Privacy Policy
Last updated: 3 June 2026
This policy explains how Walldoff 3D (operated by Walldoff Studios AB) collects, uses, shares and protects your personal data, and the rights you have under the EU General Data Protection Regulation (GDPR / Regulation (EU) 2016/679) and Swedish data-protection law.
We're a small hobby 3D-printing shop, so we collect as little as we can and never sell your data. See also our Cookie Policy and Terms of Service.
1. Data controller
The data controller responsible for your personal data is:
- Walldoff Studios AB
- Organisation number: 559490-5902
- VAT number: SE559490590201
- Address: Stramaljvägen 26, 168 73 Bromma, Sweden
- Email: hello@walldoff3d.se
We have not appointed a Data Protection Officer (DPO), as we are not legally required to. For any privacy matter, contact us at the email above and mark your message “Privacy”.
2. What data we collect
We collect only what we need to run the shop and fulfil your orders:
- Account data: email address, password (stored only as a salted hash by our authentication provider), display name and any profile details you choose to add.
- Order data: the items you order, chosen material, colour, size and configuration, prices, VAT, discounts, order number, order history and order/queue status.
- Delivery data: recipient name, shipping address, chosen delivery method or service point (ombud), and the phone number / email used for carrier delivery notifications.
- Payment data: processed by Stripe. We receive a payment confirmation, the amount, currency, a payment-intent reference and limited card metadata (e.g. card brand and last four digits). We never see or store your full card number, CVC or PIN.
- Communications: messages you send us via the contact form, email or custom-request flow, including any reference images or model files you upload for a custom request.
- Usage & wishlist data: items you wishlist and in-app notifications, used to operate those features and to gauge print demand in aggregate.
- Technical data: IP address, basic request/server logs, security and rate-limiting data, and the strictly necessary cookies/local storage needed to run the site (see our Cookie Policy).
We do not knowingly collect special-category data (such as health, ethnicity or political views). Please don't send us such data in messages or custom requests.
3. Why we use it and the legal basis
Under Article 6 GDPR we rely on the following legal bases for each purpose:
- To create and manage your account and let you sign in — performance of a contract (Art. 6(1)(b)).
- To process and fulfil your order (take payment, print, post-process, pack, ship and support it) — performance of a contract (Art. 6(1)(b)).
- To send transactional order & delivery notifications (confirmation, status changes, tracking) — performance of a contract (Art. 6(1)(b)).
- To keep accounting and tax records — legal obligation (Art. 6(1)(c)), under the Swedish Bookkeeping Act (Bokföringslagen 1999:1078).
- To handle returns, refunds, complaints and disputes — performance of a contract and legal obligation, and our legitimate interest in defending legal claims (Art. 6(1)(b), (c) and (f)).
- To run, secure and prevent fraud/abuse of the website (logging, rate limiting, payment-fraud checks) — legitimate interest in a secure, working service (Art. 6(1)(f)).
- To respond to your messages and custom requests — performance of a contract / taking steps before a contract, or legitimate interest (Art. 6(1)(b) and (f)).
We do not send marketing emails and do not use your data for advertising, behavioural profiling or to build customer profiles. We do not sell your personal data to anyone.
4. Who we share data with (processors)
We don't sell or rent your data. We share it only with the service providers (“processors”) that help us operate the shop, and only the data each one needs. Each acts under a data-processing agreement and only on our instructions:
- Stripe — payment processing and fraud prevention. Acts as an independent controller for parts of payment handling. See stripe.com/privacy.
- Supabase — database, authentication and file storage hosting (your account, orders and uploaded files).
- Resend — sending transactional emails such as order confirmations and delivery updates.
- PostNord and Instabox / Instabee — shipping and delivery. We share the recipient name, address or chosen service point, and contact details needed to deliver your parcel and provide tracking.
- Vercel — hosting of the website / application.
- Fly.io — hosting of our background workers (queue, email and fulfilment jobs).
- Upstash — Redis used for the job queue and rate limiting.
We may also disclose data where we are legally required to (for example to a tax or law-enforcement authority), or to establish, exercise or defend legal claims.
5. International transfers
We aim to keep data within the EU/EEA. Some of our providers are US-based or operate globally, so your data may be processed outside the EU/EEA. Where that happens, we rely on an appropriate GDPR transfer mechanism — typically the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework — together with additional safeguards. You can request more detail about a specific provider by emailing us.
6. How long we keep it
We keep personal data only as long as needed for the purpose it was collected, then delete or anonymise it:
- Account data: for as long as your account is active. If you close your account or ask us to delete it, we remove it — except data we must keep for legal reasons (see below).
- Order & invoice / accounting data: retained for up to 7 years after the end of the relevant financial year, as required by the Swedish Bookkeeping Act.
- Delivery data: kept with the order record; the carrier keeps its own copy under its own policy.
- Custom-request uploads and reference images: kept while needed to quote and fulfil the request, then deleted once it is completed or declined.
- Support messages: kept as long as needed to handle your query and any related warranty/complaint period.
- Technical / security logs: kept for a short period for security and troubleshooting, then rotated out.
7. How we protect your data
We apply appropriate technical and organisational measures, including: encryption in transit (HTTPS), access controls and row-level security on the database, hashed passwords, signed/expiring URLs for private files, payment handling delegated to PCI-DSS-compliant Stripe, rate limiting and signed webhooks. No method is 100% secure, but we work to keep your data safe and will notify you and the supervisory authority of a qualifying data breach as required by the GDPR.
8. Automated decisions & profiling
We do not carry out automated decision-making that produces legal or similarly significant effects on you under Article 22 GDPR. Our payment provider, Stripe, may run automated fraud checks as part of processing a payment.
9. Children
The shop is intended for adults. We don't knowingly collect personal data from children under 13. If you believe a child has provided us data, contact us and we will delete it.
10. Your rights
Under the GDPR you have the right to:
- Access — obtain a copy of the personal data we hold about you;
- Rectification — have inaccurate or incomplete data corrected;
- Erasure — have your data deleted where there is no overriding legal obligation to keep it;
- Restriction — limit how we process your data in certain cases;
- Objection — object to processing based on our legitimate interests;
- Portability — receive data you provided in a structured, machine-readable format;
- Withdraw consent — at any time, where processing is based on consent (this doesn't affect processing done before withdrawal).
To exercise any right, email hello@walldoff3d.se. We may need to verify your identity first, and we aim to respond within one month. Exercising your rights is free unless a request is manifestly unfounded or excessive.
11. Complaints
We'd like the chance to resolve any concern first, so please contact us. You also have the right to lodge a complaint with the Swedish data-protection authority, Integritetsskyddsmyndigheten (IMY) (imy.se), or with the supervisory authority in your EU country of residence.
12. Changes to this policy
We may update this policy as our shop or the law changes. The current version, with its “last updated” date at the top, always applies. For significant changes we'll make the update clear on the site.