Privacy Policy

At Brittfurn, we protect your personal data and will always strive for the highest level of protection that reflects the rules of the General Data Protection Regulation. This privacy policy reviews how we collect and use your personal information. The policy also explains your rights, and how you as a customer can assert these. We therefore encourage you to read and understand our privacy policy, so that you feel confident in how Brittfurn handles your personal data. Should any questions arise, you are always welcome to contact us at info@brittfurn.se. Using the table of contents below, you can easily find the sections that are of interest to you.

1. What is the processing of personal data?

Personal data is any information/data that can be directly or indirectly linked to a living natural person. Encrypted data and various types of electronic identities (for example: IP numbers) are also considered personal data if they can be linked to natural persons.

Personal data processing is everything that happens with personal data. That is, every action that uses personal data constitutes processing, regardless of whether the action is carried out manually or automatically. Examples of commonly occurring processing operations are collection, registration, organization, structuring, storage, processing, transfer and deletion.

2. Who is responsible for the personal data we collect?

Brittfurn AB, company no. 556671–3201, with address Sturegatan 20, 114 36 Stockholm, is responsible for the processing of personal data.

3. What personal data do we collect about you as a customer/user and for what purpose?

Purposes


Handling performed
- Delivery (including notification and contacts regarding delivery).
- Identification.
- Payment management (including analysis of possible payment solutions which may include a check against payment history and obtaining credit information from Klarna & Shopify Payments).
- Handling of complaints and warranty matters.

Categories of personal data
- Name
- Contact information (e.g. address, email and telephone number).
- Payment history.
- Payment information.
- Credit information from credit reporting agencies.
- Purchase information (e.g. which item has been ordered or whether the item should be delivered to a different address).

Legal basis
Fulfillment of the purchase agreement. This collection of your personal data is required in order for us to fulfill our obligations under the purchase agreement. If the data is not provided, our obligations cannot be fulfilled and we are therefore forced to refuse your purchase.

Storage period
Until the purchase has been completed (including delivery and payment) and for a period of 36 months thereafter in order to be able to handle any complaints and warranty matters.


Handling performed
- Receiving bookings, rebookings and cancellations.
- Sending booking confirmations.
- Communication regarding the booking.

Categories of personal data
- Name.
- Contact details (email and phone number).
- Any notes you choose to leave.

Legal basis
Fulfillment of the service agreement. This collection of your personal data is required in order for us to fulfill our obligations under the service agreement. If the data is not provided, our obligations cannot be fulfilled and we are therefore forced to refuse you the service.

Storage period
Until the service is completed.


Handling performed
- Necessary processing to fulfill the company's legal obligations according to legal requirements, court rulings or authority decisions (e.g. the Accounting Act, the Money Laundering Act or the rules on product liability and product safety, which may require the production of communication and information to the public and customers about product alerts and product recalls in the event of, for example, a defective or health-hazardous product).

Categories of personal data
- Name.
- Contact information (e.g. address, email and telephone number).
- Payment history.
- Payment information.
- Your correspondence.
- Information about the time of purchase, place of purchase, any errors/complaints.

Legal basis
Legal obligation. This collection of your personal data is required by law. If the data is not provided, our legal obligation cannot be fulfilled and we are therefore forced to refuse your purchase.

Storage period
Until the purchase has been completed (including delivery and payment) and for a period of 36 months thereafter.


Handling performed
- Communication and answering any questions to customer service (via telephone, email or in digital channels including social media).
- Identification.
- Investigating any complaints and support matters (including technical support).

Categories of personal data
- Name.
- Contact information (e.g. address, email and telephone number).
- Your correspondence.
- Information about the time of purchase, place of purchase, any errors/complaints.
- Technical data about your equipment.
- Health data (e.g. allergic reactions and health conditions you inform us about).

Legal basis
Legitimate interest. The processing is necessary to satisfy our and your legitimate interest in processing customer service matters.

Storage period
Until the customer service case has been closed.


Handling performed
- Adapting our services to be more user-friendly (e.g. changing the user interface to simplify the flow of information or to highlight features frequently used by customers in our digital channels).
- Preparation of data with the aim of improving goods and logistics flows (e.g. by being able to forecast purchases, inventory and deliveries).
- Preparation of data to develop and improve our range.
- Development of data to develop and improve our resource efficiency from an environmental and sustainability perspective (e.g. by streamlining purchasing and planning deliveries).
- Give our customers the opportunity to influence our range.
- Development of documentation to improve IT systems with the aim of generally increasing security for the company and our visitors/customers.
- Analysis of the data we collect for the purpose. Based on the data we collect (e.g. purchase history, age and gender), you are sorted into a customer group (so-called customer segment) for which analyses are then made at an aggregated level using anonymized or pseudonymized data, i.e. without any connection to you as an individual. The insights from the analysis form the basis for which products are purchased and how we develop our website brittfurn.se.

Categories of personal data
- Age.
- Gender.
- Place of residence.
- Correspondence and feedback regarding our services and products.
- Purchase and user-generated data (e.g. click and visit history).
- Technical data regarding devices used and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform).
- Information about how you have interacted with us, i.e. how you have used the service, where and for how long different pages have been visited, response times, download errors, how you reach and leave the service, etc.

Legal basis
Legitimate interest. The processing is necessary to satisfy our and our customers' legitimate interest in evaluating, developing and improving our services, products and systems.

Storage period
From the time of collection and for a period of 36 months thereafter.


Handling performed
- Prevention and investigation of possible fraud or other violations of the law (e.g. in-store incident reporting).
- Prevention of spam, phishing, harassment, attempts to take actions that are prohibited by law or our terms of purchase.
- Protection and improvement of our IT environment against attacks and intrusions.

Categories of personal data
- Video recordings from camera surveillance in the store.
- Purchase and user-generated data (e.g. click and visit history).
- Technical data regarding devices used and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform).
- Data about how our digital services are used.


Legal basis
Compliance with a legal obligation (if any) or legitimate interest. If there is no legal obligation, the processing is necessary to meet our legitimate interest in preventing misuse of a service or to prevent, deter and investigate crimes against the company.

Storage period
From the time of collection and for a period of 36 months thereafter.

4. From what sources do we obtain your personal data?

In addition to the information you provide to us, or that we collect from you based on your purchases and how you use our services, we may also collect personal information from third parties. The information we collect from third parties is as follows:

- Address information from public records to ensure we have the correct address information for you.
- Credit rating information from credit rating agencies, banks or information companies.

5. Who may we share your personal data with?

Data Processors. Where necessary to provide our services, we share your personal information with companies that are our data processors. A data processor is a company that processes information on our behalf and under our instructions. We will never sell or give away your personal information to another company. We have different groups of data processors who help us with:

- Transport (logistics companies and freight forwarders).
- Payment solutions (card acquiring companies, banks and other payment service providers).
- Marketing (print and distribution, social media, media agencies or advertising agencies).
- IT services (companies that handle the necessary operation, technical support and maintenance of our IT solutions).

When your personal data is shared with data processors, it is only for purposes that are compatible with the purposes for which we have collected the information (e.g. to be able to fulfill our obligations under the terms of purchase). We check all data processors to ensure that they can provide sufficient guarantees regarding the security and confidentiality of personal data.


Authorities/companies that are independent data controllers. We also share your personal data with certain authorities and companies that are independent data controllers. The fact that the authority/company is an independent data controller means that we do not control how the information provided to the company is handled. Independent data controllers with whom we share your personal data are:

- Government authorities (police, tax authorities or other authorities) if we are required to do so by law or in the event of suspicion of a crime.
- Companies that provide general goods transport (logistics companies and freight forwarders).
- Companies that offer payment solutions (card acquiring companies, banks and other payment service providers).

When your personal data is shared with a company that is an independent data controller, the company's privacy policy and personal data processing applies.

6. Where do we process your personal data?

We always strive to process your personal data within the EU/EEA and all of our own IT systems are located within the EU/EEA. However, in the case of system support and maintenance, we may be required to transfer the information to a country outside the EU/EEA, e.g. if we share your personal data with a data processor who, either itself or through a subcontractor, is established or stores information in a country outside the EU/EEA. In these cases, the processor may only access the information that is relevant for the purpose (e.g. log files).

Regardless of the country in which your personal data is processed, we take all reasonable legal, technical and organisational measures to ensure that the level of protection is the same as within the EU/EEA. In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision from the EU Commission that the country in question ensures an adequate level of protection or by the use of so-called appropriate safeguards. Examples of appropriate safeguards are approved codes of conduct in the recipient country, standard contractual clauses, binding corporate rules or Privacy Shield.

7. How long do we store your personal data?

We never store your personal data for longer than is necessary for each purpose. See more about the specific storage periods under each purpose in Chapter 3.

8. What rights do you have as a data subject?

Right to access (so-called register extract). We are always open and transparent about how we process your personal data and if you would like to gain a deeper insight into what personal data we process about you, you can request access to the data. Please note that if we receive a request for access, we may ask for additional information to ensure that your request is handled effectively and that the information is provided to the right person.

Right to rectification. You may request that your personal data be corrected if it is incorrect. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data.

Right to erasure. You can request the erasure of personal data we process about you if:

- The data is no longer necessary for the purposes for which it was collected or processed.
- You object to a balancing of interests we have made based on legitimate interest and your reason for objection outweighs our legitimate interest.
- You object to processing for direct marketing purposes.
- The personal data is processed illegally.
- The personal data must be deleted to comply with a legal obligation to which we are subject.
- Personal data has been collected about a child (under 13 years of age) for whom you have parental responsibility and the collection has taken place in connection with the offering of information society services (e.g. social media).

Please note that we may be entitled to refuse your request if there are legal obligations that prevent us from immediately erasing certain personal data. These obligations arise from accounting and tax legislation, banking and money laundering legislation, but also from consumer law. It may also happen that the processing is necessary for us to be able to establish, exercise or defend legal claims. Should we be prevented from complying with a request for erasure, we will instead block the personal data from being used for purposes other than the purpose that prevents the requested erasure.

Right to restriction. You have the right to request that our processing of your personal data be restricted. If you dispute the accuracy of the personal data we process, you may request that processing be restricted for the period necessary for us to verify whether the personal data is accurate. If we no longer need the personal data for the stated purposes, but you need them to establish, exercise or defend legal claims, you may request that we restrict the processing of your personal data. This means that you may request that we not erase your data. If you have objected to a balancing of legitimate interests that we have made as a legal basis for a purpose, you may request that processing be restricted for the period necessary for us to verify whether our legitimate interests outweigh your interests in having the data erased. If processing has been restricted in any of the situations above, we may only process the data, in addition to the storage itself, to establish, exercise or defend legal claims, to protect the rights of someone else or if you have given your consent.

Right to object to certain types of processing. You always have the right to opt out of direct marketing and to object to all processing of personal data based on a balancing of interests.

Legitimate interest: Where we use a balancing of interests as a legal basis for a purpose, you have the opportunity to object to the processing. In order to continue to process your personal data after such an objection, we need to be able to demonstrate compelling legitimate grounds for the processing in question which outweigh your interests, rights or freedoms. Otherwise, we may only process the data for the establishment, exercise or defence of legal claims.

Direct marketing (including analyses carried out for direct marketing purposes): You have the opportunity to object to your personal data being used for direct marketing. The objection also includes the analyses of personal data (so-called profiling) carried out for direct marketing purposes. Direct marketing refers to all types of outreach marketing measures (e.g. via post, email and text message). Marketing measures where you as a customer have actively chosen to use one of our services or have otherwise sought us out to find out more about our services do not count as direct marketing (e.g. product recommendations). If you object to direct marketing, we will cease processing your personal data for that purpose as well as cease all types of direct marketing measures. Keep in mind that you always have the opportunity to influence which channels we will use for mailings and personal offers. For example, you can choose to only receive offers from us via email, but not text message. In that case, you should not object to the processing of personal data as such, but instead limit our communication channels (by contacting customer service).

Right to data portability. If our right to process your personal data is based either on your consent or the performance of a contract with you, you have the right to request that the data concerning you that you have provided to us be transferred to another controller (so-called data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.

9. How do we handle social security numbers?

We do not use, register or store our customers' social security numbers at Brittfurn.

10. What are cookies and how do we use them?

Cookies are small text files consisting of letters and numbers that are sent from our web server and saved on your browser or device. At brittfurn.se we use the following cookies:

- Session cookies (a temporary cookie that expires when you close your browser or device).
- Persistent cookies (cookies that remain on your computer until you delete them or they expire).
- First-party cookies (cookies set by the website you are visiting).
- Third-party cookies (cookies set by a third-party website. We use these primarily for analytics, e.g. Google Analytics.).
- Similar technologies (technologies that store information in your browser or on your device in a way similar to cookies).

The cookies we use generally improve the services we offer. Some of our services require cookies to function properly, while others improve the services for you. We use cookies for overall analytical information regarding your use of our services and to save functional settings such as language and other information. We also use cookies to be able to target relevant marketing to you.

11. Can you control the use of cookies yourself?

Absolutely, your browser or device allows you to change the settings for the use and scope of cookies. Go to the settings for your browser or device to learn more about how to adjust the settings for cookies. Examples of what you can adjust are blocking all cookies, only accepting first-party cookies, or deleting cookies when you close your browser. Keep in mind that some of our services may not work if you block or delete cookies. You can read more about cookies in general on the Swedish Post and Telecom Agency website, pts.se.

12. How is your personal data protected?

We use IT systems to protect the confidentiality and integrity of, and access to, personal data. We have taken specific security measures to protect your personal data against unlawful or unauthorized processing (such as unauthorized access, loss, destruction or damage). Only those persons who actually need to handle your personal data in order for us to fulfill our stated purposes have access to it.

13. What does it mean that the Swedish Data Protection Authority is a supervisory authority?

The Swedish Data Protection Authority is responsible for monitoring the application of the legislation, and anyone who believes that a company is handling personal data incorrectly can submit a complaint to the Swedish Data Protection Authority.