Privacy Policy

Last updated: 2026-02-25

Effective date: 2026-02-25

1. Introduction

Welcome to the privacy policy of Premex AB ("we", "us", or "our"). We operate the website located at https://crafty.premex.se and are committed to protecting your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our services. Please read it carefully.

Our principal place of business is located at: Jerikovägen 12, 141 32 Huddinge

Company registration number: 559253-4134

2. Data Controller

Premex AB is the data controller responsible for your personal data.

  • Email: contact@premex.se

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be contacted regarding any data protection matters:

  • DPO Contact: dpo@premex.se

3. Information We Collect

Personal Data

We may collect the following categories of personal data that you voluntarily provide to us:

  • Full name

  • Email address

  • Phone number

  • Photos or avatars

Usage Data

We automatically collect certain information when you visit, use, or navigate our services:

  • IP address

  • Browser type and version

  • Pages visited and time spent

  • Date and time of access

  • Error logs and crash reports

Device Information

We collect information about the device you use to access our services, including:

  • Device type and model
  • Operating system and version
  • Unique device identifiers
  • Browser type and version
  • Screen resolution and colour depth
  • Language preferences

Location Data

We collect and process location data, which may include:

  • Approximate location derived from your IP address
  • Precise geolocation data (with your consent where required by law)
  • Wi-Fi access point data and cell tower information

You can disable location services through your device settings at any time. However, disabling location services may affect the functionality of certain features.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies (pixels, web beacons, and local storage) to collect and store information about your interactions with our services. For comprehensive details about the cookies we use and your choices regarding cookies, please see our Cookie Policy.

Obligation to Provide Data

Providing certain personal data is necessary in order to use our services and enter into a contract with us. You will not be able to create an account or use our services. Certain features such as geofence-based time tracking require location data — if you do not provide location access, those features will be unavailable.

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

  • Consent — you have given us clear consent to process your personal data for a specific purpose

  • Contract — processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract

  • Legal obligation — processing is necessary for compliance with a legal obligation to which we are subject

  • Legitimate interests — processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests

Purpose-to-legal-basis mapping:

Service provision and account management — Contract performance; Analytics and usage monitoring — Legitimate interests; Marketing communications — Consent; Legal compliance — Legal obligation; Geofencing and time tracking — Contract performance (explicit consent for precise location data); Push notifications — Consent

Where we rely on consent as a legal basis, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Use Your Data

We use the information we collect for the following purposes:

  • To provide, operate, and maintain our services

  • To improve and personalise user experience

  • To communicate with users, including responding to inquiries

  • To send promotional and marketing communications (with consent)

  • To monitor and analyse usage trends and service performance

  • To detect, prevent, and address fraud or security issues

  • To comply with legal obligations and enforce our terms

  • To provide customer support

  • To manage user accounts and authentication

6. Data Sharing and Third Parties

We may share your personal data with the following categories of third parties:

  • Cloud hosting and infrastructure providers

  • Analytics and monitoring services

  • Email and communication service providers

  • Payment processors

We require all third parties to respect the security of your personal data and to treat it in accordance with applicable law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.

6.1 Analytics Providers

We use third-party analytics services to help us understand how our services are used. These analytics providers may collect information about your online activity over time and across different websites. The analytics providers we use include:

  • Mixpanel

6.3 Payment Processors

We use third-party payment processors to handle payment transactions securely. Your payment information is transmitted directly to the payment processor and is not stored on our servers. The payment processors we use include:

  • Google Pay

6.4 Social Login Providers

If you choose to register or log in using a social media account, we may receive certain profile information from the social media provider. The information we receive depends on the provider and your privacy settings, but may typically include your name, email address, profile picture, and friends list.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country. We transfer data to the following countries or regions:

  • United States

When we transfer your data internationally, we ensure appropriate safeguards are in place to protect your personal data. The transfer mechanisms we rely on include:

  • Standard Contractual Clauses (SCCs)

For transfers outside the European Economic Area (EEA), we ensure that adequate protection is provided through the transfer mechanism stated above, in compliance with Chapter V of the General Data Protection Regulation (GDPR). Where the primary mechanism is insufficient, we may supplement it with Standard Contractual Clauses (SCCs) approved by the European Commission or obtain your explicit consent.

8. Data Retention

We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Default retention period: As long as necessary for the stated purpose

We apply the following specific retention periods for different categories of data:

  • Account data: retained for the duration of the account plus 30 days after deletion

  • Transaction records: retained for 7 years for tax and legal compliance

  • Analytics data: retained for 26 months

  • Log files: retained for 90 days

Detailed retention schedule:

Account data — duration of account + 30 days after deletion request; Transaction and billing records — 7 years (Swedish Bokföringslag requirement); Analytics data — 26 months; Server and error logs — 90 days; Marketing consent records — 5 years; Geofence event data — duration of account + 30 days

When the retention period expires, we will securely delete or anonymise your personal data in accordance with our data disposal procedures.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL)

  • Encryption of data at rest

  • Access controls and role-based permissions

  • Regular data backups with encryption

  • Data processing agreements with all sub-processors

  • Incident response and data breach notification procedures

  • Employee security training and awareness programmes

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.

Data Breach Notification

In accordance with the General Data Protection Regulation (GDPR):

  • Supervisory Authority Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Individual Notification: Where a data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 of the GDPR. This notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
  • Record Keeping: We maintain records of all personal data breaches, including those not requiring notification, as part of our accountability obligations under the GDPR.

In the event of a breach requiring notification, we will notify: the Swedish Authority for Privacy Protection (IMY) at https://www.imy.se

10. Your Rights

10.1 Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access — You can request a copy of the personal data we hold about you.
  • Right to Rectification — You can request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure — You can request that we delete your personal data (the "right to be forgotten"), subject to certain legal exceptions.
  • Right to Restrict Processing — You can request that we limit the processing of your personal data in certain circumstances.
  • Right to Data Portability — You can request a machine-readable copy of the personal data you have provided to us.
  • Right to Object — You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent — Where we process data based on your consent, you can withdraw that consent at any time.
  • Right Not to Be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

To exercise any of these rights, please contact us at contact@premex.se. We will respond to your request within one month.

If you believe that we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority: the Swedish Authority for Privacy Protection (IMY) at https://www.imy.se

Swedish Data Protection Law

In addition to the GDPR, we comply with the Swedish Act with Supplementary Provisions to the EU General Data Protection Regulation (Lag 2018:218) and the Swedish Electronic Communications Act (LEK 2022:482), which implements the ePrivacy Directive. The supervisory authority for data protection in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). You may contact IMY at https://www.imy.se if you have concerns about our processing of your personal data.

11. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected personal data from a child under 16, we will promptly delete that information. If you believe that we may have collected data from a child, please contact us at contact@premex.se.

12. Do Not Track Signals

Our services do not currently respond to Do Not Track (DNT) browser signals. There is no uniform standard for how DNT signals should be interpreted, and we will update this policy if a standard is established.

13. Automated Decision-Making

We do not use solely automated decision-making, including profiling, that would have a legal or similarly significant effect on you.

14. Cookie Policy

We use cookies and similar tracking technologies on our services. For detailed information about the types of cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please refer to our Cookie Policy.

You can manage your cookie preferences at any time through our consent banner or through your browser settings.

15. Third-Party Links

Our services may contain links to third-party websites and services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you by email and by posting the updated policy on our website.

The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically. If material changes affect the legal basis on which we process your data, we will seek renewed consent where required.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: contact@premex.se

  • Website: https://crafty.premex.se

  • Postal Address: Jerikovägen 12, 141 32 Huddinge

Data Protection Officer: dpo@premex.se

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority: the Swedish Authority for Privacy Protection (IMY) at https://www.imy.se