Privacy Policy
Updated last: May 2026
DATA CONTROLLER
For data-protection enquiries, including any of the rights described below,
contact us at: hey@nordicposterstore.com
This Privacy Policy applies to personal data we process when you visit our
websites or purchase our products, regardless of which market you are in.
References to "GDPR" should be read as references to the EU General Data
Protection Regulation (Regulation 2016/679) and, for users in the United
Kingdom, the UK GDPR and the Data Protection Act 2018, as applicable.
COOKIES
Like most websites on the web we utilize “cookies”. A cookie is a small file that is stored on your computer (by your browser) and store text based values. The information stored in those files is used to be able to provide a good persisting customer experience i.e. not showing “welcome”-messages the first time you use the website, storing the products in your cart, your choices of language or currency. The allowed life time of this file is set depending on the purpose. You can prevent the usage of cookies by disabling the feature in your browser.
We are committed to only store what is necessary as part of pursuing our legitimate interest to maintain and develop our businesses. We are also committed to not storing anything longer than necessary or legally permitted.
AUTOMATIC COLLECTION OF DATA
When using this website we collect information regarding the usage of our services with the purpose of creating a good over all user experience and providing relevant information in marketing. The information is stored in an anonymized state meaning that it is not tied to any personal information.
Example of this is Google (Analytics and Tag manager). Google will on our behalf store and process anonymized data regarding your usage of our services. The nature of the data includes, but is not limited to, what pages you have visited, where you use our services from, and what device you are using. You may at any time withdraw your consent (opt-out) and prevent data from your usage being stored by installing the browser plugins provided by Google for this sole purpose. Google may store this information on servers located outside of the European Union. Google is thereby certified and compliant with everything required under EU-US Data Privacy Framework (DPF), in force since July 2023, and achieves highly sufficient security for handling and storing data of this type.
MANUALLY PROVIDES PERSONAL DATA
When you create an account, make a purchase, request information, or otherwise interact with us, we may ask for information to be able to fulfill your request. NordicPosterStore processes personal data to perform our contractual obligations and to comply with legal obligations. Furthermore, we process personal data to pursue our legitimate interest to maintain and develop our businesses.
Example of what we may ask for:
- Your Name.
- Your email address.
- Your address and phone number.
- In specific cases usernames and passwords, feedback, age, gender, and language.
DATA PROCESSING FOR PAYMENT
We use Stripe as our payment processor to enable you to use the Credit Cards and Swish and any other applicable method authorized by you and provided by our payment service provider.
A essential part of the services provided by us is being able to purchase our goods and services. We do this using partners that we have rigorously evaluated in terms of security and compliance. NordicPosterStore does never store or process information such as, but not limited to, credit card numbers or bank accounts. Any such information entered on our website or as a part of our services is only processed by the payment gateway.
LAWFUL BASIS FOR PROCESSING
Under GDPR Article 6, every processing activity must rely on a lawful basis.
We rely on the following:
• Performance of a contract - to fulfil orders, deliver products, send order
confirmations, handle returns and customer support requests, and operate
your account.
• Compliance with a legal obligation - to meet bookkeeping, tax, consumer-
protection and product-safety obligations applicable in our markets.
• Legitimate interests - to maintain the security of our website, prevent
fraud, analyse aggregate usage of our services to improve them, and conduct
customer surveys. We carry out a balancing test before relying on
legitimate interests and never override your fundamental rights.
• Consent - for non-essential cookies, marketing emails and any optional
data sharing. You can withdraw consent at any time without affecting the
lawfulness of processing carried out before withdrawal.
PROVIDING PRODUCTS AND SERVICES - We use your personal data to provide our
services, ship and deliver products you order, process your requests, ensure
the functionality and security of our services and correct delivery, identify
you, and prevent and investigate fraud and other misuse.
COMMUNICATION - We use your personal data to communicate with you, for
example to inform you of changes to our services, to send critical alerts
relating to our services and products, and to contact you for sales-related
purposes.
MARKETING - With your consent (or where otherwise permitted by law), we may
contact you about new products, services or promotions and conduct market
research. We may also use your personal data to personalise our offering and
to display tailored content and advertising, including third-party content.
You can object to marketing or withdraw consent at any time using the
unsubscribe link in any email or by contacting us.
SHARING YOUR PERSONAL DATA
We will never sell, lease or rent your personal data and may only disclose your personal data to third parties in the circumstances stated below.
- Companies in NordicPosterStore's corporate structureWe may share your personal data with other NordicPosterStore associated companies (affiliates or parent companies) or authorized third parties who process personal data on behalf of us, but only for the purposes described in this Policy and while the party are performing services for NordicPosterStore.
- Mandatory disclosures.We may access, disclose and preserve your personal data, when we have a good faith belief that doing so is necessary to: (1) comply with applicable law or respond to valid legal process from competent authorities, including from law enforcement or other government agencies; (2) protect our customers, (e.g. from spam or fraud and/or preventing serious injury or loss of life); (3) operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks; or (4) protect the rights or property of NordicPosterStore, including enforcing the terms governing the use of the Services, possibly in cooperation with law enforcement agencies.
- Mergers and Acquisitions.If NordicPosterStore is involved in a merger, acquisition or asset sale, we may transfer personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data.
- Companies listed under “Data shared with Third parties”
DATA SHARED WITH THIRD PARTIES
We share personal data to pursue our legitimate interest to maintain and develop our businesses but only to the following parties:
- Gelateo Sverige AB.Gelato provides NordicPosterStore with fulfilment and production services.
- Stripe. Stripe is our payment gateway and when paying for our products or services we provide Stripe with the required information to i.e but not limited to perform security and fraud validation, and store required transaction data applicable by law.
YOUR RIGHTS UNDER GDPR / UK GDPR
You have the following rights regarding the personal data we hold about you:
• Right of access (Art. 15) — to obtain a copy of your personal data and
information about how we process it.
• Right to rectification (Art. 16) — to have inaccurate or incomplete data
corrected.
• Right to erasure / "right to be forgotten" (Art. 17) — to request deletion
of your data, except where retention is required by law (e.g., bookkeeping
obligations) or to defend legal claims.
• Right to restriction of processing (Art. 18) — to limit how we use your
data while a dispute or rectification request is being resolved.
• Right to data portability (Art. 20) — to receive your data in a commonly
used, machine-readable format and have it transmitted to another
controller where technically feasible.
• Right to object (Art. 21) — to object to processing based on legitimate
interests, including direct marketing.
• Right to withdraw consent (Art. 7) — at any time, without affecting
lawfulness of processing prior to withdrawal.
• Right not to be subject to automated decision-making (Art. 22) — including
profiling that produces legal or similarly significant effects. We do not
currently carry out such processing.
To exercise any of these rights, contact us at hey@nordicposterstore.com. We
will respond within one month of receiving the request, in accordance with
GDPR Article 12.
RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
If you believe our processing of your personal data infringes data-protection
law, you have the right to lodge a complaint with the data-protection
authority in your country of residence:
• 🇸🇪 Sweden — Integritetsskyddsmyndigheten (IMY) — imy.se
• 🇳🇱 Netherlands — Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
• 🇩🇪 Germany — Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de (or your relevant state DPA)
• 🇬🇧 United Kingdom — Information Commissioner's Office (ICO) — ico.org.uk
• 🇮🇪 Ireland — Data Protection Commission (DPC) — dataprotection.ie
Users in other EU/EEA countries may contact their national data-protection
authority. We would, however, appreciate the opportunity to address your
concerns directly first — please contact us at hey@nordicposterstore.com.
DATA RETENTION
We retain your personal data only for as long as necessary for the purposes
described in this Policy, or for as long as required by law:
• Order data, invoices, payment records — 7 years after the end of the
calendar year in which the transaction occurred (Swedish Bookkeeping Act;
similar obligations in NL, DE, UK).
• Customer-support correspondence — up to 3 years after the last contact.
• Newsletter / marketing data — until you withdraw consent or unsubscribe.
• Cookie-based analytics data — as defined per cookie (typically 1 day to
26 months); see our cookie banner for details.
• Account information — until you request deletion or 3 years of inactivity,
whichever is earlier.
After the applicable retention period expires, we delete or anonymise the
data so it can no longer be associated with you.
CHILDREN'S DATA
Our services are not directed at children under 16. We do not knowingly
collect personal data from children under 16 without verifiable parental
consent. If you believe we may have collected such data, please contact us
and we will delete it promptly.
SAFEGUARDING PERSONAL DATA
By using the Services, you give us your consent to store, process and transfer your Personal Data, that we have collected, outside of your country of residence to the countries where the Data Hosting Providers' servers are located. In some instances you may use our Services in another country than where the Data Hosting Providers' servers are located and therefore your personal data may be transferred across international borders outside the country where you use our Services, including from countries outside the European Economic Area (EEA). In such cases we ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law, for example, by using standard agreements approved by relevant authorities (where necessary) and by requiring the use of other appropriate technical and organizational information security measures.
We do not store personal data longer than is legally permitted and necessary for the purposes of providing our services. The storage period depends on the nature of the information and the purposes of processing. The maximum period may therefore vary per use.
INTERNATIONAL DATA TRANSFERS
Some of our sub-processors may store or process your personal data on servers
located outside the European Economic Area (EEA) or the United Kingdom. When
such transfers occur, we ensure an adequate level of protection through one
or more of the following safeguards:
• Adequacy decisions issued by the European Commission or the UK Information
Commissioner.
• EU-US Data Privacy Framework (DPF) — for transfers to participating US
providers (e.g., Google).
• Standard Contractual Clauses (SCCs) approved by the European Commission,
supplemented where necessary by additional technical and organisational
measures (in line with the Schrems II ruling).
• UK International Data Transfer Agreement / UK Addendum to the EU SCCs for
transfers from the United Kingdom.
You may request a copy of the safeguards in place by contacting us.