Privacy policy
We are pleased that you are visiting our website. The protection and security of your personal data when using our website is very important to us. Below we explain which personal data we collect when you visit maisonlefon.com and for what purposes it is used. Personal data is any information relating to an identified or identifiable natural person (the "data subject") - for example name, address, email address, or user behavior.
Controller
The controller responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:
Maison Lefon Atelier AB ("Maison Lefon") Organisation number 559288-8456
Grevgatan 55, Stockholm
Email: info@maisonlefon.com Phone: +46703552344
General
This privacy statement meets the legal requirements for transparency in the processing of personal data. The processing of personal data (e.g. collection, retrieval, use, storage, or transmission) always requires a legal basis and a defined purpose. Stored personal data is deleted as soon as the purpose of processing has been achieved and no legitimate grounds for further retention exist. We inform you about specific storage periods in the relevant sections below. Independently of this, we retain personal data where statutory retention obligations apply, in particular under the Swedish Bookkeeping Act (bokföringslagen).
Purposes and legal bases of processing (Art. 13 GDPR)
We process your personal data for the following purposes:
- to fulfill our contractual obligations to you (Art. 6(1)(b) GDPR);
- to carry out pre-contractual measures, such as responding to enquiries (Art. 6(1)(b) GDPR);
- where you have given consent for a specific purpose, for example to receive our newsletter (Art. 6(1)(a) GDPR);
- to comply with legal obligations to which we are subject, in particular accounting and tax obligations (Art. 6(1)(c) GDPR);
- to protect our legitimate interests — in particular to assert or defend legal claims, ensure IT security, prevent fraud, and carry out market research and direct marketing where you have not objected (Art. 6(1)(f) GDPR).
Recipients of personal data
Within our company, only those who need it to perform their tasks have access to your data (need-to-know principle). Individual processes are carried out by carefully selected service providers (e.g. our e-commerce platform, payment providers, and shipping carriers). Where such providers process personal data on our behalf, we have concluded data processing agreements with them in accordance with Art. 28 GDPR.
Data retention
We store your data for the duration of our contractual relationship and in compliance with statutory retention periods. In particular, accounting records are retained for up to seven (7) years as required by the Swedish Bookkeeping Act (bokföringslagen). Where no contractual relationship exists, we process data only for as long as the specific purpose requires.
Your rights as a data subject
Under the GDPR, you have the right to:
- Information (Art. 15) about the data we hold on you, including a copy;
- Rectification (Art. 16) of inaccurate or incomplete data;
- Erasure (Art. 17), unless processing is required for a legal obligation or for the assertion or defence of legal claims;
- Restriction of processing (Art. 18);
- Data portability (Art. 20), where processing is based on consent or contract and carried out by automated means;
- Object (Art. 21) to processing based on legitimate interests, and at any time to processing for direct marketing;
- Withdraw consent (Art. 7(3)) at any time, with effect for the future.
To exercise any of these rights, contact us at info@maisonlefon.com.
You also have the right to lodge a complaint with a supervisory authority. The competent authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), imy.se.
Cookies
Cookies are small text files sent to your browser when you visit our website and stored on your device. As an alternative, information may be stored in your browser's local storage. Some functions of our website cannot be offered without technically necessary cookies. Other, non-essential cookies allow us to carry out analyses and improve our website — for example by recognizing your browser on a return visit and storing your preferred settings (e.g. country and language). Cookies cannot run programs or transmit viruses. You can manage your preferences at any time via the cookie settings / consent manager on our website. Detailed information on the cookies used is provided in the relevant sections below.
Processing in detail
An automated decision in individual cases, including profiling, does not take place.
Provision of the website and hosting
When you access our website, your browser automatically transmits certain data to our server, which is temporarily stored in a log file: IP address of the requesting device, date and time of access, name and URL of the retrieved file, the referrer URL, and the browser and operating system used. Our website is operated on Shopify, provided by Shopify International Limited (Ireland) / Shopify Inc. (Canada), which processes this data on our behalf for the secure, fast, and efficient provision of our online shop (Art. 6(1)(b) and (f) GDPR). A data processing agreement is in place.
Contact enquiries
When you contact us (e.g. by email, contact form, or telephone), we store the data arising from this (e.g. name, email address, and the content of your enquiry) to process it and answer any follow-up questions. We do not pass this data on without your consent. The legal basis is Art. 6(1)(b) GDPR where your enquiry relates to a contract, otherwise our legitimate interest in handling enquiries (Art. 6(1)(f)) or your consent (Art. 6(1)(a)). This data is retained until your enquiry has been fully resolved, subject to statutory retention periods.
Customer account and contract data
We collect, process, and use your personal data only insofar as it is necessary to establish, perform, or amend our contractual relationship with you (Art. 6(1)(b) GDPR). Customer data is deleted after completion of the order or termination of the business relationship, unless statutory retention periods require otherwise.
Data transmission on conclusion of a contract
We transmit personal data only where necessary to perform the contract - for example to the shipping carrier handling your delivery (PostNord within Sweden, UPS internationally) or to the payment institution processing your payment. Any further transmission takes place only with your express consent. Legal basis: Art. 6(1)(b) GDPR.
Payment services
When you make a purchase, your payment data (e.g. name, amount, and account or card details) is processed by the relevant payment service provider for the purpose of processing your payment; the respective providers' terms and privacy notices apply. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR) and our interest in a smooth, secure payment process (Art. 6(1)(f) GDPR). We currently offer payment via [Shopify Payments / Klarna / PayPal / card (Visa, Mastercard, American Express)]. Data is transmitted in encrypted form.
If you offer "pay later" / invoice payment (e.g. Klarna): the provider may carry out a credit assessment to determine the probability of payment default, on the basis of Art. 6(1)(b) and (f) GDPR. Where score values are used, they are based on a recognized mathematical-statistical procedure.
Newsletter
If you subscribe to our newsletter, we require your email address and confirmation that you consent to receive it. No other data is collected unless you provide it voluntarily. Processing is based solely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via the "unsubscribe" link in any newsletter. We store this data until you unsubscribe. After unsubscribing, your email address may be kept on a suppression list for an indefinite period solely to ensure we do not contact you again (Art. 6(1)(f) GDPR). Our newsletter is sent via [Klaviyo / Shopify Email / Mailchimp], with whom a data processing agreement is in place.
Social media presence
We maintain publicly accessible profiles on social networks, including Facebook and Instagram, both operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. When you visit our profiles, the platform operator may process your data (e.g. IP address, usage behavior) and build user profiles for personalized advertising; we have no full influence on this. For visits to our profiles we are jointly responsible with the operator under Art. 26 GDPR. The legal basis for our presence is Art. 6(1)(f) GDPR. For details, please consult the privacy policy of the respective platform.
Meta (Facebook) Pixel
We use the Meta Pixel, provided by Meta Platforms Ireland Limited, to measure and optimize our advertising. The pixel allows us to understand the behavior of visitors directed to our site from a Meta ad. As the website operator we receive aggregated data only; Meta processes the data for its own advertising purposes and joint responsibility applies under Art. 26 GDPR for the collection and transmission stage. Where you have consented (e.g. via our cookie banner), processing is based on Art. 6(1)(a) GDPR; you can withdraw consent at any time. Transfers to the USA are based on the EU Standard Contractual Clauses and/or the EU–U.S. Data Privacy Framework.
Web analytics (if used)
If enabled, we use [Google Analytics 4], provided by Google Ireland Limited, to understand how our website is used (e.g. visit frequency, duration, and devices), on the basis of your consent (Art. 6(1)(a) GDPR). IP anonymisation is applied. You can withdraw consent at any time. Transfers to the USA are based on the EU Standard Contractual Clauses and/or the EU–U.S. Data Privacy Framework.
International data transfers
Some of our service providers are based in, or transfer data to, countries outside the EU/EEA (in particular the USA). Such transfers are safeguarded by the EU Standard Contractual Clauses, applicable adequacy decisions, and/or the EU–U.S. Data Privacy Framework where the recipient is certified.
Changes to this policy
We may update this privacy policy to reflect changes in our processing or in legal requirements. The current version is always available on our website.
Contact
For any questions regarding data protection, contact us at info@maisonlefon.com.
Last updated: 02 June, 2026