Privacy Policy

This notice explains how we process personal data when you visit our website, submit forms about Pavnor, or purchase goods through our checkout workflows. We apply the EU General Data Protection Regulation (GDPR), UK GDPR where relevant, and supplementary Swedish data protection rules.

Regional scope and advertising-related processing

Core processing takes place in Sweden and the EU/EEA. We do not sell personal data. If we use online advertising, we do not target or personalise ads based on sensitive health data, and we do not build profiles from health conditions. Campaign measurement tags or similar tools run only where allowed by the preferences saved in the cookie consent panel. Aggregated geographic reports (for example country or region of visits) may be used to understand audience mix; they do not identify individuals unless you have separately sent us a message or order.

Data we collect

Purposes and legal bases

Purpose | Legal basis | Notes
Fulfilling product orders | Contract Article 6(1)(b) GDPR | Processing stops when the contract ends unless law requires longer storage.
Answering enquiries | Legitimate interest Article 6(1)(f) | Balanced against your rights; you may object as described below.
Compliance and accounting | Legal obligation Article 6(1)(c) | Includes Swedish bookkeeping rules and tax audits.
Consent-based analytics or marketing cookies | Consent Article 6(1)(a) | Activated only through the cookie preferences panel.

Retention

Order documents follow statutory minimums, currently seven years for accounting attachments unless a longer period is mandated. Marketing enquiry emails are deleted or anonymised twenty-four months after the last substantive reply unless a dispute is open. Consent logs for cookies remain while the consent remains verifiable.

Recipients and transfers

We use carefully selected processors for hosting, transactional email, payments, and logistics. Standard Contractual Clauses or other transfer tools apply when a processor processes data outside the EEA. A list of categories is available on written request.

Security measures

We combine TLS encryption in transit, role-based access inside support teams, logging of administrative actions, patching routines for backing services, and contractual confidentiality clauses. No control eliminates every risk; we review incidents according to supervisory guidance.

Your rights

Exercise rights by writing to the postal address above or using the contact channels shown in the site footer. We verify identity proportionately before disclosing records.

Children

The storefront targets adults. We do not knowingly collect data from minors; please notify us if you believe we received a minor’s submission in error.

Updates

Material changes will be announced with a refreshed publication date at the top of this page. Continued use after changes means you acknowledge the revised notice where permitted by law.