
Privacy Policy

How we handle your personal data — in plain English, and in accordance with GDPR (Regulation (EU) 2016/679)

Last updated: 2026-04-08 · Version 1.0

1. Who we are (Data Controller)

The controller of your personal data under Art. 4(7) GDPR is:

[TODO — legal entity name]
[TODO — registered address]
Org.nr: [TODO]

Contact for data-protection questions: [email protected]

We have not appointed a dedicated Data Protection Officer (DPO) as we do not meet the thresholds of Art. 37 GDPR. Enquiries are handled directly by the controller.

2. What we collect and why

| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Name, email, password hash | Account creation and login | Art. 6(1)(b) — contract performance | Until account deletion |
| Avatar, bio, location, profile preferences | Display your profile and personalise the experience | Art. 6(1)(b) — contract | Until account deletion |
| Order data (items, amount, shipping address) | Processing purchases and shipping | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (accounting) | 7 years (Swedish Bokföringslag SFS 1999:1078) |
| Payment data | Processing payments | Art. 6(1)(b) — contract | Processed directly by Stripe — we never store full card numbers |
| Newsletter email | Sending the Explore Nord newsletter | Art. 6(1)(a) — consent (opt-in) | Until unsubscribe |
| Courier application docs (ID, selfie, BankID status) | Verifying courier identity for the pickup service | Art. 6(1)(b) — contract; Art. 9(2)(a) — explicit consent for ID data | Deleted within 30 days of application rejection, or on courier off-boarding |
| Server access logs (IP, user-agent, request path) | Security, abuse prevention, troubleshooting | Art. 6(1)(f) — legitimate interest | 30 days rolling |
| Cookie consent choice | Remembering your consent preferences | Art. 6(1)(c) — legal obligation (ePrivacy) | 12 months |

3. Who we share data with (Processors & Recipients)

We only share personal data with third parties who act as our processors under a GDPR Art. 28 Data Processing Agreement (DPA). Current processors:

  • Stripe Payments Europe, Ltd. — payment processing (HQ: Dublin, IE; servers in EU and US under SCCs). Privacy policy
  • Resend Inc. — transactional and newsletter email delivery (HQ: San Francisco, US under SCCs). Privacy policy
  • Cloudflare, Inc. — CDN, DDoS protection, TLS termination (HQ: San Francisco, US under SCCs and adequacy mechanisms). Privacy policy
  • Contabo GmbH — hosting provider for our server and database (HQ: München, DE — EU). Privacy policy

We do not sell your personal data to anyone, ever.

4. International transfers

Some of our processors (Stripe, Resend, Cloudflare) have infrastructure outside the EU/EEA. Where this is the case, transfers are safeguarded by:

  • The European Commission's EU–US Data Privacy Framework (where the processor is certified), or
  • The European Commission's Standard Contractual Clauses (2021/914), and
  • Supplementary technical measures including end-to-end TLS encryption and minimal data transfer.

A copy of the applicable safeguards is available on request from [email protected].

5. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — get a copy of everything we hold
  • Right of rectification (Art. 16) — correct inaccurate data
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — download your data in JSON
  • Right to object (Art. 21) — especially to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting lawfulness of prior processing

You can exercise these rights directly from your account page (Plan → My Profile) — the Export my data and Delete my account buttons there are automated — or by emailing [email protected]. We will respond within 30 days.

6. Right to lodge a complaint

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Sweden, this is:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se · [email protected]

7. Cookies & local storage

We use a limited set of cookies and browser storage. They fall into three categories:

  • Strictly necessary — login session (auth_token), cart contents, language choice, cookie consent record. These are set without consent because they are essential to operate the site (ePrivacy Art. 5(3) exception).
  • Analytics — currently none. Should we introduce privacy-friendly analytics in the future, they will only load after you opt in via the cookie banner.
  • Marketing — currently none. Affiliate tracking pixels from partners may load only when you click a booking link; those are governed by the partner's own privacy policy.

You can change your preferences at any time by clicking the Cookie settings link in the site footer.

8. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you (Art. 22 GDPR).

9. Security

We take reasonable technical and organisational measures to protect your data, including:

  • HTTPS with modern TLS (TLS 1.2+) for all traffic
  • Passwords stored only as bcrypt hashes (never plain text)
  • JWT-based session tokens in HttpOnly cookies
  • Two-factor authentication (TOTP) protecting the admin panel
  • Rate limiting on authentication and upload endpoints
  • Automated database backups and integrity monitoring
  • A published vulnerability disclosure channel (security.txt)

No system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify IMY within 72 hours and affected users without undue delay (Art. 33–34 GDPR).

10. Children

The site is not directed at children under 13. We do not knowingly collect personal data from children under 13 (the age of digital consent in Sweden under GDPR Art. 8). If you believe a child has provided us with data, please contact [email protected] and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via a site banner or an email to registered users. The "Last updated" date at the top always reflects the most recent version.
