Privacy Policy
Last updated: 2026-06-11
This policy explains how Mjuk Lov collects, uses and protects your personal data when you use our website, create an account and place an order. We comply with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
1. Data controller
The controller of your personal data is Mjuk Lov, based in Gothenburg, Sweden.
Data protection contact: mjuklov.se@gmail.com.
2. Data we process
- Account: email and password (stored encrypted/hashed by our provider), plus the name and phone number you provide.
- Orders: products, desired date, pickup or delivery, delivery addresses (including the recipient's name and phone), and your contact details.
- Saved addresses: addresses you choose to save for reuse.
- Preferences: the diet and allergies you enter, plus saved recipes, notes and cooking history. Allergy information may constitute health data (a special category of personal data).
- AI assistant: the questions you type and, only if you consent, your saved diet/allergy preferences.
- Technical data: data stored locally in your browser (cart, language choice, preferences), essential authentication cookies, and anonymous performance metrics.
3. Purposes and legal bases
- Creating and managing your account and processing and delivering your order. Legal basis: performance of a contract.
- Adapting recipes/answers to your diet and allergy data and sending them to our AI provider. Legal basis: your explicit consent (special-category data). You can withdraw consent at any time.
- Sending order confirmations and replies to your enquiries. Legal basis: contract / legitimate interest.
- Security, preventing misuse and improving the service. Legal basis: legitimate interest.
- Showing personalised offers and discounts based on your saved recipes, likes and purchase history. Legal basis: your consent (marketing). You can withdraw consent at any time.
- Keeping accounting records of completed purchases. Legal basis: legal obligation (Swedish Bookkeeping Act).
4. Recipients and processors
We never sell your data. To run the service we use the following providers, who process data on our behalf:
- Supabase: database, accounts and authentication.
- OpenAI: powers the AI assistant (only the questions and, with consent, the preferences you send).
- Google Maps Platform: address suggestions for delivery.
- Resend: sending order and contact emails.
- Vercel: hosting and anonymous performance metrics (Speed Insights).
- Stripe: payments (if/when payment is enabled).
5. International transfers
Some of our providers may process data outside the EU/EEA (e.g. in the USA). Where this happens, the transfer relies on the European Commission's Standard Contractual Clauses or a valid adequacy decision, with appropriate safeguards.
6. Retention
- Account data: for as long as your account is active. You can delete your account at any time.
- Orders and accounting records: for as long as required by the Swedish Bookkeeping Act (normally seven years).
- Preferences and saved addresses: until you change or delete them.
- When you delete your account your personal data is removed immediately. Completed orders are retained but anonymised (your identity and contact details are removed) to comply with the Bookkeeping Act.
7. Your rights
Under the GDPR you have the right to:
- request access to and a copy of your data,
- rectify inaccurate data,
- erase your data (the “right to be forgotten”),
- restrict or object to processing,
- receive your data in a machine-readable format (data portability),
- withdraw any consent you have given, at any time.
- You can export your data and delete your account directly from “My page”.
8. Complaints
You can exercise your rights by emailing mjuklov.se@gmail.com. If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se.
9. Cookies and local storage
We use essential authentication cookies to keep you signed in, and local storage in your browser for the cart, language choice and your preferences. These are required for the service to work. We do not use advertising or tracking cookies. Our performance metrics (Vercel Speed Insights) are anonymous and not linked to you.
10. Security
Data is transferred over encrypted connections (HTTPS), passwords are stored hashed, and access to account data is restricted at the row level so you can only reach your own data.
11. Children
The service is not directed at children. We do not knowingly collect data about children under 13 without a guardian's consent.
12. Changes
We may update this policy. Material changes will be announced on the website. The date at the top shows when the policy was last changed.