Privacy Policy
Settings — 2026-06-09
1. Data Controller
The data controller responsible for processing your personal data is the operator of this online store ("we", "us"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR – Regulation 2016/679) and applicable national data protection laws of all EU/EEA Member States, including Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the EEA states of Iceland, Liechtenstein, and Norway.
2. Personal Data We Collect
- Account data: name, email address, hashed password.
- Order data: delivery address, phone number, order history, payment reference.
- Technical data: IP address, browser type, device type, preferred language, cookie identifiers.
- Usage data: pages visited, search queries, items viewed.
3. Legal Basis for Processing (GDPR Art. 6)
- Art. 6(1)(b) – Contract: processing necessary to fulfil your purchase order and manage your account.
- Art. 6(1)(c) – Legal obligation: tax reporting, anti-fraud requirements, food safety traceability (Regulation EC 178/2002).
- Art. 6(1)(a) – Consent: marketing emails, analytics cookies, and any processing requiring explicit opt-in.
- Art. 6(1)(f) – Legitimate interest: fraud prevention, service improvement, anonymised analytics.
4. Data Sharing & Transfers
We may share data with: payment processors (Stripe), delivery carriers, and hosting providers. All sub-processors are GDPR-compliant or located in countries with an adequacy decision (Art. 45) or bound by Standard Contractual Clauses (Art. 46). We do not sell personal data.
5. Data Retention
Account data is retained for the duration of your account. Order records are kept for the legally required period (typically 7–10 years depending on national tax law). Marketing consent records are kept until withdrawal. Technical logs are deleted after 90 days.
6. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Not be subject to solely automated decisions (Art. 22)
To exercise any right, contact us at info@rewiab.se. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
7. Cookies & Analytics
We use strictly necessary cookies (session, CSRF protection, language and currency preference) without consent. We do not set advertising or third-party tracking cookies and we do not share any data with ad networks.
To understand how the store is used we operate our own first-party, privacy-preserving analytics. A random session identifier is stored in your browser's localStorage for up to 30 minutes of inactivity. Your IP address is truncated server-side to a /24 prefix before storage so it cannot be linked to a household, and we never share it with any third party. Because the data is strictly first-party, anonymised and used only for aggregate site statistics, the legal basis is our legitimate interest under GDPR Art. 6(1)(f) and no banner-based opt-in is required under the ePrivacy Directive (2002/58/EC). You can disable this at any time in your browser's privacy settings or by browsing in private/incognito mode.
8. Scandinavian-Specific Provisions
- Sweden: Processing complies with the Swedish Authority for Privacy Protection (IMY) guidelines.
- Denmark: Compliant with the Danish Data Protection Act (Databeskyttelsesloven).
- Finland: Processing follows the Data Protection Act (Tietosuojalaki 1050/2018).
- Norway (EEA): We comply with the Norwegian Personal Data Act (Personopplysningsloven) and Datatilsynet guidance.
9. Security
We implement encryption in transit (TLS 1.2+), at-rest encryption for databases, access control, regular security audits, and incident response procedures in accordance with GDPR Art. 32.
10. Changes
We may update this policy periodically. Material changes will be communicated by email or an in-app notification at least 14 days before they take effect.
