Privacy & Data‑Protection Policy

Vara & Co. values your privacy and handles personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and the Swedish Data Protection Act. We implement privacy by design and default and comply with the GDPR’s fundamental principles.

What Personal Data We Collect

We collect only data necessary to provide our services, including:

  • Order data – name, postal address, telephone number, e‑mail address, order contents and payment information.

  • Account data – if you create an account, we store login credentials (encrypted), wish lists and previous order history.

  • Communication data – queries, feedback or complaints you send to us.

  • Marketing preferences – if you sign up for newsletters or marketing, we collect your consent and preferences.

Lawful Bases for Processing

The GDPR requires every processing operation to rely on a lawful basis. Private companies like ours mainly use the following grounds: contract, legal obligation, legitimate interests, and consent.

  • Contract – We need to process your order and payment to fulfil our contract with you.

  • Legal obligation – We process data to meet accounting and tax obligations and to comply with consumer‑protection laws.

  • Legitimate interests – We may use your data for fraud prevention, analytics and to improve our services. When relying on legitimate interests, we balance our interests against your rights and only proceed where such processing falls within your reasonable expectations.

  • Consent – We rely on your consent for sending newsletters or using non‑essential cookies. You may withdraw your consent at any time.

How We Use Personal Data

Our purposes are specific, explicit and legitimate:

  • Processing orders, payments and deliveries.

  • Providing customer support and handling returns and complaints.

  • Sending order confirmations and updates.

  • Improving our website and services through analytics.

  • Marketing (only if you consent) and personalised product recommendations.

  • Complying with legal obligations (e.g., accounting records).

We do not process more data than necessary and ensure data is accurate and kept up to date. We erase or anonymise personal data when it is no longer needed.

Data Subject Rights

Under the GDPR, you have several rights concerning your personal data:

  1. Right to Information – You have the right to know how we process your data and to receive this information in clear language.

  2. Right to Access – You may request a copy of the personal data we hold about you.

  3. Right to Rectification – You may request correction of inaccurate or incomplete data.

  4. Right to Erasure (“Right to be forgotten”) – You may request erasure of your data in certain circumstances, for example if it is no longer necessary for the purposes for which it was collected or if you withdraw your consent.

  5. Right to Restrict Processing – You may request restriction of processing in specific cases, for example while we verify the accuracy of your data.

  6. Data Portability – You may request that we transfer your personal data to you or to another provider.

  7. Right to Object – You may object to processing based on legitimate interests or for direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.

  8. Automated Decision‑Making – You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights, please contact us via the details below. We will respond within 30 days and may ask you to verify your identity. If you are not satisfied with our response, you can lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

Cookies and Tracking Technologies

Our website uses cookies to provide a better user experience. Under the Swedish Electronic Communications Act and GDPR, we must obtain your consent for non‑essential cookies. Essential cookies (e.g., to remember your cart) are required for the website to function and do not require consent. When you first visit our site, a banner allows you to accept, customise or reject non‑essential cookies. You can modify your cookie preferences at any time.

Data Security and Storage

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration and destruction. This includes encryption, firewalls, secure servers and access controls. We limit access to personal data to staff who need it to perform their duties. Data is stored within the EU or in countries deemed adequate by the European Commission. If we transfer data outside the EU/EEA, we ensure appropriate safeguards (e.g., standard contractual clauses).

Retention Period

We keep order data for as long as necessary to fulfil our contract and for the duration required by law (e.g., accounting rules). Marketing consent records are retained until you withdraw consent. Data collected for analytics is anonymised or pseudonymised where possible.

Data Sharing

We may share personal data with:

  • Service providers (payment processors, logistics partners, IT vendors) who act as data processors and only process data according to our instructions.

  • Authorities when required by law or to protect our rights.

  • Accounting and legal advisors for compliance and dispute resolution.

We do not sell your personal data to third parties.