Updated 2026-05-31

Privacy Policy

This policy explains what personal data we collect, why we collect it, how it is used, and your rights. The data controller is Pontus Karlsson, Sweden (inquiries@pontuskarlsson.art).

1. Data we collect and why

We collect the following categories of personal data:

  • Contact and order data: name, email address, shipping address, and billing address. Collected when you place an order or contact us by email. Used to fulfil your order, arrange shipment, and communicate with you about your purchase.
  • Payment metadata: transaction reference, amount, and currency. Your card details are handled exclusively by Stripe and are never stored by us.
  • Email address (newsletter): if you subscribe to our mailing list, your address is processed by Resend to send you updates about new works and exhibitions (maximum two emails per year). You can unsubscribe at any time.
  • Private preview links: when you open a subscriber or client preview URL, we increment an anonymous view counter on that preview document (no personal data is stored with the count).

2. Legal basis (GDPR)

  • Performance of a contract (Art. 6(1)(b) GDPR): order and shipping data is processed because it is necessary to fulfil your purchase.
  • Legal obligation (Art. 6(1)(c) GDPR): order and invoice data is retained to comply with the Swedish Bookkeeping Act (Bokföringslagen).
  • Consent (Art. 6(1)(a) GDPR): newsletter subscription and optional analytics/marketing cookies (via our cookie banner).
  • Legitimate interests (Art. 6(1)(f) GDPR): aggregated, cookieless site statistics (Simple Analytics) and anonymous preview link view counts, where we balance our interest in understanding reach against your privacy; you may object by contacting us.

3. Third-party processors

We use the following sub-processors, each bound by data processing agreements:

  • Stripe: payment processing. Stripe is PCI DSS certified and processes card data under its own privacy policy (stripe.com/privacy).
  • Medusa: order management platform. Stores order and customer data on our behalf.
  • Resend: transactional email, order notifications, and newsletter delivery. Your email (and name when provided) is stored by Resend if you order or subscribe. See resend.com/legal.
  • Simple Analytics: aggregated, cookieless page-view statistics (no personal profiles). Enabled via our hosting provider.
  • Netlify: website hosting. Server logs may include your IP address for security and diagnostic purposes.

We do not sell or share your personal data with any third party for marketing or advertising purposes beyond what you consent to in the cookie banner (e.g. Google Analytics or Meta Pixel, if enabled).

International transfers

Some processors are located outside the EU/EEA (including the United States), such as Stripe, Resend, Netlify, and optionally Google or Meta if you accept those cookies. Transfers are made with appropriate safeguards, typically Standard Contractual Clauses or equivalent mechanisms offered by the provider.

4. How long we keep your data

  • Order and invoice data: retained for 7 years to comply with the Swedish Bookkeeping Act.
  • Newsletter subscriptions: retained until you unsubscribe.
  • Email enquiries: retained for as long as necessary to handle your enquiry and for up to 2 years thereafter.

5. Cookies

Strictly necessary: cookies set by Stripe during checkout to manage your payment session. These do not require consent.

Simple Analytics: we use Simple Analytics for aggregated, cookieless traffic statistics. According to the provider, it does not use cookies for tracking.

Optional (with consent): if you accept analytics or marketing in our cookie banner, Google Analytics 4 and/or Meta Pixel may set cookies. You can change your choice at any time via the cookie preferences control on the site.

6. Your rights

Under GDPR you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: ask us to delete your data, subject to legal retention obligations.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: unsubscribe from the newsletter at any time.

To exercise any of these rights, contact us at inquiries@pontuskarlsson.art. We will respond within 30 days.

7. Supervisory authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY).

Questions? Contact us at inquiries@pontuskarlsson.art or read our Terms of Sale.