Privacy policy
1. GENERAL
1.1 What does this policy cover?
This Privacy Policy (“Privacy Policy”) governs the processing of personal data collected from individual users (“you” and “your”) through the e-commerce website https://twistboxes.com (the “Website”). This Privacy Policy does not apply to any other websites, applications, or software integrated with the Website, nor does it apply to third-party products or services (for example, social media providers linked from the Website).
1.2 What is personal data?
Personal data refers to any information that directly or indirectly, in combination with other data, can identify a living individual. A non-exhaustive list of examples includes, among others:
- Name
- Personal identification number (where applicable)
- Delivery address
- Phone number
- Email address
- Order history
- User and device data
1.3 What is the processing of personal data?
Processing personal data includes any operation performed on personal data, whether automated or not, such as:
- Collection
- Registration
- Organization
- Storage
- Transfer
- Erasure
1.4 Who is responsible for your personal data?
The Website is owned and operated by Twistboxes AB, a company registered in Sweden with the Swedish Companies Registration Office (Sw. “Bolagsverket”), with the following corporate details:
Twistboxes AB
Registration number: 559353-9447
Address: Bystämmogatan 6, SE-725 91 Västerås, Sweden
VAT number: SE559353944701
Email: info@twistboxes.com
Twistboxes AB is the data controller and is responsible for the processing of your personal data in accordance with this Privacy Policy.
1.5 Legal basis for processing
We only process personal data when a legal basis exists under the GDPR. The legal bases we rely on include:
- Your consent
- Performance of a contract, such as processing your order or enabling Website functionality
- Compliance with a legal obligation, such as bookkeeping requirements
- Legitimate interests, after carrying out a balancing test where our interest outweighs your interest in the protection of your personal data, and only where such processing does not override your fundamental rights and freedoms
2. PERSONAL DATA WE COLLECT THROUGH THE WEBSITE
2.1 What personal data we collect and why
We only collect the minimum amount of personal data necessary (“data minimisation”) for the operation of the Website and for providing our services. Personal data is used for limited, specific, and legitimate purposes described in this Privacy Policy, including enabling access to the Website, fulfilling orders, customer service, communication, maintenance, statistics, and safeguarding our legitimate interests.
Below is an overview of the types of personal data we collect, the purpose of processing, the legal basis, and retention periods.
Product orders
Type of personal data: First name, last name, address, email address, phone number.
Purpose: To send order confirmations and receipts, deliver your products, manage returns, contact you when necessary, and provide customer service.
Legal basis: Performance of contract.
Retention: Stored for the period required by applicable law (typically at least 7 years).
Payments
Type of personal data: Payment information collected by our payment service providers, including billing and delivery address and payment method details (e.g., card information).
Purpose: To process payments and comply with bookkeeping obligations.
Legal basis: Performance of contract and legal obligation.
Retention: Stored for the period required by applicable law (typically at least 7 years).
Customer inquiries
Type of personal data: When contacting us via email, contact form, or chat, we collect your name (if provided), email address, phone number (if provided), and any information you choose to include in your message.
Purpose: To respond to inquiries, provide requested information, and offer customer support.
Legal basis: Legitimate interest (customer service), consent (where applicable), or performance of contract (when related to a purchase).
Additional clause: For optional personal data that you choose to provide, the lawful basis for processing is your consent.
Retention: Retained until the conversation is concluded and the matter is considered resolved.
Reviews
Type of personal data: Your name or display name, and any information you include in your product review.
Purpose: To publish your review on the Website and provide other customers or potential customers with insights about our products.
Legal basis: Consent.
Retention: Until you request deletion or until the review is no longer relevant (e.g., the product is discontinued).
Technical and device data
Type of personal data: IP address, browser type and version, device identifiers, operating system information, log files, usage data, cookie identifiers, and other technical data collected automatically through your interaction with the Website.
Purpose: To enable essential Website functionality, maintain security, prevent fraud, perform analytics, measure performance, improve the user experience, and comply with requirements under Google Consent Mode v2 and applicable ePrivacy rules.
Legal basis: Legitimate interest (Website functionality and security) and consent (where required for analytics or marketing cookies under ePrivacy).
Retention: Retained in accordance with our Cookie Policy or anonymised as soon as legally and operationally feasible.
2.2 Marketing and commercial communication
We send commercial communication only if:
i) you subscribe to our newsletter,
ii) you voluntarily provide your email address for marketing purposes, or
iii) you purchase a product from us and we rely on legitimate interest to inform you about similar products.
Such communication may include information about new products, Website features, and special offers. You may unsubscribe at any time by clicking “Unsubscribe” in our emails or by contacting us.
2.3 Transactional messages
We may send essential service messages such as order confirmations, receipts, invoices, shipping updates, or technical notices. These messages are not considered marketing and cannot be opted out of, as they are necessary for the performance of our contract with you.
2.4 Feedback and miscellaneous inquiries
If you provide feedback or submit questions, we may document your comments. Where possible, we anonymize such information. Once data is anonymized and can no longer be linked to an identifiable individual, it is no longer considered personal data and may be used for legitimate business purposes.
2.5 Sensitive personal data
We do not collect or process sensitive personal data (such as data relating to health, religion, ethnicity, political views, biometrics, sexual life, or union membership).
2.6 Sources of personal data
We collect personal data from:
- You directly, when making purchases or contacting us
- Your use of the Website, which generates technical data
- Third parties, such as payment providers, when legally permitted
2.7 Consequences of not providing personal data
If you choose not to provide certain personal data, we may not be able to process your order, respond to your inquiry, or provide full Website functionality. If you believe that any of the personal data we collect is excessive, irrelevant, or not necessary for its intended purpose, please inform us immediately, and we will review the data collection in accordance with our obligations under GDPR.
3. STORAGE OF PERSONAL DATA
3.1 Retention of personal data
We store personal data only as long as necessary for the purposes described in this Privacy Policy, or until you request deletion, unless otherwise required by law. Once no legal basis remains, the data is permanently deleted or anonymized.
3.2 Retention of anonymized data
Anonymized or non-personal data may be stored as long as necessary for analytics, audits, legal compliance, dispute resolution, or business optimization.
3.3 Legal retention obligations
When required by law (e.g., bookkeeping), we retain personal data for the mandated period (commonly seven years) before secure deletion.
4. PROTECTION AND DISCLOSURE OF PERSONAL DATA
4.1 How we protect your data
We use appropriate technical and organisational measures to safeguard personal data against loss, misuse, and unauthorised access. Our security measures include:
- secure networks and encrypted communication where applicable
- strong passwords and access controls
- restricted employee access on a “need-to-know” basis
- multi-factor authentication where relevant
- anonymization or pseudonymization whenever possible
- regular updates and security patches
- careful selection and contractual control of data processors
4.2 When we share your data
We do not sell your personal data and have no intention of doing so in the future. We only share your personal data with trusted service providers when necessary to fulfil the purposes described in this Privacy Policy. We may share your personal data for the following purposes:
- operating, hosting, and maintaining the Website;
- processing and fulfilling your product orders;
- shipping, delivery, and logistics;
- processing payments and preventing payment fraud;
- providing customer service and communication;
- ensuring security, preventing misuse, and detecting fraudulent activity;
- fulfilling our contractual obligations;
- complying with legal requirements or responding to lawful requests from authorities.
Any service provider that processes personal data on our behalf is bound by contractual data protection obligations that ensure your data remains protected in accordance with applicable law. All processors are contractually required to process personal data solely in accordance with our documented instructions and are prohibited from using the data for any other purpose.
4.3 How we share your personal data
Although Twistboxes AB is based in Sweden, within the European Economic Area (EEA), some of our data processors or service providers may be located outside the EEA or outside the country where you reside. This means that your personal data may need to be transferred internationally.
Whenever such transfers occur, we ensure that your personal data remains protected in accordance with applicable data protection laws. This is achieved by:
- Ensuring that the destination country has been granted an adequacy decision by the European Commission; or
- Entering into a data processing agreement with the recipient that includes the European Commission’s Standard Contractual Clauses (SCCs) or other legally approved safeguards; and
- Implementing additional technical and organisational measures, where necessary, to ensure an equivalent level of protection.
These measures guarantee that any international transfer provides a level of data protection essentially equivalent to that within the EU/EEA.
5. YOUR RIGHTS
5.1 Your rights under GDPR
You have the following rights, subject to legal limitations:
- Right of access – to obtain a copy of your personal data and information on how it is processed
- Right to rectification – to correct inaccurate or incomplete data
- Right to erasure – to request deletion of your data in certain cases
- Right to restriction – to request limited processing in specific circumstances
- Right to data portability – to receive your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller, where the processing is carried out by automated means and based on your consent or on a contract
- Right to object – to object to processing based on legitimate interest, and to all direct marketing
- Right to withdraw consent – at any time, without affecting prior lawful processing
- Right to lodge a complaint – with a supervisory authority (e.g., the Swedish Authority for Privacy Protection)
5.2 How to exercise your rights
To exercise any of your rights, please contact us at info@twistboxes.com using the subject line “GDPR Request” and clearly describe your request. To protect your data, we may request additional information to verify your identity. We aim to respond within 30 days, as required by law.
6. OTHER INFORMATION
6.1 Validity
This Privacy Policy is effective from the “Last Updated” date below and remains in force until replaced or amended.
6.2 Changes to this Policy
We may update this Privacy Policy from time to time. The latest version will always be available on the Website. If we make material changes affecting our processing of personal data, we will notify you and request new consent where required.
6.3 Children’s data
The Website is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete the information.
6.4 Contact
If you have any questions about this Privacy Policy or our processing of personal data, please contact us:
Twistboxes AB
Registration number: 559353-9447
Address: Bystämmogatan 6, SE-725 91 Västerås, Sweden
Email: info@twistboxes.com
This Privacy Policy was created on 2025-11-04 and last updated on 2025-11-24.