Privacy Policy

1. Data Controller

The data controller responsible for your personal data is: Daniela Maryla Rybiałek (trading as nordai.studio), Tant Gröns Väg 11, 147 60 Uttran, Sweden, VAT no. SE961101078701. For any data-related questions, contact us at hello@nordai.studio. We will respond to requests within 30 days.

2. Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

• —Contact forms: full name, email address, message content, submission timestamp, IP address.
• —Orders: name, billing and delivery address, email address, phone number (optional), order details, and payment confirmation reference. Card details are processed exclusively by our certified payment provider and never stored on our servers.
• —Meeting bookings: name and email address provided when scheduling a consultation via Cal.com.
• —Client relationship: correspondence history, call and meeting notes held in our CRM system.
• —Website: we do not use tracking cookies or analytics that collect personal data.

3. Purpose of Processing

We process your personal data only for the following purposes:

• —Responding to your inquiry and communicating about your project.
• —Fulfilling and managing orders for services or digital products.
• —Sending booking confirmations and reminders for scheduled meetings.
• —Managing the client relationship and maintaining project records.
• —Complying with legal obligations such as bookkeeping and tax requirements.
• —Sending marketing communications (only with your explicit prior consent).
• —Preventing spam and ensuring the security of our systems (legitimate interest).

4. Legal Basis

We rely on the following legal bases under GDPR Article 6:

• —Art. 6(1)(a) — Consent: processing based on your freely given, specific, and informed consent (contact forms, marketing emails). You may withdraw consent at any time by contacting hello@nordai.studio.
• —Art. 6(1)(b) — Contract: processing necessary to perform a contract with you or to take pre-contractual steps at your request (order fulfilment, service delivery).
• —Art. 6(1)(c) — Legal obligation: processing required by Swedish law, in particular the Bookkeeping Act (Bokföringslagen, 1999:1078), which requires retention of accounting records for 7 years.
• —Art. 6(1)(f) — Legitimate interest: preventing spam, ensuring website security, and maintaining business records — where these interests do not override your fundamental rights.

5. Order Processing

When you place an order, we process your name, email address, billing and delivery address, and order details to perform the contract. Payment is handled by a certified payment service provider under PCI-DSS standards — we receive only a payment confirmation reference and never store your card details. Where applicable, delivery information may be shared with shipping partners solely for the purpose of fulfilling your order.

6. Retention Periods

We retain personal data only as long as necessary:

• —Contact form inquiries: up to 12 months from submission, unless we enter into a business relationship.
• —Order and invoice data: 7 years from the end of the financial year, as required by the Swedish Bookkeeping Act.
• —Client relationship data: for the duration of the business relationship and up to 3 years thereafter.
• —Marketing consent records: until you withdraw consent.
• —Cal.com booking data: governed by Cal.com's own retention policy; see cal.com/privacy.

7. Marketing Communications

We will only send marketing emails if you have given explicit, separate consent. Every marketing message includes an unsubscribe link. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. We do not use your data for automated profiling or for automated decision-making that produces legal or similarly significant effects.

8. Your Rights

Under the GDPR you have the following rights, exercisable at any time by contacting hello@nordai.studio:

• —Right of access (Art. 15) — obtain a copy of your personal data and information about how it is processed.
• —Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
• —Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
• —Right to restriction (Art. 18) — request that we limit processing of your data.
• —Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• —Right to object (Art. 21) — object to processing based on legitimate interest or for direct marketing.
• —Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.
• —Right to lodge a complaint (Art. 77) — file a complaint with the Swedish supervisory authority (IMY) or your local data protection authority.

9. Cookies

Our website currently uses only strictly necessary cookies required for core functionality: a language preference cookie and a dark/light mode preference cookie. These contain no personal information and are not shared with third parties. We plan to introduce Google Analytics (Google LLC) for website traffic analysis. When this is active, analytics cookies will be used — but only with your prior, explicit consent via a cookie consent banner. Google Analytics may transfer data to Google servers in the United States; such transfers are covered by Standard Contractual Clauses. You will be able to accept or decline analytics cookies at any time via the consent banner. No analytics or advertising cookies are currently active.

10. Third-Party Service Providers

We share your data only with trusted processors who help us operate our services:

• —Vercel Inc. (web hosting and infrastructure) — servers in the USA; transfers covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46. See vercel.com/legal/privacy-policy.
• —Neon Inc. (database hosting) — data stored on servers within the EU/EEA.
• —Cal.com Inc. (meeting scheduling) — name and email shared when you book a meeting. See cal.com/privacy.
• —Payment service provider — your payment details are processed directly by our provider under PCI-DSS standards; we do not store card data.
• —Email delivery service — used solely to send transactional and confirmation messages.
• —Google LLC (Google Analytics, planned) — anonymised website usage statistics; data may be transferred to the USA under Standard Contractual Clauses. Processing takes place only after your explicit cookie consent. See policies.google.com/privacy.

11. International Data Transfers

Some service providers (Vercel, Cal.com) are based outside the EEA, primarily in the United States. For any such transfer we ensure appropriate safeguards are in place — specifically Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). You may request a copy of the applicable safeguards by contacting us at hello@nordai.studio.

12. Supervisory Authority

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Swedish data protection authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden — www.imy.se / imy@imy.se. You may also contact the supervisory authority in your country of habitual residence within the EU/EEA.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. When we make material changes we will update the date at the top of this page. We encourage you to review this policy periodically. Continued use of our services after a material update constitutes acknowledgement of the revised policy.

14. Contact

For any questions about this Privacy Policy, to exercise your rights, or to request deletion of your data, please write to: Daniela Maryla Rybiałek · hello@nordai.studio · nordai.studio. We will respond within 30 days.