Privacy & Data Protection
Privacy Policy
This page explains how Ad Fontes collects, uses, stores, and protects personal data submitted through our website and online systems.
Last updated: 07.05.2026
Short version
- • We only collect the information needed to process bookings, volunteer requests, and sponsor inquiries.
- • We do not use your data for marketing or analytics.
- • We use trusted service providers such as Supabase, Cloudflare, and Resend.
- • You can contact us to access, correct, or request deletion of your data.
1. Introduction
This Privacy Policy explains how Ad Fontes collects, uses, and protects personal data submitted through our online systems, including our booking system, volunteer signup and sponsor signup forms.
The Ad Fontes website and related systems are developed and maintained by Dombestein Data on behalf of Ad Fontes and HSU (Humanistisk Studentutvalg).
Ad Fontes / HSU acts as the Data Controller for personal data processed through the services provided on this website, while Dombestein Data acts as a technical Data Processor for system operation, maintenance, hosting configuration, and support.
Dombestein Data does not use personal data for purposes other than operating and maintaining the services on behalf of Ad Fontes / HSU.
2. Data we collect
When you submit a booking request or interact with the booking system or any of the forms provided on the website, we collect the following information:
Data collected in all forms:
- Name
- Email Address
- Additional notes / messages included in the request(s)
Further data collected through sponsor submission forms:
- Company Name
Further data collected through booking requests:
- Occasion / Event Description
- Preferred Date and Time
- Number of Attendees
- Equipment Needs
Data collected automatically:
- IP address (via Cloudflare for security / logging purposes)
- Browser and Device metadata
- Timestamps for request creation and updates
Internal administrative data collected:
- Status of booking (pending, approved, denied, conflicting, archived)
- Decision notes
- Decision taken by
We only collect the minimum amount of personal data required to provide our services and do not request unnecessary information.
Our services are not intended for children under 16. We do not knowingly collect data from minors. If you believe a minor has submitted data, contact us to request removal.
3. Purpose of Processing
We process personal data solely for the operation and administration of the Ad Fontes website and booking system. This includes:
- Managing and responding to booking requests, sponsor / partner requests, and volunteer sign-ups
- Ensuring no conflicting events are scheduled
- Contacting you with updates on your request
- Internal planning and resource allocation
- Maintaining records of past events for operational purposes
- Ensuring the safe and responsible operation of the bar’s facilities
We do not use any collected data for marketing or analytics.
4. Legal Basis for Processing
We send automated email notifications as part of processing your request, such as confirmation emails, approval notices, and denial notices.
Under GDPR Article 6, processing is based on:
Art. 6(1)(b) – Contract / pre-contractual necessity
When you submit a booking, sponsor, partner, or volunteer request, we must process it to evaluate and respond appropriately.
Art. 6(1)(f) – Legitimate Interests
For preventing double-bookings, ensuring correct resource planning, maintaining operational security, and protecting website infrastructure.
These notifications are strictly functional and related to your submitted request. They are not marketing messages and do not require explicit consent under GDPR.
We do not send marketing emails.
5. Data Processors & Third Parties
To operate our systems, we use the following GDPR-compliant providers:
Dombestein Data
Acts as technical Data Processor responsible for development, technical operation, hosting configuration, and security measures.
Supabase
Hosting, authentication, and database storage.
Data Region: EU (eu-west-1 – Ireland)
Cloudflare
Provides website hosting, caching, security protections, and traffic routing.
Resend
Transactional email delivery provider used for confirmations and booking notifications.
Data Region: United States
6. Data Retention
We retain personal data only as long as necessary for operational, administrative, and security purposes.
- Unprocessed booking requests may be removed after 14 days
- Archived booking records may be retained for up to three (3) years
- Transactional email logs may be retained temporarily by Resend
- Sponsor and partner requests may be retained for up to 12 months unless collaboration is established
7. Your Rights Under GDPR
Under GDPR, you have the right to:
- Access your stored personal data
- Correct inaccurate information
- Request deletion of your data
- Restrict processing in certain circumstances
- Withdraw your request at any time
- File a complaint with Datatilsynet
8. Contact Information
Dombestein Data – Acting on behalf of Ad Fontes
Email: isak@dombesteindata.net
https://dombesteindata.netAd Fontes / HSU
Email: ekstern.af@hsu.no
9. Security Measures
- Encrypted database connections (TLS)
- Role-based access control through Supabase
- Cloudflare security protections
- Strict authentication for administrators
- Minimal data collection practices
10. Changes to This Policy
We may update this Privacy Policy when necessary. Updates will be published on this page with a new effective date.