Privacy policy

When you visit hagawebb.com: the site is static and served via Cloudflare Pages. No tracking cookies, no analytics, no third-party scripts other than Google Fonts (loaded from fonts.googleapis.com). Cloudflare logs technical data for security and operations:

• IP address (truncated/anonymised in Cloudflare logs)
• User-agent (browser, operating system)
• Requested URL and response status
• Timestamp
• Referring URL (if your browser sends it)

When you email us: you share whatever data you choose to send — name, email, phone, business name, message content. Inbound mail to [email protected] is forwarded to a Gmail mailbox for response.

When you become a client: we collect the legal information required for invoicing and contracts — full legal name, registered address, VAT number, name and title of signatory. This data is held in a separate client database (SQLite, locally on Hagawebb's server).

What we do not collect: tracking cookies, fingerprints, precise geolocation, payment card data (we use bank transfer only), or special categories of personal data.

We process your data for the following purposes:

• Operating and securing the website — server logs, DDoS protection, debugging. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
• Responding to your enquiry — when you email us. Legal basis: pre-contractual measures at your request (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)).
• Performing the engagement — if you become a client: contract, invoicing, delivery, support. Legal basis: performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for accounting / invoice retention.
• Bookkeeping and tax — invoices, receipts, client data. Legal basis: legal obligation under the Swedish Bookkeeping Act (1999:1078) and VAT rules.

The following services are processors or recipients of personal data within our operations:

We do not sell or share personal data for marketing purposes with anyone.

Cloudflare and Google operate infrastructure both in the EU and in the US. Resend operates within the EU. For US transfers, we rely on the EU-US Data Privacy Framework (where the provider is certified) and, where applicable, the European Commission's Standard Contractual Clauses (SCCs) as a transfer mechanism under Art. 46 GDPR.

Only technical metadata (IP addresses, request logs) or — for outbound mail — content you have provided to us is transferred to these providers for delivery / storage.

• Cloudflare server logs: handled per Cloudflare's retention (typically 30 days for access logs).
• Email: archived in Gmail indefinitely unless a deletion request is received.
• Client data (engaged clients): processed for the duration of the engagement and retained for 7 years thereafter under the Swedish Bookkeeping Act (1999:1078) ch. 7 § 2.
• Invoices and accounting records: 7 years under the Bookkeeping Act.
• Enquiries that don't lead to engagement: deleted on request, or after 12 months.

Under GDPR, you have the following rights regarding your personal data:

• Access (Art. 15) — confirmation of, and a copy of, the data we process about you.
• Rectification (Art. 16) — correction of inaccurate data.
• Erasure (Art. 17) — deletion when there is no remaining legal basis to process (note: bookkeeping data is subject to the 7-year retention above).
• Restriction (Art. 18) — temporary restriction of processing while a question is being resolved.
• Portability (Art. 20) — receive your data in a structured, machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest.
• Withdraw consent — where we process based on consent, you can withdraw at any time.

To exercise a right, email [email protected]. We respond within one month per Art. 12(3) GDPR.

You have the right to lodge a complaint with a supervisory authority. The Swedish authority is:

Integritetsskyddsmyndigheten (IMY) — imy.se
Box 8114, 104 20 Stockholm, Sweden · Tel. +46 8-657 61 00

You may also contact the supervisory authority of the EU country where you reside, where you work, or where the alleged infringement took place.

We may update this policy. The "Last updated" date at the top reflects the most recent change. For material changes we'll post a notice on the homepage for at least 30 days. If anything is unclear, get in touch: [email protected].