Nordic Coffee Tools

The Swedish version of this privacy policy is the legally binding version. The English translation is provided as a courtesy.

Privacy policy

How we handle your personal data

This policy describes what data Stockholm Coffee Tools AB (operating Nordic Coffee Tools) collects, why we do it, who we share it with, and your rights under GDPR and Swedish data protection law.

Quick overview

What data do you collect?
Contact details, order information, customer-account data and certain technical logs. We never collect more than an order or inquiry requires.
Why?
To deliver your order, handle warranty and complaints, comply with bookkeeping law, and — when you've chosen it yourself — send you relevant communication.
How long is it kept?
Order data for 7 years (Swedish bookkeeping law). Customer account data for as long as the account exists + 24 months. General email support 6 months; warranty and complaint matters up to 3 years.
Who do you share it with?
Our named data processors — primarily Wix, Lagerkoll, Resend and Google (reCAPTCHA for bot protection on signup) — plus carriers and payment service providers. We never sell your data.

The full legal text follows below and serves as the basis for interpretation in case of any ambiguity.

1. Data controller

The data controller for the processing is:

Stockholm Coffee Tools AB
Corporate ID: 559237‑6346
Fabriksvägen 5
171 48 Solna, Sweden
Email: info@nordiccoffeetools.se

If you have questions about how we handle your data, or want to exercise any of your rights, the easiest way to reach us is the email address above.

2. What personal data we process

We only process the data we need to provide our services. The scope depends on how you use the website.

2.1 When you visit the website

  • Technical session cookie (wix_session) for sign-in, cart and B2B pricing.
  • Functional values in your browser's local storage — for example language choice and VAT inclusion. These never leave your device except as part of an authenticated request.
  • Standard server logs (timestamp, requested URL, IP address, browser) that arise from running any website.

2.2 When you send a message via the contact form

  • Name
  • Company (optional)
  • Email address
  • Phone number (optional)
  • Message content

2.3 When you place an order or request a quote

  • First and last name
  • Email address
  • Phone number
  • Company name and corporate ID (for business orders)
  • Invoice and shipping address
  • Order lines (products, quantities, prices)
  • Any message text, customer reference, chosen installation or delivery options
  • Payment data is handled by Wix Checkout and its connected payment service providers. We never store full card numbers or equivalent data in our own infrastructure.

2.4 When you have a customer account

  • Contact details as above
  • Saved shipping addresses
  • Order history
  • User categorisations and customer segments needed to assign the correct price level and access rights (e.g. business customer with agreed price list, or service partner with access to spare-parts ordering). Such categorisations are set manually by us.

2.5 When you receive an order confirmation

The order confirmation and PDF receipt are sent by email. The confirmation contains the data required to document the purchase: your name, your email address, shipping address, order number, order lines and amount.

We do not use any special categories of personal data (sensitive data under GDPR Art. 9) and do not ask you to provide any.

3. Purposes of processing

We process personal data for the following purposes:

  • Process and deliver orders, services and complaints.
  • Invoice and administer payments.
  • Manage member accounts and sign-in.
  • Reply to messages and inquiries received via the contact form or otherwise.
  • Fulfil our legal obligations (including bookkeeping, tax, and consumer law).
  • Protect the website and detect and prevent abuse, errors and security incidents.
  • Develop and improve our product range and service — based on aggregated and anonymised statistics.

4. Legal basis

Each processing activity must, under GDPR Art. 6(1), have a legal basis. For us those bases are:

Processing | Legal basis
Processing and delivering orders | Contract (Art. 6(1)(b))
Member account and sign-in | Contract (Art. 6(1)(b))
Bookkeeping and tax reporting | Legal obligation (Art. 6(1)(c))
Complaints and warranty | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
Customer support and case handling | Legitimate interest (Art. 6(1)(f))
Security, logging, abuse prevention | Legitimate interest (Art. 6(1)(f))
Bot and abuse prevention on signup (Google reCAPTCHA) | Legitimate interest (Art. 6(1)(f)) — preventing automated account creation
Aggregated page-traffic statistics (Vercel Web Analytics) | Legitimate interest (Art. 6(1)(f)) — operating and improving the website
Newsletters or other marketing | Consent (Art. 6(1)(a))

When we rely on legitimate interest we have carried out a balancing test and concluded that our interest in being able to run the business — for example protecting our IT environment or replying to customer questions — does not unreasonably encroach on your rights. You always have the right to object to such processing (see section 9).

5. Where the data comes from

We primarily collect data directly from you when you visit the website, register an account, submit an inquiry or place an order.

For business purchases we may supplement with public data from the Swedish Companies Registration Office (Bolagsverket), the Swedish Tax Agency (Skatteverket), or credit reporting agencies to confirm the company's authority and creditworthiness. Such supplementation is only done to the extent necessary to enter into or perform the agreement.

6. Who we share data with

We use a small number of carefully chosen suppliers that process personal data on our behalf. We share only what is necessary, and we sign data processor agreements with all of them.

  • Wix.com Ltd. — provides the headless platform that powers customer accounts, order register, product catalog, contact register, and CMS forms.
  • Lagerkoll AB — Swedish warehouse and order management system. Every order is sent here for picking, delivery and invoicing.
  • Resend, Inc. — delivers the order confirmation emails we send automatically.
  • Vercel Inc. — hosting provider for the Next.js application that runs the website (server and edge environment, logging, security). Also provides cookieless, query-redacted page-traffic analytics (Vercel Web Analytics) that we do not use to identify visitors.
  • Google LLC (reCAPTCHA Enterprise) — loaded only on the registration page (/registrera) to prevent automated account creation. Wix requires a valid reCAPTCHA token to create new members. Google receives your IP address, browser/device information and anonymised interaction signals (mouse movements, clicks, timing) to determine whether the visitor is a bot. The service is not used for advertising or tracking. See Google's privacy policy.
  • Carriers such as PostNord, DHL, Schenker or Bring — depending on the chosen delivery method.
  • Payment service providers connected to Wix Checkout when you pay by card or invoice.
  • Auditor and bookkeeping agency for our statutory bookkeeping.
  • Authorities (e.g. Skatteverket, Konsumentverket, IMY, the Swedish Police) when we are required by law to disclose data.

We never sell your personal data and do not share it with ad networks. The only analytics service on the website is Vercel Web Analytics — cookieless and query-redacted, meaning we strip query strings from URLs before they are sent. We do not use the service to identify individual visitors.

7. Transfer to third countries

Some of our suppliers are established outside the EU/EEA:

  • Wix.com Ltd. has its parent company in Israel. Israel has a valid adequacy decision from the European Commission, which means the level of protection is considered equivalent to the EU's. For parts of Wix's operations that take place outside the adequacy country, the EU Standard Contractual Clauses (SCCs) apply.
  • Resend, Inc. is established in the USA. For the necessary transfer to the USA we rely primarily on the EU-approved Data Privacy Framework. As an additional, precautionary safeguard we also apply approved Standard Contractual Clauses (SCCs).
  • Vercel Inc. is established in the USA. For the necessary transfer to the USA we rely primarily on the EU-approved Data Privacy Framework, supplemented with Standard Contractual Clauses (SCCs). Vercel Web Analytics receives query-redacted page-traffic data without customer-identifying information.
  • Google LLC is established in the USA. For the reCAPTCHA transfer we rely on the EU-approved Data Privacy Framework (Google is certified) supplemented with Standard Contractual Clauses (SCCs). Only the IP and interaction data needed to identify bot traffic on the registration page is shared.
  • If any other sub-processor at any time processes data outside the EU/EEA, this is done on the basis of the Data Privacy Framework, Standard Contractual Clauses, or another valid transfer mechanism in GDPR Chapter V.

Contact us at info@nordiccoffeetools.se if you would like a copy of the applicable Standard Contractual Clauses.

8. How long we keep the data

We never keep personal data longer than necessary for the purposes for which we collected it, or to fulfil legal requirements.

Data | Retention
Bookkeeping and order records | Seven years after the end of the financial year the order belongs to (Swedish Bookkeeping Act 1999:1078, ch. 7 §2)
Active customer account | As long as the account exists + 24 months after the most recent sign-in, after which it is anonymised or deleted
General questions and support cases via email or contact form | Continuously deleted 6 months after the case has been closed. If the case later proves to be linked to an order, warranty or complaint, the correspondence is moved to the longer retention period (3 years) below.
Email correspondence linked to a purchase, warranty or complaint | Up to 3 years after the case has been closed, to enable handling of consumer-law claims
Email send logs | Approximately 90 days (under Resend's processing as our processor)
Newsletter | Until you withdraw your consent
Technical server logs | Reasonable troubleshooting and security period, normally at most 90 days

After the retention period has elapsed, the data is deleted or anonymised.

9. Your rights under GDPR

As a data subject you have a number of rights. To exercise any of them, contact us at info@nordiccoffeetools.se.

When you contact us to exercise your rights we handle your case free of charge. Our goal is always to come back to you with a decision and action within 30 days of receiving your request. In exceptional cases — for particularly complex cases — the response time may be extended, in which case we'll let you know.

  • Right of access (Art. 15). You can request a register extract of the data we process about you.
  • Right to rectification (Art. 16). If anything is incorrect or incomplete, we will correct it. You can also correct many fields yourself under "My details" in your account.
  • Right to erasure (Art. 17). You can request that we delete data we no longer have a basis for processing. We may, however, need to retain certain information to comply with bookkeeping or other legal requirements.
  • Right to restriction (Art. 18). You can request that the processing be restricted while an objection or correction is being assessed.
  • Right to object (Art. 21). You can object to processing we perform on the basis of legitimate interest. You always have the right to object to direct marketing.
  • Right to data portability (Art. 20). For data you have provided to us yourself and which we process based on contract or consent, you can receive it in a structured, commonly used and machine-readable format.
  • Right to withdraw consent (Art. 7(3)). When we process data on the basis of your consent (e.g. for newsletters), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To protect you against unauthorised disclosures, we may need to ask you to confirm your identity in an appropriate way before we carry out a request.

10. Security

We continuously work with technical and organisational security measures to protect your data against unauthorised access, alteration, disclosure or loss. Our measures include:

  • Encryption of traffic (TLS/HTTPS) across the entire website.
  • Strict access control — only authorised staff have access to systems containing personal data, and access is role-based.
  • Short session lifetimes and protected cookies (Secure, SameSite=Lax) in production.
  • Secrets and API keys are stored in secure environment variables and are never exposed on the client.
  • Suppliers are evaluated and regulated through data processor agreements.
  • Security updates, logging and incident routines.

No security measures are 100% safe. If a personal data incident does occur, we handle it under GDPR Art. 33–34 and notify IMY and the affected data subjects when required.

11. Cookies and similar technologies

A cookie is a small text file stored in your browser. The website currently uses only strictly necessary cookies — those required to make a service you have actively requested (e.g. sign-in or cart) work.

Name | Purpose | Duration | Basis
wix_session | Keeps you signed in, stores your cart, and ensures the right B2B price is shown. | 30 days | Strictly necessary (LEK ch. 6 §18 para. 2)
Operational Wix cookies | May be set briefly by the Wix Headless SDK during authentication flows. | Session duration | Strictly necessary (LEK ch. 6 §18 para. 2)

In addition to cookies we use your browser's local storage (localStorage/sessionStorage) for functional values such as language choice, VAT display and a cached B2B status. These values stay on your device until you clear them and are not transferred to us except as part of an ordinary request signature.

The only analytics service on the website is Vercel Web Analytics, which measures page traffic without setting cookies. Before each event is sent, we strip query strings and fragment identifiers so the service never receives order numbers, form contents or other data that could be linked to individual visitors. We do not use marketing cookies or tracking technologies that require consent, and therefore have no consent banner today. If such technologies are introduced in future, you will get a clear opportunity to accept or decline before they are activated, in accordance with ch. 6 §18 of the Swedish Electronic Communications Act (LEK) and GDPR.

Our commitment: quarterly cookie review

Because we build on a third-party platform (Wix), new cookies may appear without us actively having chosen them. To keep the protection in this policy true, we have an internal routine to review the website's cookies and local storage keys quarterly. If the review discovers new tracking, analytics or marketing cookies, this policy is updated without delay and an approved consent banner is introduced before such cookies may be set, in accordance with LEK and IMY's practice on "dark patterns".

You can always delete cookies via your browser's settings. Note that the website's signed-in features may then stop working.

12. Automated decision-making

We do not use the kind of automated decision-making or profiling referred to in GDPR Art. 22. B2B price labels are set manually by us based on agreement with each business customer.

13. Right to lodge a complaint with IMY

If you believe we are processing your personal data incorrectly, you can lodge a complaint with the Swedish Authority for Privacy Protection (IMY), the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm, Sweden
Website: www.imy.se

We of course appreciate it if you contact us first, so we get the chance to clear up any misunderstandings.

14. Changes to this policy

We may update this privacy policy when our business, the technology, or the law changes. The current version is always shown at the bottom of the page, together with the date of the most recent change.

For material changes — for example introducing an entirely new type of processing or a new recipient — we will notify you specifically, primarily by email to signed-in members or through a clear notice on the website.

15. Contact

Please get in touch if you have questions about this policy or want to exercise any of your rights.

Stockholm Coffee Tools AB
Corporate ID: 559237‑6346
Fabriksvägen 5, 171 48 Solna, Sweden
Email: info@nordiccoffeetools.se

We have not currently designated a Data Protection Officer, since the business is not subject to the statutory requirement under GDPR Art. 37. Data-protection questions are handled by our customer service and management via the email address above.

Version 1.4 · Last updated 2026-05-04
