Skip to content

Privacy Policy

Last updated: March 2026

We care about your privacy. This policy explains what data we collect, why, the legal basis for processing, and how we handle it.

This document is published in Swedish and English. In the event of any conflict between language versions, the Swedish text takes precedence.

Data controller

The data controller for personal data processed through SLO is SLO Earth AB, org.nr 559479-6517, Typografvägen 1, 126 53 Hägersten, Sweden. Contact: slo@slo.earth.

SLO is a small company and is not required to appoint a Data Protection Officer under GDPR Article 37. For all data protection inquiries, contact slo@slo.earth.

What we collect

Account information — When you sign up, we collect your name, email address, and optionally your phone number through our authentication provider, Clerk. You can also add a profile image.

Shop and business details — If you create a shop, we store your business name, contact information, address, VAT/org number, and payment details (bank account, Swish, Stripe Connect ID).

Orders and transactions — When you place or receive orders, we store order details, delivery and billing addresses, item quantities, prices, and payment status.

Location data — If you add a shop location, we use Google Places to look up addresses, coordinates, and business details. We also calculate delivery routes between locations.

Follower and list data — When you follow a shop, the shop owner can see your name, email, and order history summary. For business (B2B) followers, your organization name, billing address, and contact details are also visible to the shops you follow.

Usage data — We use Google Analytics to understand how people use SLO. This helps us improve the product.

Legal basis for processing

We process personal data under the following legal bases (GDPR Article 6):

Contractual necessity (Art. 6(1)(b)) — Account information, shop details, order data, delivery addresses, and payment processing. This data is necessary to provide the platform services you have signed up for.

Legitimate interest (Art. 6(1)(f)) — Usage analytics (to improve the platform), default email notifications (to keep you informed about your orders), and AI-assisted product management (to help producers manage their catalogue efficiently). You have the right to object to processing based on legitimate interest.

Consent (Art. 6(1)(a)) — SMS notifications (opt-in only) and non-essential cookies (analytics). You can withdraw consent at any time without affecting the lawfulness of prior processing.

Legal obligation (Art. 6(1)(c)) — Order and transaction records are retained as required by Swedish bookkeeping law (Bokföringslagen).

Services we use (sub-processors)

We have Data Processing Agreements (DPAs) in place with all sub-processors listed below, in accordance with GDPR Article 28.

Clerk (USA) — Authentication and user accounts. Handles sign-up, login, and session management.

Stripe (USA) — Payment processing. Handles card payments and payouts to producers. We never see or store your full card number.

Sanity (Norway/EU) — Our content database. Stores shops, products, orders, and all platform content.

Resend (USA) — Email delivery. Sends order confirmations and notifications.

46elks (Sweden) — SMS delivery. Sends order and follower notifications to users who opt in to SMS.

Google Analytics (USA) — Usage statistics. Only activated with your consent.

Google Places (USA) — Address lookup and geocoding for shop locations.

OpenRouteService (Germany/EU) — Delivery route calculation between locations.

Anthropic Claude (USA) — AI-assisted product management. Product data may be processed to help with inventory and descriptions.

OpenAI Whisper (USA) — Audio transcription for voice-based product input.

Fly.io (USA, servers in EU) — Application hosting. Our servers run in the EU (Stockholm region).

Data transfers outside the EU/EEA

Some of our sub-processors are based in the United States: Clerk, Stripe, Resend, Google, Anthropic, OpenAI, and Fly.io. When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place.

These transfers are protected by the EU-US Data Privacy Framework (for certified providers) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. Fly.io processes data on servers located in the EU (Stockholm). You may request a copy of the relevant safeguards by contacting us.

Notifications and preferences

You can receive notifications by email and SMS. Email notifications are on by default (legitimate interest) and can be turned off. SMS notifications are off by default and require your explicit consent. You can manage your notification preferences from your account settings at any time.

Cookies and local storage

We use strictly necessary cookies to keep you logged in (no consent required). We also use your browser’s local storage to remember your shopping cart and active account. We do not use advertising cookies or trackers.

Analytics cookies (Google Analytics) are only set with your prior consent, as required by Swedish law (LEK 2022:482). You can manage your cookie preferences at any time.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15) — You can request a copy of all personal data we hold about you.

Right to rectification (Art. 16) — You can ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17) — You can request deletion of your personal data, subject to legal retention obligations.

Right to restriction (Art. 18) — You can ask us to temporarily stop processing your data in certain circumstances.

Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format for transfer to another service.

Right to object (Art. 21) — You can object to processing based on legitimate interest, including direct marketing. We will stop processing unless we have compelling legitimate grounds.

Where we rely on your consent (SMS notifications, analytics cookies), you can withdraw consent at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) if you believe your personal data is being processed unlawfully. IMY: imy.se, Box 8114, 104 20 Stockholm.

Data retention

Account data — Retained for as long as your account is active. If you delete your account, your personal data is removed within 30 days.

Order and transaction records — Retained for 7 years after the end of the fiscal year, as required by Swedish bookkeeping law (Bokföringslagen 7 kap. 2 §).

Analytics data — Google Analytics data is retained according to your consent preferences. We do not store analytics data on our own servers.

Is providing data mandatory?

Providing your name and email is required to create an account and use SLO. If you are a producer, business and payment details are required to receive orders and payouts. Providing this data is a contractual requirement — without it, we cannot provide the corresponding services. No data is collected based on a statutory obligation at the time of collection.

Automated decision-making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. AI tools (Anthropic Claude, OpenAI Whisper) are used solely to assist producers with product descriptions, inventory, and voice input. They do not make decisions about individuals.

Children

SLO is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay, in accordance with GDPR Article 34.

Changes to this policy

We may update this policy from time to time. We will notify registered users of significant changes via email. The date at the top of this page indicates when the policy was last updated.

Questions?

If you have any questions about this policy or your data, email us at slo@slo.earth