Hurtigruten Privacy Notice
Introduction
Your privacy is important to us at Hurtigruten and we are concerned with safeguarding your personal data. This Privacy Notice contains information about how we process personal data about you. We encourage you to read it. If you have additional questions or require more information about our processing activities, please do not hesitate to contact us.
Who we are
Hurtigruten consists of several companies (collectively hereafter referred to as "Hurtigruten", the "Group", "we" or "us"). The controller is the Hurtigruten entity that you have a relationship with, as described below:
Hurtigruten Global Sales AS, organisation number 914 904 633, owns and is responsible for the processing of personal data through our global centralized booking system, for our websites, for your account on our websites, for our mobile app and for our loyalty program. Hurtigruten Global Sales AS is our contracting entity with you in the Nordics and in Germany and certain other European markets and is responsible for customer communication and marketing to its customers.
Hurtigruten UK Ltd., organisation number 02865967, is our contracting entity in the UK and certain other markets and is responsible for processing of personal data associated with all booking data and financial information about you relating to bookings with Hurtigruten UK Ltd., such as when you receive an invoice or make a payment with us. Hurtigruten UK Ltd. is responsible for customer communication and marketing to its customers.
Hurtigruten Americas, Inc., is our contracting entity with you in the Americas region and is responsible for processing of personal data associated with all booking data and financial information about you relating to bookings with Hurtigruten Americas, Inc., such as when you receive an invoice or make a payment with us. Hurtigruten Americas, Inc. is responsible for customer communication and marketing to its customers.
Hurtigruten France SAS, organisation number 449 035 005 RCS Paris, is our contracting entity with you in France and certain other markets and is responsible for processing of personal data associated with all booking data and financial information about you relating to bookings with Hurtigruten France SAS, such as when you receive an invoice or make a payment with us. Hurtigruten France SAS is responsible for customer communication and marketing to its customers.
Hurtigruten Coastal AS, organisation number 918 704 981,concerning your sailing with and stay on board on of our Coastal or Signature vessels and activities onboard such vessel.
Hurtigruten Svalbard AS, organisation number 951 291 579, concerning your bookings with Hurtigruten Svalbard AS, including stays at our hotels and restaurants, sailings with vessels commercially operated by Hurtigruten Svalbard AS and related activities and excursions.
Green Dog Svalbard AS, organisation number 997 415 949, concerning your bookings with Green Dog Svalbard AS for dog sledging activities in Svalbard operated by Green Dog Svalbard AS.
Who we process personal data about
As part of our business activities, we process personal data about the following individuals:
Private customers.
Contact persons at our agents, suppliers, business customers and other business partners.
Visitors of our website, app and our social media accounts.
If you are an employee, consultant or similar personnel that works for us, you will find information about how we process personal data about you in our internal privacy notice.
How do we use your personal data
Our main purpose is to provide you with a great experience during your trip. For our business purposes, we typically process personal data as follows.
| Purpose | Types of data | Source | Legal basis | Storage |
|---|---|---|---|---|
To manage and perform bookings | Name, phone number, e-mail address, phone number, date of birth, nationality, booking data (such as cruise choices, cabin category, hotel bookings, flight bookings, itinerary, excursions, activities), transaction data | From you | To perform the contract with you as customer and to comply with statutory bookkeeping rules | Up to 10 years after the trip |
To fulfil statutory travel requirements | Passport and visa data, photo at boarding | From you, photo at boarding | To comply with statutory requirements | 90 days after the trip |
To maintain manifests and safety on board | Name, cabin number, date of birth, travel companions, port of disembarkation, need for special assistance | From you | The legitimate interest in ensuring safety and emergency management | 30 days after your trip is over |
To administer our website and mobile app | Name, phone number, e-mail address, address, and other data that you may provide on your line profile | From you | To perform the contract with you as user of our website or app | For as long as you are a registered user of the website or app |
To maintain customer engagement and customer communications (journey-based communications, service & operational messages and personalised lifecycle marketing) | Email interactions, SMS interactions, push notifications, preferences, unsubscribe history, communication logs, service message history, call recordings, chat, comments, reviews | From you, from your device, from our communications systems | To perform the contract with you as customer; The legitimate interest in maintaining accurate communication records and ensuring compliance with marketing preferences | Up to 5 years after interaction, unless you withdraw consent or opt out earlier |
To support participation in on-board activities | Data required for specific activities (e.g., fitness, lectures) | From you | To perform the contracts with you as user of the activity | 30 days after your trip is over |
To accommodate health-related needs, and other particular needs | Allergies, food preferences (which may indicate religion), disabilities, medical conditions | From you (including forms that you voluntarily fill out) | Your consent, which is deemed given when you provide us the information | 24 months after trip |
To manage health-related services | Health-information relevant for the situation, screening results (if required to trace disease) | From you; From screening | For preventive or occupational medicine | 30 days after your trip is over |
To secure the vessel through CCTV | Video recordings from access points and public areas | From CCTV | The legitimate interest in ensuring safety and crime prevention | 7 days, however up to 30 days if likely to be handed to police |
To keep next-of-kin information for emergencies | Next-of-kin contact details | From you | The legitimate interest in ensuring passenger safety | 90 days after trip |
To send information on similar or related products and services, as well as personalized newsletters, campaigns, marketing communications to share news, offers and inspiration about our products | E-mail address, phone number, booking data | From you | If you are a customer: the legitimate interest in informing you about our similar or related products and services In other situations: Your consent | If you are a customer: From the date of booking and until shortly after end of trip, or until you opt-out If other situations: Until consent withdrawn |
To receive personalised cabin messages | Booking data (such as data about children on board) | From you | Your consent | Until trip is over, or until consent withdrawn |
To operate our 1893 Ambassador Loyalty Programme, including targeting communications and offers based on membership level and history and analysis to improve the Loyalty Programme | Name, e-mail address, phone number Ambassador ID, points, tiers, balance, tier, recognitions, account activity, milestones | From you, from your loyalty profile | To perform the contract with you as loyalty member | For as long as you are enrolled in the Loyalty Programme |
To run competitions | E-mail address, phone number, competition participation, and other data that may be requested in the competition | From you | To perform the contract with you as participant | 6 months after the competition is over |
To perform analytics and statistics and improve customer experience | Travel history, booking data, call recordings, demographics, website behaviour Aggregated interaction data, survey responses, NPS/CSAT scores. Feedback forms, usage patterns in My Account | From you, call recordings, from your device, web analytics tools, from surveys | The legitimate interest in optimising / improving products, services and customer experience Your consent for session recording and analysing call recordings | Up to 48 months. Aggregated or anonymised data retained longer for trends |
To perform user tests | User test responses | From you | Your consent | Until the test is completed and the results are aggregated |
My Account* & Preferences | Storage of profile data, saved items e.g. travel docs, preferences and communication settings | From you, from My Account | To perform the contract with you as a My Account user | As long as you have a My Account |
As described in the table above, we send both operational and marketing communications. Operational messages are essential to deliver our services, are not marketing messaged and cannot be unsubscribed from. Marketing messages share information, inspiration, offers and updates about our products and services. If you are an existing customer, we rely on legitimate interest. If you are not yet a customer, we will only send marketing when you have provided your consent. You can unsubscribe from these messages at any time by using the unsubscribe link in the email or email [email protected]. We will ensure that your preferences are respected and updated across all systems within a reasonable period of time.
We use third-party advertising platforms, such as Google and Meta (Facebook and Instagram), to create and use "custom audience" or similar matching products. This involves uploading to the platform a list of hashed (pseudonymised) e-mail addresses and/or phone numbers of selected customers. The platform compares the hashed identifiers against its own user base to create audience segments of matched users. These segments are used to display our ads to those matched users on the platform and/or to suppress our ads so that certain matched users do not receive them (for example, to avoid showing ads to people who have already booked). We enter into appropriate contractual arrangements with the relevant platform provider to protect your personal data.
To ensure we provide consistent, accurate and relevant services, we may combine personal data collected from different sources. We use automated tools and profiling/segmentation to understand our customers preferences and improve the relevance of our communications and offers. We use the combined information, to the extent relevant for the purposes mentioned in the table above.
As described in the table above, we carry out customer insights, feedback and research activities to understand how our products and services are used and how we can improve them. This may include post voyage surveys, satisfaction scores, feedback forms, interviews, focus groups, user testing, market research studies and analysis of aggregated trends. Individual responses are stored up to 24 months, after which they are aggregated or anonymised.
We may also use personal data for other purposes not incompatible with those listed above, such as bookkeeping, handling of claims, complaints and disputes, and mergers & acquisitions and similar transfers of business.
We may also store personal data longer than what is stipulated above if you consent to it, if it is required by law, or if a special need arise, such as claims, complaints and disputes.
How we share your personal data
We may disclose your personal data to the following categories of recipients related to the purposes mentioned above:
To other Hurtigruten companies for internal administrative purposes.
To partners operating activities, excursions, hotels, restaurants and similar that you have booked through us.
To our suppliers (such as suppliers of IT systems (including without limitation providers of our CRM platform, email personalisation tool, analytic tools and survey/voice of the customer partners), agents or providers of other services to us). We will enter into agreements with them including requirements that they do not process the data for other purposes than to supply services for us.
To authorities upon request.
To third parties if required by law.
To our advisors and business partners in a manner common in our industry, which may also include third parties in connection with possible mergers or acquisitions or similar transfers of business.
We may transfer your personal data originating from EEA to countries outside the EEA if the recipients mentioned above (or their suppliers) are located outside the EEA. If so, we will adopt appropriate safeguards to protect the privacy of the data (such as by entering into EU's Standard Contractual Clauses). We will provide you with further details about such international data transfers upon request. If you want to obtain a copy of the safeguards, please use the contact details below.
Third parties and social media
We have pages on social media – Meta, Instagram, LinkedIn – where we provide information about our services and interact with the users. On such social media pages, we may receive anonymised insight, such as statistics about age, sex and location of our users. We may also receive information that you decide to share with us, such as chats, comments and likes.
Your experience on the social media sites will be governed by the privacy and other policies of those sites, see Meta's Privacy Notice for Facebook and Instagram, and the Privacy Notice for LinkedIn. As we are joint controllers with the social media for data processed from your use of social media tools or links on our site, and for aggregated insight that we get from your use of our pages on social media, you may also contact us if you would like to have more information, or if you want to exercise your privacy rights. However, please note that we may not be able to respond to all request, and that we may have to refer you to the social media for further information.
Payment Processing
In case of Services requiring payment, you may need to provide your credit card details or other payment account information, which will be used solely for processing payments. We use third-party payment processors to assist us in the processing of your payment information securely. Your transaction data, like credit card information, will be collected by our payment service providers.
Your privacy rights
You have several rights as regards the processing of your personal data. Such rights include:
| Rights | Description |
|---|---|
Information | To receive further information on how we process your personal data. |
Access | To receive a copy of the information we have on you. |
Rectification | To request rectification and completion of the information we have on you. |
Erasure | To request erasure of information if there are no applicable legal grounds for processing such information. |
Restriction | To ask that we restrict the processing of your information. |
Data portability | To ask that your information is transferred to you in a structured, commonly used and machine-readable format. |
Objection | To object to our processing of your personal data. You also have the right to object to being subject to a decision based solely on automated processing. |
Please note that these rights are subject to conditions and limitations by law. Please contact us if you would like to exercise your rights or if you would like more information about the conditions/limitations.
If you find that we use your personal data in violation of applicable law, you may file a complaint to the relevant data protection authority. We encourage you to contact us prior to making such complaint, so that we may consider your objection and clarify any misunderstandings.
Changes to this Privacy Notice
We are continuously working to develop and improve our services in relation to our customers. This may alter that the manner or scope of our processing of personal data. Occasionally, we will therefore adjust and update this Privacy Notice. You will be notified about significant changes. You will always find the latest version of this Privacy Notice on our website.
Cookies
If you visit our website, we place cookies on your device. You will find more information about the use of cookies in our Cookie Policy published on this website.
Contact info
If you have questions regarding the processing of data, you may contact us by email at [email protected], or send an enquiry to Hurtigruten, Attn.: Legal department, Langkaia 1, 0150 Oslo.
If you have questions regarding your booking or other questions unrelated to privacy, feel free to contact [email protected].
Version Control
| Version Number | 2.0 |
|---|---|
Effective Date | 11.02.2026 |
Next Review Date | 01.02.2027 |
Responsible Officer | VP Legal and General Counsel |
*My Account expected to go live H1/2026