SAPA Maison crest logo

SAPA

Legal · GDPR

Privacy Policy

This Privacy Policy explains how iCRO-SEO Digital Agency AB ("we", "us") collects, uses, shares and protects personal data of visitors and customers of the SAPA online boutique, in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Swedish data protection law.

Effective 9 May 2026

01

Data Controller

The data controller for personal data processed via this website is iCRO-SEO Digital Agency AB, registered in Sweden under organisation number 559086-8757.

Contact for privacy matters: info@quantrogroup.com

02

What data we collect

  • Identity & contact: name, email, phone number, billing and shipping address.
  • Order data: products, sizes, prices, order numbers, returns, communication regarding your order.
  • Payment data: processed exclusively by our payment provider Stripe Payments Europe, Ltd. We never store full card numbers; we receive a tokenised reference and the last four digits.
  • Account data: if you create an account — login credentials, preferences, order history.
  • Technical data: IP address, device type, browser, language, pages visited, referring URL, timestamps, cookie identifiers.
  • Marketing data: if you subscribe to our newsletter — email address and engagement metrics.
03

Why we process your data (legal basis)

  • Performance of contract (Art. 6(1)(b) GDPR) — to process your order, payment, shipment, returns and customer service.
  • Legal obligation (Art. 6(1)(c) GDPR) — bookkeeping under the Swedish Bookkeeping Act (Bokföringslagen 1999:1078), tax law and consumer law obligations.
  • Legitimate interest (Art. 6(1)(f) GDPR) — fraud prevention, IT security, analytics on aggregated level, defending legal claims.
  • Consent (Art. 6(1)(a) GDPR) — non-essential cookies, marketing emails, push notifications. You may withdraw consent at any time.
04

Retention periods

  • Order, invoice and accounting records: 7 years from the end of the calendar year of the transaction (Bokföringslagen).
  • Customer account data: until you close the account, then deleted within 90 days.
  • Newsletter subscription: until you unsubscribe.
  • Server logs: max 12 months.
  • Cookie data: see our Cookie Policy.
05

Who we share data with

We share personal data only with carefully selected processors acting on our behalf:

  • Payment processing — Stripe Payments Europe, Ltd. (Ireland).
  • Shipping carriers — DHL, PostNord, UPS or DPD depending on destination.
  • Email and CRM — for order confirmations and (with consent) marketing.
  • Hosting and cloud infrastructure — within the EU/EEA where possible.
  • Auditors, accountants and legal advisors under confidentiality.
  • Public authorities where required by law.

Where transfer outside EU/EEA is necessary, we rely on the EU Standard Contractual Clauses or an adequacy decision by the European Commission.

06

Your rights under GDPR

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16).
  • Right to erasure / "right to be forgotten" (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21), including against direct marketing.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — imy.se.

To exercise any of your rights, contact info@quantrogroup.com. We respond within 30 days.

07

Security

We apply appropriate technical and organisational measures including TLS encryption in transit, encryption at rest for sensitive data, role-based access control, regular security reviews, and PCI-DSS-compliant payment processing through Stripe.

08

Changes to this policy

We may update this policy. The current version will always be available on this page with the effective date above.