Privacy policy

1. General

1.1 This privacy policy describes how Blair AB, reg. no. 559530-1010, Sven Hultings Plats 5, 412 58 Gothenburg (“Blair”, “we”, “us”) processes and safeguards personal data when private individuals visit our website, place an order, or communicate with us.

1.2 The purpose is to ensure that all processing is carried out lawfully, correctly, and transparently in accordance with the GDPR, ePrivacy rules, and Swedish legislation. The policy is intended to provide you, as a consumer, with clear information about how we collect, use, share, store, and protect your personal data.

1.3 Blair works systematically with privacy protection through technical safeguards, risk analyses, internal routines, and continuous training. We apply data minimisation and store information only for as long as necessary to fulfil purposes and legal requirements.

2. Key Concepts

Concept Meaning
Cookie

Small text files stored in the browser to enable functions, statistics, and marketing. Managed according to Blair’s separate Cookie Policy.
Personal data

Any information that directly or indirectly can identify a natural person, e.g. name, address, personal identity number, email, IP address, order number.
Processing

Any operation performed on personal data, such as collection, storage, analysis, sharing or deletion, whether manual or automated.
Controller

The party that determines the purposes and means of the processing – here: Blair AB.
Processor

An external party that processes data on behalf of Blair under a data processing agreement (DPA).
Legal basis

Legal grounds under Article 6 GDPR (consent, contract, legal obligation or legitimate interest).
Special categories of data

Special categories (health, ethnicity, political opinions etc.) are processed only in exceptional cases. Blair’s services are also not directed at children, and we do not knowingly collect personal data from minors without parental consent.
Data subject

Consumer/customer who uses our services.
Third-country transfer

Transfer of personal data outside the EU/EEA (regulated in GDPR Chapter V).

3. Contact

Data Protection Officer (DPO)
Blair AB
Att: Dataskyddsansvarig
Email: info@heyblair.com
Address: Sven Hultings Plats 5, 412 58 Gothenburg

Contact can also be made as follows:

Matter Contact Comment
General inquiries

info@heyblair.com

We confirm and usually respond within 1 business day and no later than 30 days.
GDPR request

info@heyblair.com

We may request identification (BankID or ID copy).
Incident reporting

info@heyblair.com

Feedback within 24 hours.
Supervisory authority

The Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm

More information at www.imy.se

 

4. Processing of Personal Data

4.1 When visiting our website

When and why Personal data Legal basis Retention period
Delivering the website

IP address, technical logs

Legitimate interest (necessary operation)

2 months
Statistics and analysis (Microsoft Clarity)

IP (truncated), events, cookie ID

Consent (ePrivacy)

90 days
Marketing cookies (Meta, Google, TikTok)

Cookie ID, device ID, hashed email (with consent), conversion data

Consent / legitimate interest (customers)

Up to 24 months

4.2 When you make a purchase

When Personal data Legal basis Retention period
Purchasing products

Name, address, email, phone number, order contents, order number

Contract

3 years (Consumer Sales Act) + 7 years (Accounting Act)
Payment via Svea

Name, address, personal identity number, contact details, payment data, IP address

Contract + legal obligation (Svea)

See section 5 below
Delivery via Sendify/carriers

Name, address, phone number, parcel ID, tracking information

Contract

12 months (Sendify) or according to carrier

4.3 When you create an account or store order history

When Personal data Legal basis Retention period
Creating an account on Blair’s website

Name, email, password (hashed), order history

Contract / requested service

As long as the account is active
Inactive accounts

Name, email, password (hashed), order history

Legitimate interest

Deleted after 24 months of inactivity
Customer analysis and improvement

Order history, purchasing behaviour

Legitimate interest

24 months
Newsletter via Mailchimp

Name, email, interaction data

Consent / existing customer relationship

Until withdrawn or 24 months of inactivity

4.4 Support and customer cases

When Personal Data Legal basis Retention period
Support via email

Name, contact details, correspondence

Legitimate interest

12 months
Complaints/returns

Name, order number, error description

Legal obligation (Consumer Sales Act)

3 years
Disputes/claims

Communication, order data

Legal obligation

Until the case is closed

4.5 Marketing

Type Personal data Legal basis Retention period
Advertising via Meta/Google/TikTok

Cookie ID, device ID, hashed email, conversion events

Consent

24 months
Direct marketing to customer

Email, purchase history

Legitimate interest (opt-out)

Until opt-out or 24 months of inactivity

Prospect marketing = only with consent (e.g. newsletters).

5. Personal Identity Numbers via Svea

Svea may need a personal identity number for:

  • Identification
  • Credit assessment
  • Invoicing
  • Fraud prevention

Blair never has access to the full personal identity number – it is handled by Svea as an independent data controller.

Risk minimisation:

  • Personal identity numbers are sent directly to Svea via encrypted connection.
  • Blair does not store personal identity numbers in our systems.
  • Svea complies with accounting, tax, and payment regulations.

Retention period:
Determined by Svea’s own obligations (usually 7–10 years depending on payment method).

6. Data Processors and Recipients

Here we adjust according to your instructions:

Provider Category Data processed Role Protection
WooCommerce

Webshop

Order data, customer data, accounts

Processor

Encryption, MFA
Mailchimp

Newsletter

Name, email, interaction data

Processor

DPF certification, DPA
Sendify + carriers

Delivery

Name, address, phone, parcel ID

Processor / independent

Encryption, contract
Svea Checkout

Payment

Personal identity number, address, contact data, IP address

Independent controller

DPA, legal requirements
Meta, Google, TikTok

Advertising

Cookie ID, device data, hashed email, conversions

Independent controllers

Consent management
Google Workspace

Email & documents

Name, email, metadata

Processor

DPF

7. Transfers Outside the EU/EEA

Blair mainly processes personal data within the EU/EEA. Some providers use infrastructure or support in the USA. All transfers occur under GDPR Chapter V and after a TIA assessment.

Category / Provider Type of personal data Processing location (main) Transfer mechanism
Google Workspace

Name, email, documents, metadata

USA (DPF-certified)

EU-US Data Privacy Framework (DPF)
Microsoft Clarity / Microsoft Ads

IP address (truncated), cookie ID, analytics data

USA (DPF-certified)

EU-US Data Privacy Framework (DPF)
Mailchimp (Intuit Inc.)

Name, email address, interaction data

USA (DPF-certified)

EU-US Data Privacy Framework (DPF)
TikTok

Cookie ID, device data, hashed email (with consent), conversion events

USA / Singapore (not DPF-certified)

Standard Contractual Clauses (SCC) + supplementary safeguards

8. Your Rights Under the GDPR

Right Article Meaning How to exercise your rights
Access

Art. 15

Obtain a copy of personal data and information about the processing.

Request via info@heyblair.com.
Rectification

Art. 16

Correct inaccurate or incomplete data.

Contact us via email or phone.
Erasure (“right to be forgotten”)

Art. 17

Erasure when data is no longer needed or when consent is withdrawn.

Email info@heyblair.com
Restriction

Art. 18

Temporarily stop processing during a dispute regarding accuracy or legality.

Mark the email “Restriction”.
Data portability

Art. 20

Receive data in a structured format or transfer to another party.

Request export (CSV/JSON).
Objection

Art. 21

Object to legitimate interest or direct marketing.

Use opt-out links or contact us.
Withdraw consent

Art. 7.3

Withdraw consent without affecting previous processing.

Via cookie banner or email.
Automated decision-making

Art. 22

Request manual review of decisions with legal effect.

Email info@heyblair.com

9. Children and Minors

Blair’s services are not directed at children.

  • You must be at least 16 years old to use the service.

  • Minors must make purchases through a guardian.

  • We do not knowingly collect personal data from children.

10. Changes and Validity

10.1 Blair reviews this privacy policy at least once a year or when needed, for example if:

a) New or amended legislation enters into force,
b) The business changes in a way that affects data processing,
c) New systems, providers, or processing activities are introduced, or
d) The Swedish Authority for Privacy Protection (IMY) or EU authorities issue new guidance or decisions.

10.2 The review is carried out by Blair’s Data Protection Officer (DPO) together with management and relevant system owners. The DPO is responsible for identifying the need for updates, documenting changes, and ensuring that new versions comply with applicable law and Blair’s internal information security policy.

10.3 When significant changes are made, we inform:

a) Internally to all employees via email and/or intranet, and
b) Externally to customers, partners, and data subjects via our website (heyblair.com) and, if relevant, via direct communications.

10.4 Each new version receives a revision date and version identifier, and the previous version is archived in accordance with Blair’s document management routines.

10.5 The current version is always published at www.heyblair.com.

 

Last updated: 2 December 2025

This website uses cookies

Cookies ("cookies") consist of small text files. The text files contain data which is stored on your device. To be able to place some type of cookies we need your consent. We at , corporate identity number use these types of cookies. To read more about which cookies we use and storage duration, click here to get to our cookiepolicy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that need to be placed for fundamental functions on the website to work. Fundamental functions are for instance cookies that are needed for you to use menus and navigate the website.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed for the website to perform in the way that you expect. For instance to remember which language you prefer, to know if you are logged in, to keep the website secure, remember login credentials or to enable sorting of products on the website in the way that you prefer.

Statistical cookies

Check to consent to the use of Statistical cookies
To know how you interact with the website we place cookies to collect statistics. These cookies anonymize personal data.

Personalization cookies

Check to consent to the use of Personalization cookies
In order to provide a better experiance we place cookies for your preferances

Ad measurement cookies

Check to consent to the use of Ad measurement cookies
To be able to provide a better service and experience we place cookies to tailor marketing for you. Another purpose for this placement is to market products or services to you, give tailored offers or market and give recommendations on new concepts based on what you have bought from us previously.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data