Privacy Policy
Last updated: February 25, 2026
1. Introduction
NorthLuma AB ("NorthLuma," "we," "our," or "us") is a Swedish company that provides professional WordPress
website design, development, and related digital services. This Privacy Policy explains how we collect, use,
store, and protect your personal data in accordance with the EU General Data Protection Regulation
(GDPR) and Swedish data protection law (Dataskyddslagen).
By using our website (northluma.com) or ordering our services, you
acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Information You Provide
- Contact & Order Information: Name, email address, phone number, WhatsApp number,
company name, country, and project requirements when you submit an order or inquiry.
- Communication Data: Messages, emails, and chat conversations with our team or chatbot.
- Payment Information: Payment is processed by Stripe, Inc. We do not
store your credit card number, CVV, or full card details on our servers. Stripe processes and stores
this data under their own Privacy Policy and is
PCI-DSS Level 1 certified.
2.2 Information Collected Automatically
- Usage Data: Pages visited, time on site, click patterns, and referral source.
- Device Data: Browser type, operating system, screen resolution, and IP address.
- Cookies: We use cookies for language preference, analytics, and session management. See
Section 7 for details.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to fulfill your website order
and deliver our services.
- Legitimate Interest (Art. 6(1)(f)): Analytics, fraud prevention, and improving our
services.
- Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies. You may
withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Tax records, invoicing, and compliance with Swedish
law.
4. How We Use Your Data
- To process and fulfill your website order
- To communicate with you about your project (email, WhatsApp, phone)
- To process payments via Stripe
- To send order confirmations and project updates
- To improve our services and website experience
- To detect and prevent fraud or abuse
- To comply with legal and tax obligations under Swedish law
5. Data Sharing & Third Parties
We share your data only when necessary:
- Stripe, Inc. – Payment processing (Privacy Policy)
- Resend – Transactional email delivery
- Google Analytics – Website analytics (anonymized, with consent)
- OpenAI – Chatbot assistance (no personal data is stored by OpenAI)
- Hosting Provider – Secure server infrastructure within the EU/EEA
We never sell your personal data to third parties. We do not share data with advertisers or
data brokers.
6. Data Storage & Security
- Data is stored on servers located within the EU/EEA.
- All data transmission is encrypted via TLS/SSL (256-bit).
- Access to personal data is limited to authorized personnel only.
- Payment data is handled exclusively by Stripe (PCI-DSS Level 1).
- We conduct regular security reviews to protect your information.
7. Cookies
We use the following types of cookies:
- Essential Cookies: Language preference (nl_lang), cookie consent status
(nl_cookie_consent). Required for the site to function. Cannot be disabled.
- Analytics Cookies: Only activated with your consent. Help us understand how visitors
interact with our site. Data is anonymized.
You can manage cookie preferences through the cookie banner on our website. You may also clear cookies
through your browser settings at any time.
8. Data Retention
- Order data: Retained for 7 years to comply with Swedish bookkeeping law
(Bokföringslagen).
- Communication data: Retained for 2 years after project completion, then deleted.
- Analytics data: Retained for 26 months (anonymized).
- Cookie data: Session cookies expire on browser close; preference cookies expire after 1
year.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"),
subject to legal retention requirements.
- Right to Restriction (Art. 18): Request that we limit processing of your data.
- Right to Data Portability (Art. 20): Receive your data in a structured,
machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for analytics cookies or
marketing at any time.
To exercise any of these rights, contact us at support@northluma.com. We will respond within 30
days.
10. International Transfers
Some of our service providers (Stripe, OpenAI) are based in the United States. Transfers to the US are
protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) where
applicable.
11. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data
from children. If you believe we have collected data from a child, contact us and we will delete it
promptly.
12. Supervisory Authority
If you believe we have not handled your data properly, you have the right to lodge a complaint with the
Swedish Authority for Privacy Protection (IMY):
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a
prominent notice on our website. The "Last updated" date at the top reflects the latest revision.
14. Contact Us