), or any technology that builds individual user profiles. We do not sell or share analytics data with third parties.
We honour your browser's Do Not Track (DNT) setting. If DNT is enabled, no analytics data is collected from your visit.
Our website is served through Cloudflare's content delivery network for performance and security. Cloudflare processes requests in order to deliver content but does not set tracking cookies on our site. We have specifically disabled Cloudflare features that would place cookies on your device (such as Bot Fight Mode, Waiting Room, and client-side challenge pages).
We use Cloudflare Stream to host and deliver video content on our website. The Cloudflare Stream player does not store identifiable information about viewers and does not set tracking cookies. Cloudflare processes standard request data (such as IP address) in order to deliver video content, but does not use this data for tracking or profiling purposes.
As Cloudflare is a US-based company, requests to its global content delivery network and video streaming infrastructure may be processed at edge nodes outside the EEA. Cloudflare does not store personal data on our behalf. For further details, please refer to Cloudflare's Privacy Policy.
When you contact us using the contact form, we use the information you provide — such as your email address or phone number — to respond to your enquiry. By submitting the form, you acknowledge that we may contact you using the details you have provided.
We use aggregated, non-identifiable analytics data to understand how visitors use our website and to improve the user experience. We do not build individual user profiles for marketing or advertising purposes.
Our core mission involves data-driven research on matters of public interest. Any personal data used in research contexts is handled in accordance with applicable research ethics frameworks, the GDPR, and Norwegian law. We do not use data submitted through the contact form for research purposes.
We process your personal data under the following GDPR legal bases:
We do not sell, rent, or trade your personal data. We do not share analytics data with any third party.
We may share contact form data with trusted service providers who help us manage communications (e.g., email hosting providers), but only to the extent necessary and with appropriate data processing agreements in place.
European data residency: We prioritise the use of European-based infrastructure and service providers. Our analytics platform is self-hosted on European servers, and analytics data does not leave the EEA. Our website is served through Cloudflare's global content delivery network, and video content is delivered via Cloudflare Stream; Cloudflare may process requests at edge nodes outside the EEA, but does not store personal data on our behalf. Where any data transfers outside the EEA are necessary, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR (e.g., Standard Contractual Clauses or an adequacy decision).
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, including:
Contact form submissions are retained for no longer than 12 months after the last communication, unless a longer retention period is required by law. Analytics data is retained in aggregated, non-identifiable form; pseudonymous visitor identifiers expire automatically each calendar month by design.
If you wish to have your data deleted earlier, you may contact us at any time.
Our website does not use cookies. We do not set first-party tracking cookies, and we have configured our infrastructure to prevent third-party cookies from being placed on your device. No consent banner is required or displayed.
Should this change in the future — for example, if we introduce functionality that requires cookies — we will update this policy and implement appropriate consent mechanisms before any cookies are set.
Under the GDPR, you have the right to access, correct, or delete the personal data we hold about you, to object to its processing, and to withdraw any consent you have given — at any time, without affecting the lawfulness of processing carried out prior to withdrawal. In practice, the personal data we hold is limited to information you have submitted via our contact form.
To exercise any of these rights, please contact us using the details in Section 1 above. We will respond to your request within 30 days.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):
Datatilsynet Postboks 458 Sentrum 0105 Oslo, Norway www.datatilsynet.no
We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, or alteration. These measures include encryption in transit and at rest, access controls, and regular security reviews.
As an organisation working in contested research domains, security is a core part of our culture and operations. While no method of transmission over the internet can be guaranteed to be completely secure, we continuously review and strengthen our security practices to protect your data.
Our website may include links to external websites, datasets, or publications. We are not responsible for the privacy practices or content of these third parties. We encourage you to read the privacy policies of any external sites you visit.
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child, please contact us so that we can promptly delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. The updated version will always be posted on our website with a revised "last updated" date. We encourage you to review this policy periodically.
Where changes are material, we will make reasonable efforts to notify you (e.g., by posting a prominent notice on our website).
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us at:
Sunstone Institute AS
Apotekergata 10B
Oslo, Norway
Email: [email protected]