Pontus Karlsson
Updated 2025-06-01

Privacy Policy

This policy explains what personal data we collect, why we collect it, how it is used, and your rights. The data controller is Pontus Karlsson, Sweden (inquiries@pontuskarlsson.art).

1. Data we collect and why

We collect the following categories of personal data:

  • Contact and order data — name, email address, shipping address, and billing address. Collected when you place an order or contact us by email. Used to fulfil your order, arrange shipment, and communicate with you about your purchase.
  • Payment metadata — transaction reference, amount, and currency. Your card details are handled exclusively by Stripe and are never stored by us.
  • Email address (newsletter) — if you subscribe to our mailing list, your address is stored with Mailchimp to send you updates about new works and exhibitions (maximum two emails per year). You can unsubscribe at any time.

2. Legal basis (GDPR)

  • Performance of a contract (Art. 6(1)(b) GDPR) — order and shipping data is processed because it is necessary to fulfil your purchase.
  • Legal obligation (Art. 6(1)(c) GDPR) — order and invoice data is retained to comply with the Swedish Bookkeeping Act (Bokföringslagen).
  • Consent (Art. 6(1)(a) GDPR) — newsletter subscription is based on your explicit opt-in.

3. Third-party processors

We use the following sub-processors, each bound by data processing agreements:

  • Stripe — payment processing. Stripe is PCI DSS certified and processes card data under its own privacy policy (stripe.com/privacy).
  • Medusa — order management platform. Stores order and customer data on our behalf.
  • Resend — transactional email. Used to send order confirmations to you and to us. Your email and name are passed to Resend solely for this purpose.
  • Mailchimp — newsletter distribution. Your email is stored by Mailchimp if you have subscribed. See their policy at mailchimp.com/legal.
  • Netlify — website hosting. Server logs may include your IP address for security and diagnostic purposes.

We do not sell or share your personal data with any third party for marketing or advertising purposes.

4. How long we keep your data

  • Order and invoice data — retained for 7 years to comply with the Swedish Bookkeeping Act.
  • Newsletter subscriptions — retained until you unsubscribe.
  • Email enquiries — retained for as long as necessary to handle your enquiry and for up to 2 years thereafter.

5. Cookies

This site uses only strictly necessary cookies required for the checkout process (set by Stripe to manage your payment session). These cookies do not track you across other sites and do not require your consent. We do not currently use analytics or advertising cookies. Should this change, we will update this policy and request your consent via a cookie banner.

6. Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — unsubscribe from the newsletter at any time.

To exercise any of these rights, contact us at inquiries@pontuskarlsson.art. We will respond within 30 days.

7. Supervisory authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY).

Questions? Contact us at inquiries@pontuskarlsson.art or read our Terms of Sale.