PRIVACY POLICY FOR PAHLÉN AB

In this privacy policy, Pahlén describes how we process your personal data. We process your personal data when you visit our website, if you contact us, when you make a purchase from us and if we share your posts/images on social media or on our website.

In summary – How do we process your personal data?

• If you make a purchase from us, we process your personal data in order to:

o manage your purchase;
o communicate with you about your purchase, if necessary;
o handle any questions about your purchase, returns, right of withdrawal, warranties and complaints; and
o comply with the Swedish Accounting Act.

• When you visit our website and have chosen to give your consent, we process your personal data in order to:

o analyse how our website is used with the help of Google's analytics service; and/or

o show you interesting offers from us on our own and other websites you visit using Meta's marketing services.

• If we ask if we can share your posts on our social media/website, we process your personal data to display the content and market our products.

• If you receive our marketing or contact us, we process your personal data to:

o send you newsletters and other marketing material;

o comply with marketing legislation, if you have unsubscribed from our mailings;

o communicate with you and, for example, be able to answer your questions; and

o send you updated privacy policies;

Our processing of personal data means that your personal data is shared with certain suppliers who process it outside the EU/EEA.

Your rights

You have the following rights:

Right to lodge a complaint with a supervisory authority
Right to withdraw your consent
Right of access
Right to object
Right to erasure
Right to rectification
Right to restriction of processing, and
Right to data portability

We want to be transparent when processing your personal data. Below you can read more details about our personal data processing. The policy is detailed in order to comply with the legal requirements of the General Data Protection Regulation (”GDPR”), so please use our summary above and the table of contents below to click your way to the section you are interested in. Please do not hesitate to contact us if you have any questions or wish to exercise your rights.

Data controller and our contact details
Who processes your personal data and why?
Do we transfer your personal data outside the EU/EEA?
Detailed information about how we process and store your personal data
What rights do you have when we process your personal data?
Balancing of interests

Data controller and our contact details

Pahlén AB, with company registration number 556301-2300 and address Vallentunavägen 401, 194 92 Upplands Väsby ("Pahlén") is responsible for the processing of your personal data as described in this privacy policy.

If you have any questions regarding our processing of your personal data or if you wish to exercise any of your rights, please contact us. Our contact details are:

Telefon: +46 8 594 110 50
Email: info@pahlen.se

Who processes your personal data and why

We collect your personal data directly from you. Primarily, your personal data is only processed by us at Pahlén. In some cases, we share your personal data. More details about when we share your personal data in relation to the respective purposes and what personal data we share in such cases can be found in the tables below. In summary, the following applies:

If you visit our website and give your consent, your personal data will be processed by the analytics and marketing services we use, i.e. Google and/or Meta (Facebook and Instagram). These recipients process personal data on our behalf as our data processors, but also process your personal data as independent data controllers. These providers will inform you separately about the personal data processing for which they are responsible.

If you make a purchase from us, your personal data will be processed by the carrier you choose so that the products can be delivered to you. These recipients are independent data controllers for the processing of your personal data. The carriers that process your personal data are specified in the selection you make at checkout when making a purchase.

In order for us to have functioning IT systems and conduct our business efficiently, our IT providers (e.g. Microsoft) will process your personal data. These IT providers process personal data on our behalf as our data processors.

If you would like more information about how we share your personal data, please read the tables below or contact us.

Do we transfer your personal data outside the EU/EEA?

Pahlén only processes your personal data within the EU/EEA, but some of our service providers process personal data outside the EU/EEA as described below.

If you visit our website, your personal data will be transferred outside the EU/EEA if you consent to Google and/or Meta (Facebook and Instagram) processing your personal data.

We transfer personal data to the United States when we use Microsoft as our IT provider, as Microsoft is an American company.

When your personal data is transferred to the United States, it is done so on the basis of an adequacy decision by the European Commission pursuant to Article 45 of the GDPR. This means that the EU has assessed that the United States has adequate protection for your personal data – this is through an agreement between the EU and the United States called the EU-US Data Privacy Framework. Google, Meta and Microsoft are certified under the EU-US Data Privacy Framework. You can find information about certified providers on the Data Privacy Framework website.

When your personal data is transferred from our IT providers to their subcontractors in a country that does not have an adequacy decision or where the service provider is not certified under the EU-US Data Privacy Framework, the transfer is made on the basis of the European Commission's standard contractual clauses. We will then transfer your personal data in accordance with the standard contractual clauses (Article 46.2 (c) GDPR), Module 1 (controller to controller) and Module 2 (controller to processor), together with supplementary measures. You can find the standard contractual clauses here. In cases where we conclude that legislation or similar in a specific country outside the EU/EEA to which we transfer your personal data affects the effectiveness of the standard contractual clauses, we will take additional protective measures to ensure adequate protection of your personal data.

If you would like to know more about the protective measures we implement when transferring your personal data, please feel free to contact us.

Detailed information about how we process and store your personal data

In this detailed description, you can read more about

- why we process your personal data;

- the categories of personal data we process;

- the legal basis for the processing of your personal data; and

- how long we store your personal data.

If the respective processing means that your personal data is also processed by parties other than Pahlén, in addition to what we mention above, we also state this below.

If you make a purchase from us

When you make a purchase from us, we process your personal data. The purposes for which we process your personal data are set out in the tables below.

Manage your purchase as a private customer
Purpose	Personal data processed	Legal basis
Receive and manage your order Send order confirmation via email Send delivery information via email and deliver your order Share your personal data with carriers as described below	Name Contact details (address, email address and telephone number) Order information, which item(s) you have ordered Payment information	Performance of a contract (Article 6.1 b of the GDPR) The processing is necessary for the performance of the contract relating to your purchase. If the personal data is not provided, you will not be able to make a purchase from us.

Storage period: The personal data linked to your purchase will be actively processed by us for a few days to administer and manage your order so that you can receive the products you have ordered.
After that, information about your purchase will be stored passively for 36 months so that we can smoothly handle any questions about your purchase, returns, warranties and complaints in accordance with applicable consumer legislation. You can read more about this below. If the product you have purchased has a warranty period longer than 36 months, we will store your personal data until the warranty period has expired.

Recipients of your personal data: We will share your name, address and contact details with the carrier you select at checkout so that they can deliver your products. The carriers we use are independent data controllers for the processing of your personal data.

We also share your personal data with our IT providers who process personal data on our behalf as our data processors.

Manage your purchase as a business customer
Purpose	Personal data processed	Legal basis
Receive and manage orders for the company you represent Send order confirmation via email Send delivery information via email and deliver the order to the company you represent Enable payment on behalf of the company you represent	Name Position Contact details (address, email address and telephone number) Information that you or the company you represent provides to us Order information, i.e. information about which product your company has ordered Payment information	Balancing of interests (Article 6.1 f of the GDPR) The processing is necessary for purposes related to our legitimate interest* in being able to administer purchases made by the company you represent.*

Storage period: The personal data linked to your purchase on behalf of the company you represent will be actively processed by us for a few days in order to administer and handle your order so that you can receive the products you have ordered.

After that, information about your company purchase will be stored passively for 36 months. Some personal data is stored for a longer period for other purposes, e.g. for accounting reasons. Read more about this below. If the product you have purchased has a warranty period longer than 36 months, we will store your personal data until the warranty period has expired.

Recipients of your personal data: We will share your name, address and contact details if you choose to enter your own delivery information with the carrier you select at checkout so that they can deliver your products. The carriers we use are independent data controllers for the processing of your personal data.

We also share your personal data with our IT providers who process personal data on our behalf as our data processors.

Communicate with you about your purchase and handle customer service matters
Purpose	Personal data processed	Legal basis
To communicate with you about your purchase, e.g. if the product you ordered is out of stock or to notify you of any delivery delays To keep you informed and updated about our terms and conditions or other information that you, as a customer or representative of our customer, need to know	Name Email Information about your order and, where applicable, which product you have purchased	Balancing of interests (Article 6.1 f of the GDPR) The processing is necessary for purposes related to our legitimate interest* in being able to communicate with you about your purchase when necessary.*
Handle any questions, right of withdrawal, returns, warranties and complaints smoothly and in accordance with applicable consumer legislation and our agreement	Name Contact details (address, email address and telephone number) Order information, which products you have ordered Information that you choose to provide to us, for example, about a defect in a product and information about the measures we have taken in a return or warranty case	Performance of a contract (Article 6.1 b of the GDPR) The processing is necessary for the performance of the contract relating to your purchase. If the personal data is not provided, we will not be able to help you with, for example, a warranty case. Legal obligation (Article 6.1 c of the GDPR) The processing is necessary for us to act in accordance with consumer legislation and thus comply with a legal obligation we have. Balancing of interests (Article 6.1 f of the GDPR) The processing is necessary for purposes related to our legitimate interest* in being able to handle your questions, complaints and other requests in an efficient and customer-friendly manner.*
If you have made a purchase on behalf of the company you represent, we process your personal data in order to handle any questions and returns in accordance with the agreement we have with the company you represent.	Name Contact details (address, email address and telephone number) Order information, which products you have ordered Information that you choose to provide to us, for example, about a defect in a product and information about the measures we have taken in a return or warranty case	Balancing of interests (Article 6.1 f of the GDPR) The processing is necessary for purposes related to our legitimate interest in being able to handle your questions and returns in accordance with the agreement we have with the company you represent.

Storage period: We store your personal data for 36 months after your purchase. If you contact us with a question and we initiate a case to, for example, handle your return, we will process your personal data for an additional 12 months from the date the case is closed.

Recipients of your personal data: Your personal data is shared with our IT providers who process this personal data on our behalf as our data processors.

Comply with the Swedish Accounting Act
Purpose	Pesonal data processed	Legal basis
Compliance with accounting legislation by registering, accounting for and archiving payments and other transactions	Payment history, transactions and other material constituting accounting material	Legal obligation (Article 6.1 c of the GDPR) The processing is necessary to comply with mandatory law, i.e. the Swedish Accounting Act.

Storage period: Personal data included in our accounting material is stored for seven to eight years in order to comply with accounting legislation (end of the seventh financial year).

Recipients of your personal data: We share your personal data with our IT providers who process personal data on our behalf as our data processors.

When you visit our website

We analyse how our website is used and show you relevant offers on other pages and social media you visit based on such analysis. We explain this in detail in the tables below.

To protect your privacy, we and our suppliers have taken measures to avoid identifying you as a user of our website. For example, we only share an encrypted version of your IP address with Google.

Personal data is collected from your device (e.g. mobile phone, computer or tablet) when you visit our website, if you have chosen to consent to this. Google and Meta also use information they already have to perform analysis and to show you interesting offers from us.

In order to collect personal data for analysis and marketing as described below, we use cookies and/or similar technologies. In our information text about cookies, which you can find on our website, we explain in more detail how this works.

Analyse how our website is used
Purpose	Personal data processed	Legal basis
• Analyse how you use our website with the help of cookies. We do this to improve the functionality of the website, to customise the website to suit our visitors and to be able to draw conclusions about our visitors. To do this, we use an analytics service from Google Analytics, which means that a random ID is used to distinguish your device from other visitors and to confirm patterns in how our website is used. We are only interested in how visitors interact with us on an overall level. We at Pahlén do not know who you are and do not take any measures to find out.	• An encrypted version of your IP address that we at Pahlén cannot link to you as an individual • Information about how you use the website, such as what you click on • Which geographic area you are using our website from • How many times you have visited the website, which gives us a basis for calculating the total number of visitors to the website • Your device/browser, for example your screen resolution • How long you stay on the website • Other information that Google has about you, such as information about which website or other channel you found us from	Consent (Article 6.1 a of the GDPR) For the personal data we process for the analysis of your use of our website, we obtain your consent when you visit our website. You have the right to withdraw your consent at any time. Your withdrawal of consent does not affect the lawfulness of processing before consent is withdrawn. You can avoid Google Analytics by, for example, downloading and installing this browser add-on.

Storage period: We do not store your encrypted IP address after your visit to our website.

Recipients of your personal data: Your personal data is collected via a pixel from Google on our website. Google, which provides the analytics service we use, will continue to process your personal data as an independent data controller. For more information about Google's processing of personal data and how long Google stores your personal data, please refer to their privacy policy, which you can find here.

Show interesting offers from us on other pages you visit
Purpose	Personal data processed	Legal basis
To market our products by showing offers and new products that we think are interesting to you. We show marketing tailored specifically to you on other websites and social media that you visit. We may display offers using marketing services from Meta (Facebook and Instagram). We do this based on analysis of our website, through cookies or similar technology, as well as information that these parties already have about you. We tailor the marketing to suit you based on information that the marketing services already have about you and based on your previous browsing history with us. This means that your browsing history is profiled*.	An encrypted version of your IP address that we at Pahlén cannot link to you as an individual Which geographic area you are using our website from Information about how you interact with our website or advertisements. For example, information about which pages you visited after clicking on our advertisement and analysis of how and when you use our website, for example, if you add something to your shopping cart, make a purchase or search for something Information that Meta already has about you, such as which website you found us on	Consent (Article 6.1 a of the GDPR) For the personal data we process for marketing purposes, we obtain your consent when you visit our website. You have the right to withdraw your consent at any time. Your withdrawal of consent does not affect the lawfulness of processing before consent is withdrawn. You can find more information about your choices on Instagram here and on Facebook under the heading "Advertising preferences", where you can choose what marketing you want to see on Facebook.

Storage period: You will see marketing from us for 14 months after your visit to our website.

Recipients of your personal data: Your personal data is shared with the analytics services we use. Meta will continue to process your personal data as an independent data controller. You can read more about Meta's processing of personal data and how long Meta stores your personal data in Meta's privacy policy.

We share your IP address with suppliers who help us with our marketing.

*Profiling: Your personal data is used in what is known as profiling, which the marketing service uses to show you the offers that they and we believe are best suited to you and to provide you with tailored marketing. Profiling is done because otherwise we would not be able to show you relevant offers and marketing, and you would instead see offers that are not relevant to you. You have the right to object to profiling. You can read more about your right to object below, where your rights are explained in detail.

If we share your posts on our social media/website

If you receive our marketing or communicate with us

When you receive our marketing or otherwise have contact with us, we will process your personal data as described in the tables below. We obtain your personal data from you when you contact us or when you register to receive our newsletters and other marketing.

Send newsletters and other marketing communications to you
Purpose	Personal data processed	Legal basis
Manage and send marketing with offers, benefits, discounts and information via email, post and text message	Name Contact details (email address, postal address, telephone number)	Consent (Article 6.1 a of the GDPR) For private customers, we obtain your consent to send you marketing communications. You have the right to withdraw your consent at any time. Your withdrawal of consent does not affect the lawfulness of processing before consent is withdrawn. Balancing of interests (Article 6.1 f of the GDPR) For those of you who represent a business customer, we base the processing on our legitimate interest, when the content is relevant to the recipient's professional role. The processing is necessary for purposes related to our legitimate interest in being able to provide you with newsletters and tailored offers.

Storage period: For those who have given their consent, we will send you marketing communications until you choose to unsubscribe from our mailings. For those who represent a business customer, we will send marketing communications for as long as it is relevant to your professional role. You can opt out of receiving marketing communications from us (in whole or in part) at any time, and we will then stop processing your personal data for marketing purposes. If you opt out of receiving our marketing communications, your personal data will be stored in our unsubscribe register until further notice. See the table below for more information.

Recipients of your personal data: For mailings, we use an email service provider that processes your personal data on our behalf as our data processor.

Below is a description of how we process your personal data if you have unsubscribed from our marketing communications. We have obtained your personal data from you.

Comply with marketing legislation
Purpose	Personal data processed	Legal basis
If you unsubscribe from our mailings, we will store your email address in an "unsubscribe register" to ensure that we do not market to you. This is not personal data that we actively process, so we do not look at your email address and do not use it for anything other than ensuring that you do not receive marketing from us.	Email address Information that you no longer wish to receive marketing from us	Legal obligation (Article 6.1 c of the GDPR) The processing is necessary to comply with our obligations under marketing legislation to ensure that you do not receive mailings that you have asked not to receive.

Storage period: Your email address will remain in our "unsubscribe register" until you ask us to remove your email address from it.

Recipients of your personal data: Your personal data is shared with an email service provider that has unsubscribe register functions. The email service provider processes this personal data on our behalf as our data processor.

Communicate with you
Purpose	Personal data processed	Legal base
Communicate with you if you contact us	Name The contact details you use, such as email address, telephone number and/or address Other information you provide in connection with our contact	Balancing of interests (Article 6.1 f of the GDPR) The processing is necessary for purposes related to our legitimate interest* in being able to communicate with you via the channel you choose to contact us on.*
Send out an updated privacy policy to keep you up to date on our processing of personal data	Name Email address	Compliance with legal obligations (Article 6.1 c of the GDPR) The processing is necessary to comply with our obligations under the GDPR.

Storage period: We store personal data contained in communications in our customer service cases for 12 months from the date on which our contact regarding the case has been concluded.

We will send updates to our privacy policy as long as it is relevant to you, e.g. if you are affected by our updated privacy policy, you will receive a copy of it when it is updated.

Recipients of your personal data: Within the scope of a customer service case or when you interact with us, your personal data is shared with our IT and service providers who process this personal data on our behalf as our data processors.

What rights do you have when we process your personal data?

In accordance with the GDPR, you have certain rights that you can exercise to affect how we process your personal data– see below for more information.

If you have any questions regarding your rights or want to exercise any of your rights, please contact us by using the contact details above. You can also find more detailed information about your rights and when they apply at The Swedish Authority for Privacy Protection (IMY).

- Right to complain – Article 77 of the GDPR
You have the right to lodge a complaint with the competent supervisory authority if you consider that the processing of your personal data violates the GDPR. In Sweden, the competent supervisory authority is The Swedish Authority for Privacy Protection (IMY).

- Right to withdraw consent – Article 7.3 of the GDPR
You have the right to withdraw your consent at any time by contacting us. You can always withdraw the consent you give on the website directly on the website.

- Rätt till tillgång (”rätten till registerutdrag”) – Artikel 15 i GDPR
Du har rätt att få en bekräftelse på om vi behandlar dina personuppgifter eller inte. Du kan skicka en förfrågan genom att kontakta oss på kontaktuppgifterna ovan. Om vi behandlar dina personuppgifter har du även rätt att få en kopia av personuppgifterna vi behandlar samt information om behandlingen, t.ex. ändamålen med behandlingen och hur länge uppgifterna sparas.

- Right of access – Article 15 of the GDPR
You have the right to obtain confirmation as to whether we are processing your personal data or not. You can make a request by contacting us. If we are processing your personal data, you also have the right to obtain a copy of the personal data processed by us as well as information about our processing, such as the purposes of the processing and for how long your personal data is stored.

- Right to object – Article 21 of the GDPR
You have the right to obtain confirmation as to whether we are processing your personal data or not. You can make a request by contacting us. If we are processing your personal data, you also have the right to obtain a copy of the personal data processed by us as well as information about our processing, such as the purposes of the processing and for how long your personal data is stored.

- Right to rectification of processing – Article 16 of the GDPRR
You have the right to have inaccurate personal data concerning you rectified without undue delay. You also have the right to have incomplete personal data completed.

- Right to erasure ("right to be forgotten") – Article 17 of the GDPR
Under certain conditions, you have the right to have your personal data erased by us without undue delay. For example, if you withdraw your consent and there is no other legal basis for the processing or if the personal data is no longer necessary for the purposes for which it was collected or processed.

- Right to restriction of processing – Article 18 of the GDPR
Under certain conditions, you have the right to request that we restrict our processing of your personal data. For example, if you contest the accuracy of the personal data, or if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction on the use of the personal data.

- Right to data portability – Article 20 of the GDPR
If we process your personal data based on your consent or to fulfil a contract, you have the right to receive personal data concerning you. This right applies to personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit those personal data to another controller, where technically feasible.

Balancing of interests
As stated in the tables above, we process some of your personal data based on a balancing of interests as the legal basis for the processing. The balancing of interests means that we have assessed that our legitimate interest in carrying out the processing outweighs your interest and your fundamental rights not to have your personal data processed. Our legitimate interest is set out in the tables above. If you would like to know more about how we have made these assessments, please feel free to contact us.

This privacy policy was established by Pahlén on 26th of September 2025.

Share your social media posts and photos on our website
Purpose	Personal data processed	Legal basis
Share your posts on social media where you have tagged us on our own social media or on our website if you consent to it	Name Username on, for example, Instagram Your content on social media where you have tagged us, e.g. posts from Instagram	Consent (Article 6.1 a of the GDPR) We obtain your consent for the personal data we process for marketing purposes and for sharing your posts on social media and our website. You have the right to withdraw your consent at any time. Your withdrawal of consent does not affect the lawfulness of processing before consent is withdrawn.

PRIVACY POLICY FOR PAHLÉN AB

In summary – How do we process your personal data?

Your rights

Data controller and our contact details

Who processes your personal data and why

Manage your purchase as a private customer

Manage your purchase as a business customer

Communicate with you about your purchase and handle customer service matters

Comply with the Swedish Accounting Act

Analyse how our website is used

Show interesting offers from us on other pages you visit

Share your social media posts and photos on our website

Send newsletters and other marketing communications to you

Comply with marketing legislation

Communicate with you

Cookies and Similar Technologies

Our lowest price 1-30 days before price reduction: