Privacy Policy | Doner Knives

Privacy Policy for DonerKnives.com

1. Company and Data Controller Information

This Privacy Policy explains how DonerKnives.com (the “Website”) collects, uses, and protects your personal data in compliance with the EU General Data Protection Regulation (GDPR). The Website is owned and operated by Royals Media AB, which is the data controller responsible for your personal data. Our registered address is Nöbbelövs Torg 31, 226 52 Lund, Sweden. If you have any questions or requests regarding your personal data, you can contact us by email at contact@donerknives.com or by mail at the address above. We are committed to protecting your privacy and ensuring the security of your information. We do not sell or rent your personal data to third parties.

2. Personal Data We Collect

We collect various types of personal information in order to provide our e-commerce services. The data we collect includes:

Identity and Contact Information: Name, billing address, shipping address, email address, telephone number, and other contact details you provide. This information is collected, for example, when you create an account or place an order.
Account Credentials: If you register an account, we collect login details such as username and password (stored in hashed/encrypted form).
Order and Transaction Information: Details of the products you have ordered, order dates, order number, and purchase history. We also record transaction details such as payment method and transaction ID. (Note: we do not store your full credit card or bank account numbers on our servers – payment details are handled securely by our payment provider, Mollie .)
Payment Information: While we do not collect or store sensitive payment card data ourselves, our payment processor may collect payment details (e.g. credit card number or bank account) to process your order . We retain non-sensitive payment metadata such as payment type, amount, and status for record-keeping.
Communication Data: Any personal data you provide when contacting us (for example, via our custom contact form or email), such as your name, email, company/organization, and the content of your inquiry or message.
Newsletter Information: If you sign up for our email newsletter, we collect your email address (and optionally your name) to send you promotional updates.
Usage and Technical Data: When you visit our Website, we collect certain data automatically via cookies and similar tracking technologies. This includes your IP address, browser type and version, device identifiers, operating system, referral URL, and information about how you interact with the site (pages viewed, clicks, time spent, etc.). For instance, our analytics tools may record your general geographic location (city/country) and browsing actions on our site. Google Analytics 4 is configured not to store your full IP address . We may also use cookies to remember your preferences (such as items in your cart or product filter settings) to improve your experience. (See the Cookies and Tracking section below for more details.)
Cookies and Identifiers: Cookies are small text files stored on your device. We assign you a unique customer identifier (via cookies or similar) when you use our site to help recognize you, maintain your session (e.g., keeping you logged in or preserving your shopping cart), and gather analytics data. Some cookies are essential for the Website to function, while others are used for analytics and preference customization.

We only collect personal data that you voluntarily provide to us or that is necessary to provide our services. Where we ask for personal data, you have the option not to provide it; however, please note that if you choose not to provide certain information (such as address or payment details), we may not be able to fulfill your order or provide certain services.

3. How We Collect Personal Data

We collect personal data through several channels:

Directly from You: Most of the data we process is provided directly by you. For example, you give us your information when you: create an account on our site, place an order and fill out the checkout form, enter information into your account profile, submit a message through our contact form, or subscribe to our newsletter. This data is provided voluntarily by you as part of using our Website and services.
Through Your Use of the Website: When you browse or use our online store, we automatically collect technical and usage data via cookies, analytics scripts, and server logs. This includes information such as your IP address, browser type, pages visited, and actions taken on the site. We use Google Analytics 4 (via the Site Kit plugin) to gather aggregate usage statistics; Google Analytics uses first-party cookies to distinguish users and track site usage. However, Google Analytics 4 does not record or store your individual IP address (IP data is anonymized and not logged) . It collects other device and interaction information, like browser and device type, in order to help us analyze traffic.
Cookies and Similar Technologies: Our Website uses cookies and similar tracking technologies to collect data automatically. For example, cookies enable core functionalities like maintaining your shopping cart and allowing you to stay logged in to your account. We may also use cookies to remember your preferences (for instance, filter selections made via the Filter Everything PRO plugin) and to understand how you use our site. (See Section 9. Cookies and Tracking for more information on what cookies we use and how to control them.)
Third-Party Sources: In general, we do not obtain personal data about you from third-party sources, except through the integrated services we use to operate the store. For instance, if a payment is processed via our payment provider or if a shipment is arranged through our shipping partner, those services may provide us with information such as payment confirmations or tracking updates. These scenarios are explained in Section 5 (Third-Party Processors). We do not purchase or collect consumer data from data brokers or social media profiles.
User Accounts: If you register for an account, we collect the information needed to set up and maintain your account (like name, email, password). You can log in to review and update some of this information at any time. Account creation and login are voluntary, and you can also check out as a guest if you prefer (in which case we collect only the data needed to process the transaction).
Newsletter Signup: When you subscribe to our newsletter, you directly provide your email address (and name, if requested) via the signup form. We record the date/time of your consent to receive our marketing emails. You will only be added to our mailing list if you explicitly opt in.

We will not collect additional categories of personal data or use the data we collected for materially different purposes without obtaining your consent or updating you first (consistent with this Privacy Policy).

4. Why We Collect Data and Legal Bases for Processing

We process your personal data only for specific purposes and where we have a legal basis under GDPR to do so. Below we explain the purposes for which we use your data and the corresponding legal grounds:

To Process and Fulfill Your Orders: We use your name, address, contact details, and payment information to process transactions and deliver the products you purchase. This includes processing payments, confirming your order, shipping the products to you, and communicating order status updates. Legal Basis: Performance of a contract – we need this data to fulfill our sales contract with you (processing your order and delivering the goods) . Without this information, we cannot complete your purchase.
To Manage Your Account: If you create an account, we process your data to maintain your account, allow you to log in, view order history, and save preferences (like default shipping addresses). Legal Basis: Performance of a contract – managing the user account is necessary to provide the account-related features you request.
Payment Processing and Fraud Prevention: We share necessary data with our payment processor (Mollie) to take payment and prevent fraudulent transactions. For example, Mollie may verify your payment details and perform security checks. Legal Basis: Performance of a contract (to process the payment for your order) and our legitimate interest in preventing fraud and ensuring secure transactions. We also have legal obligations under financial regulations to collect certain information for fraud prevention and record-keeping.
Shipping and Delivery: We use your contact details and address to arrange delivery of your orders via our shipping partner (Fraktjakt) and to allow carriers to deliver packages. We may also share your phone/email with the carrier to provide delivery updates or resolve issues. Legal Basis: Performance of a contract – it’s necessary to fulfill the delivery portion of your purchase.
Customer Service and Communications: If you contact us with questions, requests, or complaints, we will use your provided information to respond and assist you. This could include order inquiries, technical support, or product questions via email or our contact form. Legal Basis: Legitimate interests – it is in both your and our interest to effectively address communications and ensure customer satisfaction. (If your inquiry is about exercising GDPR rights, our legal basis is compliance with a legal obligation.)
Email Newsletter and Marketing: With your consent, we use your email address to send you our newsletter or promotional offers about our products. You will receive marketing emails only if you have opted in (for example, by entering your email in our newsletter signup form and confirming your subscription). You can unsubscribe at any time, and we will stop sending you marketing messages. Legal Basis: Consent – you have given clear consent for us to send you direct marketing emails. (If you are an existing customer, we may also rely on legitimate interest to send you marketing about similar products, but in all cases you have the right to opt out easily.)
Analytics and Improvement of Our Website: We analyze how users navigate and use our site (via Google Analytics and similar tools) in order to improve our store’s functionality, user experience, and product offerings. This may involve processing technical and usage data such as page views, clicks, and referral sources. Wherever possible, we use this data in an aggregated or pseudonymized form. Legal Basis: Consent – we rely on your consent for non-essential analytics cookies and tracking (as required by ePrivacy laws). In jurisdictions where legitimate interest is permitted for basic analytics, we may alternatively rely on our legitimate interest in understanding website performance and customer preferences. In either case, we are committed to respecting your preferences (see Cookies section for how to opt out of analytics). Google Analytics 4 is privacy-focused (it does not store IP addresses of EU users and only uses the data for analytics purposes) .
Personalization: To the extent we offer features like product filtering or recommendations, we may process data to tailor our site to your preferences. For example, we might use cookies to save your filter settings or remember items in your cart between visits. Legal Basis: Legitimate interests – providing an improved, personalized shopping experience (since these features benefit users). This processing has minimal privacy impact and is under user control (you can clear or disable cookies if desired).
Compliance with Legal Obligations: We also process and retain personal data as needed to comply with various legal and regulatory requirements. For example, under tax and accounting laws, we must keep records of sales and transactions (which include personal data like names, addresses, and purchase details) for a certain period. In Sweden, financial records (including transaction personal data) are typically kept for up to seven years as required by the Accounting Act . Legal Basis: Legal obligation – we will process and retain data when we are legally required to do so (e.g., for tax audits, court orders, or product safety regulations). This may include verifying your identity when fulfilling certain rights requests, or retaining some data to meet anti-fraud, bookkeeping, or consumer protection laws.
Security and Fraud Prevention: We may process certain data to protect our Website, business, and customers from fraud, unauthorized access, and other security issues. For instance, we may log IP addresses when orders are placed or when login attempts are made, in order to detect and block malicious activity. We also keep security logs of our website’s operation. Legal Basis: Legitimate interests – it’s our legitimate interest to ensure the integrity and security of our services, which also protects the rights and data of our customers. This processing is limited to what is necessary for security monitoring and incident response.
Other Legitimate Interests: We may process data for additional internal purposes that are compatible with the original purposes. For example, we might anonymize and aggregate customer data to generate business performance reports, or use purchase history to maintain inventory and customer support records. If we process your data for a new purpose that is not compatible with those above, we will seek your consent or provide notice as required by law.

Where we rely on consent as the legal basis, you have the right to withdraw that consent at any time (for example, you can opt out of the newsletter or decline analytics cookies – doing so will not affect the lawfulness of processing that occurred before your withdrawal). Where we rely on legitimate interests, we have balanced those interests against your privacy rights and believe our processing is not intrusive or harmful. You still have the right to object to any processing based on legitimate interests (see Your Rights below).

If you have questions about the legal basis for any specific processing of your personal data, feel free to contact us for more information.

5. Third-Party Service Providers and Data Sharing

In order to run our e-commerce business, we rely on several third-party service providers (processors) who help us with payments, shipping, analytics, email, and other functions. We only share personal data with these third parties to the extent necessary for them to perform their services, and each provider is contractually obligated to protect your data and use it only for the agreed purpose. We do not sell your personal information to anyone. Below are the key third-party services we use, what data they handle, and why:

Mollie Payments (Payment Processor): We use Mollie Payments for WooCommerce to handle online payment transactions on our Website. When you enter your payment details (such as credit card or bank information) at checkout, that information is transmitted directly to Mollie over an encrypted connection. Mollie processes your payment on our behalf. This means Mollie will receive personal data necessary for payment, which may include your name, contact information, IP address, and payment details (e.g. card number, bank account number, transaction amount) . Mollie specializes in secure payment processing and is PCI-DSS compliant; we do not see or store your full card number or bank credentials. We share data with Mollie only to the extent needed to verify and complete the transaction (and for fraud screening or refunds if applicable). Mollie is based in the EU (the Netherlands) and operates under strict European financial regulations. For more details, you can refer to Mollie’s Privacy Statement , which explains how they process personal data as a payment service provider.
Fraktjakt (Shipping Service Integration): For shipping and delivery, we use the Fraktjakt plugin, which connects our store with various shipping carriers in Sweden. When you place an order, we share the necessary delivery information with Fraktjakt to generate shipping options and labels. This includes your name, delivery address, email, and phone number (for shipping notifications), and order details like package weight or content description. Fraktjakt will use this data to calculate shipping rates, book the shipment with the chosen carrier (e.g., PostNord, DHL), and facilitate package tracking. Fraktjakt stores personal data such as names, addresses, and contact info of senders/recipients as part of providing its services . Your IP address may also be recorded by Fraktjakt when using their service through our site . We have ensured that Fraktjakt handles your data securely and in compliance with GDPR. They will not use your information for any purpose other than arranging shipments and complying with legal obligations (e.g., customs or accounting) . For more information, see Fraktjakt’s privacy policy on their website.
Google Analytics (via Site Kit by Google): We use Google Analytics 4 to understand how visitors use our Website, which helps us improve our services and user experience. Google Analytics collects usage data such as pages visited, time on site, clicks, and technical information about your browser and device. Importantly, Google Analytics 4 does not log or store your IP address – for EU users, IP addresses are only used to derive general location (e.g., city) and then are dropped without being recorded . Google Analytics uses cookies to distinguish unique users and remember your site preferences. The data Google Analytics collects (e.g., device info, browser type, referral source) may be transmitted to and stored on Google servers (Google may process data in the United States or other countries; see Section 6 on data transfers). Google acts as our data processor for analytics, meaning they only process data on our instructions and for our purposes of analysis. We have configured Google Analytics to respect privacy as much as possible (for instance, we have enabled features to avoid collecting any precise personal identifiers). We do not use Google Analytics for advertising or profiling, and we do not allow Google to use the analytics data for its own purposes beyond providing us the analytics service. You can opt out of Google Analytics by refusing analytics cookies in our (future) consent banner or by using Google’s Analytics Opt-out Browser Add-on . For more details, you can review Google’s Privacy Policy and Google’s Analytics data practices.
Google Search Console and PageSpeed Insights (via Site Kit): Our site is also connected to Google Search Console and PageSpeed Insights through the Site Kit plugin. These Google services help us monitor our website’s presence in Google search results and performance metrics. They do not collect additional personal data from you beyond what Google already receives by virtue of you visiting our site. PageSpeed Insights might perform automated performance tests, and Search Console provides us aggregate data about search queries and site indexing. These tools operate in the backend and do not directly set cookies or track individual users. Any data we see is aggregated and not tied to individual identities. We mention these services for full transparency, but they have minimal or no impact on your personal data when you use our site.
Google Fonts (Web Fonts Service): We use Google Fonts (via our Kallyas theme) to display consistent and attractive typography on our Website. When you load a page, your browser may fetch font files from Google’s servers (domains such as fonts.googleapis.com or fonts.gstatic.com). In doing so, Google servers receive some data from your browser: specifically, they get the request for the font file which includes your IP address and certain technical info like your browser type and the page referring to the font . However, Google Fonts is designed with privacy in mind: it does not set any cookies or track you beyond the necessary technical delivery of fonts . Google states that it does not use information collected via Google Fonts to create user profiles or for advertising purposes . The data is used to serve the fonts and ensure compatibility and security. Nevertheless, your IP address is a piece of personal data that Google processes to deliver the font and for security reasons . If you are uncomfortable with this, you can configure your browser to block Google Fonts; note that doing so may cause the site’s fonts to default to standard ones. We are evaluating alternatives like locally hosting fonts to eliminate external requests.
Amazon Simple Email Service (SES) (Email Sending): We use Amazon SES (an email delivery service provided by Amazon Web Services) to send out various emails from our Website. This includes transactional emails (order confirmations, receipts, shipping notifications, password reset emails, etc.) and marketing emails (newsletters, if you have subscribed). When we send you an email, your email address and the content of the email are processed by Amazon SES servers to facilitate delivery. Amazon may temporarily log information about the email (such as timestamp and whether delivery was successful or bounced). Amazon does not use this data for any purposes other than to send emails on our behalf and to maintain their service. Amazon Web Services is a reputable cloud services provider that implements strong security and privacy measures. According to AWS commitments, we (the customer) control our data and Amazon will not access or share it without our instruction, except as necessary for security or legal compliance . We have a data processing agreement with AWS to ensure your email data is protected. Amazon’s servers may be located in the European Union (we strive to use EU datacenters when possible), but note that AWS is a global service – any transfer of data outside the EU is safeguarded by standard contractual clauses and Amazon’s adherence to GDPR requirements. For more information, see the AWS Privacy Notice.
Email Marketing Platform: (If applicable) In the event we use a dedicated email marketing platform or plugin to manage our newsletter (for example, a service like Mailchimp, Sendinblue, or a WordPress newsletter plugin), that service would also process your email address and name for the purpose of sending bulk emails and tracking newsletter analytics (such as open rates). We would ensure any such service complies with GDPR and that you have consented to any marketing communications. (Currently, our email marketing is handled via Amazon SES as described above, without a separate third-party platform.)
Filter Everything PRO (Filtering Plugin): The Filter Everything PRO plugin is used on our site to allow you to filter and sort products by various criteria. This plugin operates on our website itself and does not send your data to an external server; it processes filter selections in real-time to show you relevant products. It may use local browser storage or cookies to remember your filter choices during your session for convenience, but those data remain on your device. No personal information is transmitted to the plugin author or outside our infrastructure when you use product filters.
Hosting and IT Providers: Our website is hosted on servers that ensure high security and uptime. (For example, if we use a hosting company or cloud provider to host the WordPress site and database, that provider might technically have access to stored personal data as a processor.) We ensure that our hosting provider implements strong security measures and complies with data protection requirements. All data on the server (including your personal data) is stored in secure data centers. Additionally, we may use standard third-party plugins or services for the operation of the site (like backup services, security firewalls, or content delivery networks). If any of these services process personal data, they do so under our instructions and only for the functioning of the website. We will update this Privacy Policy to specifically list any additional third-party services that significantly affect personal data, should they be added in the future.

Third-Party Privacy Policies: We encourage you to review the privacy policies of the above service providers for more information on their practices. Notably, you can find more details here: Mollie’s Privacy Policy (available on mollie.com) which describes how Mollie handles payer data ; Google’s Privacy Policy and Google Analytics data protection resources, which explain Google’s handling of data for analytics and Fonts ; AWS Privacy Notice for Amazon’s commitments to data privacy ; and Fraktjakt’s Privacy Policy (on fraktjakt.se) for how they process shipping-related personal data . We have provided citations and links in this Policy for transparency. All these third parties process personal data only for the purposes we’ve specified and under robust data protection agreements.

Other than the processors listed above, we will not share your personal data with third parties unless one of the following circumstances applies: (1) you have explicitly given us consent to do so; (2) it is necessary for the establishment, exercise, or defense of legal claims; (3) we are required by law or a lawful request by public authorities (e.g., law enforcement) to disclose certain data; or (4) in the unlikely event of a business transfer (e.g. merger or sale of the company), in which case we would ensure the recipient is bound to respect your personal data in line with this Policy.

6. Data Storage, International Transfers, and Retention Periods

Data Storage Location: Your personal data is stored primarily on secure servers located in the European Union. We use hosting and cloud services that store data within the EU/EEA whenever feasible. For example, order and account data in our WooCommerce database are stored on our server (likely in an EU data center), and our payment and shipping partners (Mollie and Fraktjakt) are based in the EU (the Netherlands and Sweden, respectively) and store data on EU servers.

However, some of our third-party service providers may process or transfer data outside of your country or outside the European Economic Area (EEA). Specifically:

Google (Analytics & Fonts): While Google Analytics 4 collects EU user data through EU-based servers initially , the analytics data may be transmitted to Google’s servers in the United States for processing. Google is a U.S.-based company and thus personal data (like analytics information or your IP address when fetching Google Fonts) might be considered an international transfer. Google has committed to complying with European data protection standards; it relies on mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) and, as of 2023, Google is certified under the EU-U.S. Data Privacy Framework for relevant services. We have a data processing addendum with Google that includes the SCCs to protect any transferred data. In practice, Google Analytics 4 minimizes personal data collection (no IP logs, etc.), and Google Fonts only uses IPs transiently .
Amazon Web Services (SES): Amazon may route emails through servers in the EU region or other regions depending on service configuration. We strive to use EU AWS regions for our SES service. Regardless, AWS is a global cloud provider; if any personal data (like your email content or address for an email) is transferred or stored outside the EEA (for example, on a U.S. server), it is protected by Amazon’s binding corporate rules and SCCs. Amazon has a GDPR-compliant Data Processing Addendum in place, and they have publicly committed that they do not access or use customer content except as necessary to provide the service and as agreed . AWS also participates in the new Data Privacy Framework as applicable.
Other Providers: In the normal course, Mollie and Fraktjakt keep data within the EU. If we ever use a provider that stores or accesses personal data outside the EU, we will ensure there is a legal transfer mechanism in place (such as SCCs or an adequacy decision) and that your data is kept secure.

We take steps to ensure any international data transfers are done in accordance with GDPR Chapter V. This means your data will only be transferred to countries with an adequate level of data protection (as determined by the EU Commission) or under contracts that provide appropriate safeguards for your data. If you’d like more information about international data transfers or copies of the relevant safeguards, please contact us.

Data Security Measures: All personal data we store is protected by appropriate technical and organizational security measures. For example, our website uses HTTPS/SSL encryption for all traffic, meaning that any data you submit (like personal details or payment information) is encrypted in transit between your device and our server. Our payment transactions are processed securely through Mollie, which uses strong encryption and security protocols. Internally, we restrict access to personal data – only authorized personnel (or service providers) who need to process your data for the purposes above have access, and they are bound by confidentiality. We maintain up-to-date security practices to prevent unauthorized access, loss, or alteration of data, including firewalls, security monitoring, regular software updates, and backups. We also ensure that our service providers similarly commit to strong security (for instance, AWS and Google are industry leaders in security and have numerous certifications). In short, we strive to protect your data with a high level of care, implementing measures such as access controls, encryption, and backup routines to guard against breaches. (More details on our security measures are provided in Section 10.)

Retention Periods: We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Retention may vary based on the type of data:

Order and Transaction Data: We keep records of your purchases (including personal data contained in invoices, receipts, and order history) for as long as needed to provide customer service and for our legitimate business records. In addition, we are required by Swedish accounting and tax laws to retain transaction records for a minimum of 7 years after the end of the fiscal year in which the transaction occurred . This means your order details will typically be kept for at least that period. After the legal retention period, we will delete or anonymize this information if it’s no longer needed for the original purpose.
Customer Account Data: If you have an account with us, we will retain your account information for as long as your account is active. You can edit or delete certain information through your account dashboard. If you request to close your account, we will deactivate it and remove or anonymize personal data associated with it, except for any information we are required to keep for legal or troubleshooting purposes (e.g., past order records linked to the account will be kept as noted above). Inactive accounts: If you have not logged into your account for an extended period, we may contact you to confirm if you wish to keep it. We may delete accounts that remain inactive for several years, but we will attempt to notify you first.
Newsletter (Marketing) Data: We retain your email address and any provided details for sending newsletters until you unsubscribe or withdraw your consent. If you opt out of marketing, we will remove you from the mailing list promptly and will no longer process your data for that purpose. (We may keep a record of your unsubscribe request or email address on a suppression list to ensure we honor your opt-out.)
Contact Form Messages and Customer Support: If you contact us via email or contact form, we may retain your communications (including personal data in them) for a certain period to ensure we can follow up and improve our services. Typically, we keep routine inquiry correspondence for up to 1 year after resolving your issue, in case you have further questions or to reference the communication for training. In some cases, important correspondence (for example, about a warranty or a dispute) may be kept longer if necessary.
Analytics Data: Data collected via Google Analytics is retained in Google’s systems for a default period (we currently retain user-level analytics data for 14 months in GA4, which is the shortest standard option, unless we configure otherwise). Aggregate analytics reports may be kept longer, but they do not contain personally identifiable data.
Server Logs: Our web server and security systems may log IP addresses and visits for security, debugging, and performance monitoring. These logs are generally kept for a short period (typically a few weeks up to a few months) unless reviewing them for a specific security investigation. They are then automatically rotated or deleted.
Payment Information: We do not store full payment card numbers or CVV codes. Mollie, our payment processor, will handle and store payment details as needed for each transaction (and their retention policies will apply for that data, e.g., Mollie may keep transaction records for a certain number of years to comply with financial regulations). Any payment-related data we retain (like transaction IDs or partial card digits for reference) are kept as part of order records under the same retention as order data (7 years for financial info by law ).
Legal Requirements and Disputes: If we are under a legal obligation to retain data (for example, due to a government order, litigation hold, or investigation), or if data is needed to resolve a dispute or enforce our terms, we will retain the specific data as long as necessary to fulfill that obligation or resolve the issue, even if this extends beyond the normal retention period.

After the applicable retention period has elapsed, and if the data is no longer needed, we will either securely delete it or anonymize it (so it can no longer be linked to you). For example, we might anonymize order records by removing personal identifiers, and retain the anonymized data for statistical purposes.

If you request erasure of your data (see Your Rights below), we will evaluate if we can delete the data without violating any legal requirements or overriding legitimate interests. If we must keep certain data (e.g., a record of a transaction for tax purposes), we will inform you and isolate that data from active use.

7. Your Rights Under GDPR

As an individual in the EU (or in other jurisdictions with similar data protection laws), you have a number of important rights regarding your personal data. We are committed to facilitating your exercise of these rights. Below is a summary of your data subject rights:

Right to Be Informed: You have the right to be given clear, transparent information about how we collect and use your personal data. This Privacy Policy is intended to provide you with that information . If anything is unclear, please let us know.
Right of Access: You have the right to request access to the personal data we hold about you . This means you can ask us to confirm whether we are processing your data and provide you with a copy of that data, as well as information about how it’s being used.
Right to Rectification: You have the right to have inaccurate personal data corrected or completed if it is incomplete . If you believe any of your information in our records (or accessible through your account) is incorrect or outdated, you can request that we update it. For example, you can correct much of your basic info by logging into your account settings, or ask us to fix any errors.
Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances . Upon your request, we will erase your personal data provided that we do not have a legal obligation or overriding legitimate interest to continue processing it. For example, you can ask us to delete your customer account or remove information we no longer need. We will comply unless retention is legally required (e.g., we generally cannot delete order records immediately due to accounting laws, but we can remove your account and unsubscribe you from communications).
Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain situations . This means we would store your data but temporarily stop any other processing. You might exercise this right if you contest the accuracy of your data (until we verify or correct it), or if you object to processing and we are considering that objection, or if processing is unlawful but you don’t want the data erased. When processing is restricted, we will inform you before lifting the restriction.
Right to Object: You have the right to object to certain types of processing of your personal data . You can always object to processing for direct marketing – if you object, we will stop using your data for marketing purposes immediately. You can also object if we are processing your data based on legitimate interests (or performing a task in public interest/exercise of official authority), and you feel it impacts your rights. In such cases, we will stop processing unless we have compelling legitimate grounds that override your rights or if we need to continue for legal claims. If you object to analytics tracking (cookies), you can exercise that through cookie controls or browser settings (see Cookies section).
Right to Data Portability: You have the right to obtain and reuse the personal data you have provided to us, in a structured, commonly used, and machine-readable format , and to have that data transmitted to another controller where technically feasible. This right applies when the processing is based on your consent or on a contract and carried out by automated means. For example, you can request a copy of the data you provided when registering and ordering (like your account info and order history) in a CSV or similar format, so you can port it to another service. We will assist with such requests to the extent possible.
Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. For instance, you can unsubscribe from our newsletter (withdrawing consent to marketing emails) by clicking the “unsubscribe” link in any newsletter or by contacting us. Withdrawing consent will not affect the legality of any processing we conducted prior to your withdrawal, and it won’t affect processing under other legal bases. However, once withdrawn, we will cease the specific processing that was based on consent.
Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects or similarly significant effects on you . Examples would include automated credit checks or hiring algorithms without human involvement. Note: We do not engage in any fully automated decision-making or profiling that has a significant effect on you. We do not use algorithms to, for example, refuse transactions or make decisions about you without human review. If this ever changes, we will inform you and ensure your rights in this area are respected (including the right to human intervention in such decisions).
Right to Lodge a Complaint: If you believe your data protection rights have been violated or you have a concern about how we handle your data, you have the right to file a complaint with a supervisory data protection authority. You may do so in the EU member state where you live, where you work, or where the alleged infringement occurred. For example, our lead supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”) . You can contact IMY or your local DPA about any concern. We do kindly ask that you consider raising any issues with us first, so we have the chance to address them, but you are free to approach the regulators at any time.

These rights are subject to certain legal limitations. For instance, we might not be able to fully comply with a request for erasure if we are required by law to keep certain data, or we might deny an access request if it adversely affects the rights and freedoms of others (e.g., includes someone else’s personal data). If any such limitations apply, we will explain them to you in our response.

No Fee Typically Required: Exercising your rights is free of charge. We will not charge you for making a request unless it is manifestly unfounded or excessive (in which case, we may charge a reasonable fee or refuse to act on the request).

Timeframe: We will respond to legitimate requests as soon as possible, and at the latest within one month of receiving the request, as required by GDPR. If the request is complex or we have received many requests, we may extend this by a further two months, but we will inform you and explain the reason if that happens (e.g., if we need more time to gather large amounts of data).

For further details on your rights, you may refer to GDPR Chapter 3 or resources provided by data protection authorities . We are dedicated to honoring these rights and have procedures in place to handle your requests.

8. How to Exercise Your Rights

If you wish to exercise any of the rights outlined above, you can contact us with your specific request. The easiest way is to email us at contact@donerknives.com with the subject line “GDPR Privacy Request” (or similar), and clearly let us know what you need: for example, “I would like a copy of my data” (access request) or “Please delete my account and data” (erasure request), etc. You can also send your request by mail to our postal address provided in Section 1, or reach out through our online contact form (if using the form, please specify that it’s a privacy/data request).

To ensure we respect your privacy and prevent unauthorized access, we may need to verify your identity before fulfilling certain requests. For instance, if you are asking for access to your data or deletion of your account, we might ask you to provide information that matches our records (such as confirming your recent order number, email address, or other details) or to log in to your existing account (if you have one) as part of the verification. This is to make sure we do not disclose or erase data at the request of someone impersonating you. We will only use such verification information for confirming identity and security purposes.

Once your identity is confirmed and we understand the scope of your request, we will proceed to fulfill it. You will receive a confirmation once we have taken action, or a communication explaining any information we are providing (for an access request) or the outcome of your request.

For rectification requests: You can correct many basic details by logging into your account profile and updating your information. If you need assistance or want us to correct something specific, just contact us with the details of the correction needed. We might ask for supporting info if necessary (for example, proof of correct address if our records differ).

For access requests: We will compile the data we have about you and provide it in a commonly used electronic format (likely JSON, CSV, or PDF). If you prefer a hard copy, let us know (though electronic is usually more convenient and secure). We will include information such as: data we have collected, the purposes of processing, the categories of data, the recipients (or categories of recipients) with whom we’ve shared the data, the retention period (or criteria for retention), and the sources of the data if not collected from you directly, as well as information about automated processing if applicable – basically the information that this Privacy Policy contains, but specific to your data.

For erasure requests: We will remove your personal data from our systems and instruct any processors (e.g., our service providers) to do the same, where applicable. Note that erasure may involve deleting your account and personal identifiers, but we might retain some transaction data without personal identifiers (e.g., keeping an invoice number with the amount but no name attached) for legal compliance. If full erasure isn’t immediately possible (for example, data backed up on secure archives), we will securely isolate and protect the data until deletion is feasible. We will inform you once your data has been deleted or anonymized.

For object or restrict requests: We will evaluate your request. For objection to marketing, we’ll remove you from marketing lists immediately (and you can always use the unsubscribe link in emails for instant removal). For objection to other processing based on legitimate interest, please explain your reasons so we can assess them. We may either agree and cease processing, or explain why we believe we have compelling grounds to continue. For restriction, if granted, we will mark the data as restricted and only process it for certain things (like storage or with your consent or for legal claims) until the restriction is lifted.

For data portability: We will provide your data in a structured, machine-readable format (such as a CSV file with your account details and order history). If feasible, and if you request, we can also attempt to transmit the data directly to another service provider of your choice, but often it is simplest for us to give it to you to provide to them.

We aim to make the exercise of your rights as straightforward as possible. If you need any assistance or have questions about the process, please let us know. We may develop automated tools in the future to let you download or delete your data directly (for example, via account settings), and if so we will update this policy to reflect those options.

Lodging a Complaint: As noted, you have the right to complain to a supervisory authority. If you are in Sweden, the relevant authority is the Integritetsskyddsmyndigheten (IMY) – the Swedish Authority for Privacy Protection . You can find their contact details on their official website (imy.se). For other EEA countries, you can find a list of Data Protection Authorities via the European Data Protection Board’s website or resources like GDPRhub. We sincerely hope we can resolve any issue by communicating with you directly, but you are fully entitled to seek advice or assistance from the authorities at any time.

9. Cookies and Tracking Technologies

Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit a website. They are widely used to make websites work efficiently and to provide information to the site owners. On DonerKnives.com, we use cookies and similar tracking technologies for several purposes, as outlined below. We believe in transparency about cookies, and we provide this overview so you can understand and manage your preferences.

Types of Cookies We Use:

Essential Cookies: These are necessary for the core functionality of our online store. For example, when you add products to your cart or proceed to checkout, we use cookies (or an equivalent mechanism) to remember your cart items as you navigate the site. If you log into your account, cookies keep you logged in during your session. We also use security cookies to prevent fraudulent use of login credentials and to protect user data. These cookies are active by default because our website cannot function properly without them. They do not gather information for marketing purposes.
Preferences Cookies: These cookies remember your choices and preferences to enhance your experience on our site. For instance, our product filtering plugin (Filter Everything PRO) may use a cookie or session storage to retain the filter options you select, so that the site can display products according to your criteria and remember those filters as you browse different pages. Similarly, if our site has a language selector or remembers your currency preferences, cookies would be used to save those settings. Preference cookies are intended to make your shopping experience smoother (e.g., not having to reapply filters or log in again on every page).
Analytics Cookies: We use Google Analytics to collect information about how visitors use our site. Analytics cookies allow us to recognize and count the number of visitors, and see how visitors move around the site. This helps us to improve the way our website works (for example, by ensuring that users are finding what they need easily). The data collected via analytics cookies is aggregated and anonymized; it does not identify you personally. Typical information includes pages you visited, time spent on site, link clicks, and other usage statistics. Google Analytics sets first-party cookies (such as _ga, _gid, etc.) on your browser. These cookies have varying expiration times (some last for the session, others for 24 hours, others for up to 14 months or more) and they store a unique identifier to distinguish visitors. We want to emphasize that with Google Analytics 4, no personally identifiable information (like your name or exact IP) is stored in these cookies – GA4 even avoids logging IP addresses of EU users entirely . The information obtained through analytics cookies is sent to Google Analytics and compiled into reports for us. Google Analytics cookies help us understand things like which pages are most popular, which marketing campaigns are effective, and how users are engaging with our content. This information is used solely for statistical purposes and to improve the site; we do not use it to profile individual users or to target ads.
Third-Party Cookies: Aside from Google Analytics, our site does not intentionally use third-party marketing or advertising cookies at this time. We do not currently have ads or social media trackers (like Facebook pixels) embedded. The only third-party cookies that might be set relate to the services described earlier – for example, when processing a payment via Mollie, you might be redirected to a payment page that sets its own cookies for security and fraud prevention, or when loading Google Maps or other embedded content, those services could set cookies. However, on our site specifically, the notable third-party interactions are Google services (Analytics, Fonts) as described. Google Fonts itself does not use cookies at all (it simply fetches files). Mollie may set a cookie during the payment flow to remember your payment session (ensuring that when you return to our site from the payment gateway, the order is properly tracked), but such cookies would be short-lived and only used for completing the payment. Fraktjakt could potentially use cookies to maintain shipping selection data but typically works server-to-server. In summary, third-party cookies on our site are minimal and not used for advertising. We will update you if we introduce any advertising or social media cookies in the future.

Cookie Consent: As of the effective date of this Policy, we do not have a dedicated cookie consent banner or tool implemented yet. This means cookies (aside from strictly necessary ones) may be set by default when you use our site. We are working towards implementing a full cookie consent mechanism to comply with the ePrivacy Directive requirements, especially for analytics cookies. In the meantime, by using our site, we assume that you consent to the placement of cookies as described here. You still have control over cookies as explained below. (We understand the importance of obtaining explicit consent for non-essential cookies and are addressing this as a priority. Once our cookie consent plugin is in place, you will be able to choose which cookies to accept or reject upon your first visit.)

Managing and Disabling Cookies: You have the right to decide whether to accept or reject cookies (particularly non-essential cookies like analytics). Here are some ways you can manage cookies:

Browser Settings: Most web browsers allow you to control cookies through their settings. You can typically find an option to block or delete cookies. For example, you might be able to instruct your browser to refuse all cookies, accept only first-party cookies, or delete cookies when you close the browser. You can also clear existing cookies from your browser. Please note that if you disable cookies entirely, our Website may not function properly – for instance, you won’t be able to add items to your cart or proceed through checkout (because those rely on essential cookies). Disabling certain cookies (like analytics or preferences) will not affect core functionality but may reduce the personalization or insight we gain. Each browser is different, so check the help section of your browser or visit websites like aboutcookies.org for detailed guidance on how to manage your cookie preferences.
Opt-Out Mechanisms: For Google Analytics, as mentioned, Google offers a Browser Opt-Out Add-on . If you install this add-on in your browser, it prevents Google Analytics from collecting data on your visits to all websites that use GA (including ours). Additionally, once we implement our cookie consent banner, you will be able to opt out of analytics cookies directly on our site.
Do Not Track: Our site honors browser “Do Not Track” (DNT) signals to the extent possible. If your browser is set to DNT, we treat that as a signal that you may not want to be tracked for analytics, and we will attempt to disable analytics for your session. However, not all third-party services fully recognize DNT, so using the above methods is more reliable.
Cookie Policy Page: We maintain a dedicated Cookie Policy (see our website footer for “Cookie Policy”). That page provides detailed information about each cookie we use (cookie name, purpose, and duration) and will be updated as needed. You can refer to it for a comprehensive list. (Note: If our cookie policy page is not yet fully populated, we will update it soon. For now, this section contains the essential info.)

By continuing to use our Website without adjusting your browser settings to block cookies, you are effectively consenting to our use of cookies as described here. We will assume you are okay with essential and analytics cookies unless you take action to opt out or until our consent tool allows you to make a choice.

If you have any concerns about our use of cookies or require assistance in opting out, please contact us. We value your privacy and want to ensure you feel comfortable using our site.

10. Data Security Measures

We take the security of your personal data very seriously. We have implemented a range of technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction. While no website or system can guarantee absolute security, we strive to adhere to best practices to safeguard your data .

Technical Security Measures:

Encryption: Our site is secured with SSL/TLS encryption. This means that all data transmitted between your browser and our Website is encrypted in transit. You can verify this by looking for “https://” and a padlock symbol in your browser’s address bar when you visit our site. Encryption protects sensitive data (like personal details and payment information) from being intercepted during transmission. Additionally, sensitive information stored in our databases (such as passwords) is encrypted or hashed. For example, account passwords are never stored in plain text; they are hashed using secure algorithms, so even in the unlikely event of a database breach, the actual passwords would not be exposed.
Secure Payment Processing: As noted, we outsource payment processing to Mollie, which is PCI DSS compliant. When you enter payment details, you’re doing so on secure, PCI-compliant infrastructure. This adds an extra layer of security as your card data never touches our servers. Mollie and our site communicate via secure channels to confirm payment status.
Access Control: We limit access to personal data on a need-to-know basis. Only authorized staff or service providers who require access to fulfill their roles are permitted to see your personal information. Access to administrative areas of our website, database, and third-party dashboards (like Mollie, AWS, etc.) is protected by strong authentication (such as strong passwords and, where supported, two-factor authentication). Internally, our team is trained on data security and confidentiality.
Firewall and Monitoring: Our web hosting environment is protected by firewalls which help block unauthorized traffic (e.g., attempts to hack the site). We also employ security monitoring tools that alert us to suspicious activities or potential vulnerabilities. For instance, we use plugins or services that monitor login attempts and other security-relevant events on the WordPress site. If an anomaly is detected (like multiple failed logins or an attempt to inject malicious code), we investigate and take action (such as blocking an IP or tightening firewall rules).
Software Updates and Patches: We keep our website software (including WordPress core, themes, and plugins) updated to the latest secure versions. Regular updates help protect against known vulnerabilities. We also apply security patches promptly when they are released by our software vendors. Our server operating system and related software are similarly kept up to date by our hosting provider or management team.
Backups: We perform regular backups of our website and database. Backups are encrypted (if stored off-site) and kept in secure storage. This measure ensures that in case of any data loss incident or ransomware attack, we can restore your information from a recent backup. Backups also help maintain data integrity.
Testing and Audits: Periodically, we test our systems (or have them tested by security professionals) to identify potential weaknesses. This can include vulnerability scanning or penetration testing on critical systems. We also review our security policies and incident response plans regularly to ensure we are prepared to handle any potential breaches effectively.
AWS Cloud Security: For services like Amazon SES or any other AWS resources we might use, we leverage AWS’s robust security features. AWS data centers and infrastructure have multiple certifications (like ISO 27001, SOC 1/2/3, etc.), and AWS provides tools for encryption, access management, and network security which we utilize. As AWS emphasizes, we control our data stored on AWS and AWS protects it in accordance with our instructions .

Organizational Measures:

We ensure that anyone who processes personal data on our behalf (e.g., employees, contractors, or service providers) is bound by confidentiality and data protection obligations. If we work with an external developer or IT support, they are required to handle data securely and sign appropriate agreements.
We have a data protection policy internally, and we educate our team about best practices, such as using secure passwords, recognizing phishing attempts, and not sharing account credentials.
Physical access to any systems that contain personal data is secured. For instance, if personal data is accessible via an office computer, that computer is password-protected and kept in a secure location. Our hosting servers are in secure data centers with controlled access.
We pseudonymize or anonymize data where feasible. For example, when analyzing customer trends, we might use aggregated data without direct identifiers. For test or development purposes, we avoid using real personal data whenever possible.
In the event of any subcontractors (like if we use a marketing agency or an accountant who might handle customer data), we ensure they are under a strict data processing agreement and adhere to equivalent security standards.

Payment Security: A special note on payment security – your online payment transactions are encrypted and processed by Mollie, as mentioned. Mollie complies with the highest level of security in the payment industry (PCI DSS Level 1). Any payment information transmitted from our site to Mollie is done securely, and we do not store sensitive card data ourselves, which greatly reduces risk. Mollie also employs fraud detection systems to protect against misuse of your payment details.

Data Breach Response: Despite all our efforts, if a data breach were to occur (meaning an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we have a response plan in place. This includes:

Containment and Assessment: We would immediately work to contain the breach (e.g., shut down systems that are compromised, change access credentials, etc.) and assess the scope and impact.
Notification: In line with GDPR Article 33/34, if the breach is likely to result in a high risk to your rights and freedoms (e.g., a risk of identity theft, financial loss, or other significant harm), we will notify the relevant supervisory authority (IMY in Sweden) within 72 hours of becoming aware of the breach. If there is a high risk to you, we will also inform you without undue delay, in clear language about what happened and what steps you should take. We may notify you via email, website notice, or other direct communication.
Remediation: We will take steps to remediate the issue and prevent future occurrences. This could involve patching security vulnerabilities, restoring data from backups, and reinforcing our defenses. We will also keep records of the incident and our response.

Our aim is to prevent security incidents proactively. We invest in security measures and continuously improve them as new threats emerge. We want you to have confidence that your data is safe with us.

If you have any questions about the security of your data or if you notice any vulnerabilities or suspicious activity related to our site, please contact us immediately. We appreciate feedback from our users and take security tips seriously.

11. Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, ensure compliance with new legal requirements, or incorporate improvements in how we communicate our privacy practices. When we make changes, we will post the updated policy on this page and change the “Last updated” or “Effective date” at the bottom of the policy. For significant changes, we may also provide a more prominent notice, such as a banner on our Website or an email notification to registered users, to inform you of the update.

Examples of significant changes might include: adding new purposes for processing personal data, changing how or why we share data with third parties, or launching new features that affect personal data. Minor changes, such as clarifications or typographical corrections, will typically just be updated on the site.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Website after any changes to the Privacy Policy have been posted will signify your acceptance of those changes, provided that we will not materially reduce your rights under this Policy without obtaining your consent or otherwise as required by law.

If we seek to process your personal data for a new purpose that is not covered by this Policy, we will, if required by law, obtain your consent or give you the opportunity to opt out before we engage in that processing.

In summary, we will always keep this document up to date with our latest data practices. The version published on the Website is the effective one. You can see the effective date below to know when it was last revised.

12. Effective Date

This Privacy Policy is effective as of June 12, 2025. It was last updated on that date.