CheckPFAS

Privacy Policy

Last updated: March 7, 2026

1. Data Controller

CheckPFAS.com is operated by Jovian Creative AS, a company registered in Norway.

Company: Jovian Creative AS
Organisation number: 930 966 495
Country: Norway

2. Scope of This Policy

This Privacy Policy applies to all visitors of checkpfas.com and describes how Jovian Creative AS collects, uses, stores, and protects personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Norwegian law.

3. Data We Collect

3.1 Data you provide directly

CheckPFAS does not require account registration or login. If you contact us by email, we will receive your email address and any information you include in your message. This data is used solely to respond to your inquiry.

3.2 ZIP code lookups

When you look up a ZIP code, the lookup is performed client-side against pre-built static data files. We do not log, store, or transmit your ZIP code or search query to any server. No personal data is collected through the water quality lookup tool.

3.3 Automatically collected data

Like most websites, our web server may receive standard technical data when you visit, including:

  • IP address (truncated or anonymised where possible)
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time of visit

This data is processed for security, performance, and aggregate analytics purposes. It is not used to identify individual users.

3.4 Cookies

CheckPFAS distinguishes two categories of cookies:

  • Essential cookies: none. The core site does not set cookies. Your browser's localStorage is used to remember your last-looked-up ZIP code and your cookie-consent choice, and those values never leave your browser.
  • Analytics cookies (Google Analytics 4): set only after you explicitly accept via our cookie banner. If you decline, no GA4 cookies are set (GA4 runs in a cookieless "consent mode" by default — see Section 6.5). See Section 6.5 for the specific cookies and their lifetimes.

When you click affiliate links to Amazon or other retailers, those third-party sites may set their own cookies on their own domains. We have no control over those cookies and they are subject to the respective privacy policies of those sites.

4. Legal Basis for Processing

Where we process personal data, we rely on the following legal bases under GDPR Article 6:

  • Legitimate interests (Art. 6(1)(f)): Processing server logs for security and performance monitoring, and operating cookieless analytics (Plausible) that collects no personal data.
  • Consent (Art. 6(1)(a)): Setting Google Analytics 4 cookies and collecting identifiable analytics data, only where you have opted in via our cookie banner (GA4's default cookieless consent-mode signals are aggregated and non-identifying). You may withdraw consent at any time using the cookie preferences control in Section 6.5.
  • Contract (Art. 6(1)(b)): Handling email inquiries to respond to your request.

See Section 6.4 (Plausible, no consent required) and Section 6.5 (Google Analytics, consent-based) for analytics details.

5. How We Use Your Data

Any personal data we collect is used exclusively to:

  • Respond to your emails or support requests
  • Monitor and maintain website security and performance
  • Comply with legal obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Third-Party Services

6.1 Amazon Associates

CheckPFAS participates in the Amazon Services LLC Associates Program, an affiliate advertising program. When you click an Amazon affiliate link, Amazon may set cookies on your device to track purchases. Amazon's data processing is governed by Amazon's Privacy Notice.

6.2 Hosting

Our website is hosted on infrastructure that may process access logs. Our hosting provider is bound by data processing agreements consistent with GDPR requirements.

6.3 External data sources

Water quality data is sourced from the U.S. Environmental Protection Agency (EPA) UCMR 5 dataset, which is public domain. No personal data is transferred to the EPA when you use our lookup tool.

6.4 Plausible Analytics

We use Plausible Analytics, a privacy-friendly, EU-hosted analytics service operated by Plausible Insights OÜ (Estonia). Plausible:

  • Does not use cookies or store any data in your browser
  • Does not collect personal data or personally identifiable information
  • Uses a daily rotating salt to hash IP addresses — the original IP is never stored
  • Is fully compliant with GDPR, CCPA, and PECR without requiring a consent banner

Aggregate, anonymised data (page views, referrers, country-level geography) may be processed by Plausible on servers within the EU. For more information, see Plausible's Privacy Policy.

6.5 Google Analytics 4

We use Google Analytics 4 (measurement ID G-50YCBJXWKM), provided by Google Ireland Limited, to understand how visitors find and use the site at a marketing-channel level. GA4 runs with Google Consent Mode: by default — and if you decline — it sets no cookies and sends only anonymous, aggregated signals (with no identifiers) that Google uses for traffic modeling. It sets the cookies described below and collects identifiable analytics data only after you accept via our cookie banner.

When loaded, GA4 sets the following cookies on your device:

  • _ga — distinguishes unique browsers; expires after 2 years.
  • _ga_G-50YCBJXWKM — persists session state for GA4; expires after 2 years.

GA4 does not log or store your IP address — Google states that IP addresses are processed transiently for geolocation and then discarded. Aggregate data (page views, traffic sources, country-level geography, device class) is processed by Google and may be transferred outside the EEA under Standard Contractual Clauses.

To opt out: decline analytics in our cookie banner (your choice is remembered), install the Google Analytics Opt-out Browser Add-on, or enable Do Not Track / Global Privacy Control in your browser. See also Google's Privacy Policy.

7. Data Retention

Server access logs are retained for a maximum of 30 days for security purposes, after which they are deleted or anonymised. Email correspondence is retained for as long as necessary to resolve your inquiry and for a reasonable period thereafter, not exceeding 2 years.

8. International Data Transfers

CheckPFAS is operated from Norway (EEA). If you access the site from outside the EEA, be aware that your connection data may pass through servers located in the EEA. Any transfers outside the EEA are conducted in compliance with GDPR Chapter V, using Standard Contractual Clauses or equivalent safeguards where required.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we restrict processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Withdraw any consent previously given at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Norwegian supervisory authority: Datatilsynet (datatilsynet.no).

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our website uses HTTPS encryption for all connections.

11. Children's Privacy

CheckPFAS is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. California Residents (CCPA / CPRA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights regarding personal information. Even though CheckPFAS is operated from Norway under GDPR, we extend these rights to California residents as a matter of policy:

  • Right to know: what categories of personal information we have collected about you. For CheckPFAS visitors, this is limited to:
    • Your IP address — anonymized via Plausible within ~24 hours; not logged or stored by Google Analytics 4.
    • Pages you visited and basic referral / device-class data (collected by Plausible and, if you accepted cookies, by GA4).
    • If you accepted analytics cookies: a GA4 client ID stored in your browser via the _ga cookie. No name, email, or address is attached.
    • Any localStorage values you set yourself (such as your last-looked-up ZIP code and your cookie-consent choice), which never leave your browser.
  • Right to delete: request deletion of personal information we hold. Since we don't operate user accounts and our analytics tools don't retain identifiable data, there is generally nothing to delete on our side. Your localStorage and cookie data are yours to clear from your browser settings — and you can withdraw analytics consent at any time via the cookie preferences control in Section 6.5.
  • Right to correct: request correction of inaccurate personal information. Not applicable to our analytics since we hold no identifiable records.
  • Right to opt out of "sale" or "sharing": we do not sell or share personal information. No third-party advertising networks, no data brokers. Our only commercial relationship is with the Amazon Associates program, and Amazon only learns that a click came from CheckPFAS — they do not receive your CheckPFAS browsing history.
  • Right to non-discrimination: exercising any of the above rights will not result in discriminatory treatment. The site is free for everyone.

To exercise any of these rights, contact us at [email protected]. We will respond within the CCPA-required 45-day window.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Continued use of CheckPFAS after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact

For any questions, data requests, or concerns about this Privacy Policy, please contact:

Jovian Creative AS
Org. nr.: 930 966 495