1. INTRODUCTION

Welcome to 24SJU Snabbköp Sverige AB’s Privacy Policy. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our services and tell you about your privacy rights and how the law protects you.

This privacy policy is provided in a layered format so you can click through to the specific areas set out below.

Controller Information

24SJU Snabbköp Sverige AB is the controller and responsible for your personal data (collectively referred to as “24SJU”, “we”, “us” or “our” in this privacy policy).

Company Details:

• Organization Number: 559227-3841
• Address: Trässberg Storebacka 1, 531 93 Lidköping, Sweden
• Phone: +46707770727
• Email: info@24-sju.se
• Website: https://www.24-sju.se

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact:

Data Protection Officer

• Email: dpo@24-sju.se
• Phone: +46707770727
• Postal: DPO, 24SJU Snabbköp Sverige AB, Trässberg Storebacka 1, 531 93 Lidköping, Sweden

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the “Last Updated” date. For material changes, we will provide additional notice through the app or email.

2. PERSONAL DATA WE COLLECT

Categories of Personal Data

We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data

• BankID information: Name, personnummer (Swedish personal identity number), date of birth
• Government ID: Copies of ID documents
  • Swedish residents: For manual age verification when needed
  • Foreign nationals (social sign-in users): AI-assisted authenticity verification to confirm ID is legitimate and issued by authorized foreign government
• Social login data: Basic profile information from Google, Facebook, or Apple (if you choose this option)

Contact Data

• Mobile phone number (required)
• Email address (optional but recommended)
• Postal address (if provided for special services)

Financial Data

• Payment card details (tokenized – we don’t store full card numbers)
• Swish payment information
• Transaction history

Transaction Data

• Purchase history: Products purchased, quantities, prices
• Store location: Which store you visited
• Timestamps: Date and time of purchases
• Receipts: Digital copies of your receipts

Technical Data

• Device ID: Unique identifier for your mobile device
• IP address: Internet protocol address
• Login data: Authentication logs
• App usage data: Features used, interaction patterns
• Operating system: iOS/Android version

Usage Data

• Store access logs: Entry and exit times
• Product interactions: Items viewed or scanned
• App navigation: How you use our application
• Preferences: Language, notification settings

Marketing and Communications Data

• Marketing preferences: Your preferences in receiving marketing from us
• Communication history: Support tickets, emails, chat logs
• Feedback and surveys: Your responses to our surveys

Special Categories of Personal Data

We may process the following special categories of data:

Health-Related Data

• OTC medicine purchases: May indirectly indicate health conditions
• Legal basis: Explicit consent or substantial public interest (public health)
• Enhanced protection: Encrypted storage, limited access

Data About Children

Our services are primarily intended for adults (18+) due to age-restricted products. If minors create accounts with parental permission, we:

• Collect minimal data necessary
• Require parental consent
• Provide parental controls
• Do not market to minors

How We Collect Your Data

Directly from You

• Account registration
• Purchases and transactions
• Customer service interactions
• Surveys and feedback forms

Automatically

• App usage and analytics
• Store access systems
• Technical logs and cookies

From Third Parties

• BankID (identity verification)
• Payment processors (transaction data)
• Social media platforms (if you link accounts)

3. HOW WE USE YOUR PERSONAL DATA

Legal Basis for Processing

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

1. CONTRACT PERFORMANCE (Article 6(1)(b) GDPR)

Purpose: To perform our contract with you

Data Used:

• Identity and Contact Data: Account creation and management
• Financial Data: Process payments
• Transaction Data: Fulfill orders
• Technical Data: Provide app functionality

2. LEGAL OBLIGATIONS (Article 6(1)(c) GDPR)

Purpose: To comply with legal requirements

Data Used:

• Identity Data: Age verification for alcohol, tobacco, medicines
• Transaction Data: Tax and accounting obligations (7-year retention)
• Financial Data: Anti-money laundering checks
• Store Access Data: Security and regulatory compliance

3. LEGITIMATE INTERESTS (Article 6(1)(f) GDPR)

Purpose: For our legitimate business interests

Data Used:

• Technical Data: Service improvement and troubleshooting
• Usage Data: Analytics and business intelligence
• Security Data: Fraud prevention and store security

We have conducted legitimate interest assessments for all such processing to ensure your interests don’t override ours.

4. CONSENT (Article 6(1)(a) GDPR)

Purpose: Where you have given explicit consent

Data Used:

• Marketing Data: Send promotional communications
• Optional Features: Location-based offers
• Health Data: If processing medicine purchase patterns

You can withdraw consent at any time through app settings or by contacting us.

Specific Processing Purposes

Automated Decision-Making

We use automated decision-making in limited circumstances:

Age Verification (Swedish Residents Only)

• Process: Automatic age verification via BankID for Swedish residents
• Significance: Determines access to age-restricted products
• Your Rights: Request human review of decisions

Fraud Detection

• Process: Transaction pattern analysis
• Significance: May flag suspicious activity
• Your Rights: Contest automated decisions

Marketing Communications

We will only send you marketing communications if you have opted in. You can opt out at any time by:

• Using unsubscribe links in emails
• Adjusting app notification settings
• Contacting dpo@24-sju.se

Marketing consent is separate from service terms acceptance.

4. WHO WE SHARE YOUR DATA WITH

Categories of Recipients

We share your personal data with:

Service Providers (Data Processors)

Payment Processing: – Swish (GetSwish AB): Mobile payments – Location: Sweden – Data: Payment information, phone number – Safeguards: EU-based, GDPR compliant

• Loomis Pay: Card payments (physical terminals)
  • Location: Sweden (Loomis AB)
  • Data: Tokenized card data, transaction amounts
  • Safeguards: PCI-DSS certified, Swedish-based processor
• Seita Payments: Mobile web card payments (in-app)
  • Location: EU
  • Data: Tokenized card data for mobile transactions
  • Safeguards: PCI-DSS certified, EU-based processor

Identity Verification: – BankID (Finansiell ID-Teknik BID AB): Swedish eID – Location: Sweden – Data: Identity verification requests – Safeguards: Swedish regulated service

• AI ID Verification Service: ID document authenticity verification for foreign nationals
  • Location: EU
  • Data: ID card images, extracted identity information
  • Processing: AI-assisted authenticity verification (confirms ID is legitimate and government-issued) with manual review by our support team
  • Safeguards: EU-based infrastructure, encrypted transmission and storage, data stays within EU

Cloud Infrastructure: – Amazon Web Services (AWS): Primary hosting – Location: Stockholm, Sweden (eu-north-1) – Data: All service data (encrypted) – Safeguards: EU data center, SOC 2 certified

• Google Cloud Platform: Backup services
  • Location: EU (Finland)
  • Data: Backup data (encrypted)
  • Safeguards: Standard Contractual Clauses for any non-EU processing

Social Login Providers (Optional): – Google LLC: Google Sign-In – Location: USA (with EU processing) – Data: Basic profile (name, email) – Safeguards: Standard Contractual Clauses, EU-US Data Privacy Framework

• Meta Platforms: Facebook Login
  • Location: USA (with EU processing)
  • Data: Basic profile
  • Safeguards: Standard Contractual Clauses
• Apple Inc.: Sign in with Apple
  • Location: USA (with EU processing)
  • Data: Apple ID, email
  • Safeguards: Standard Contractual Clauses

Analytics & Monitoring: – Google Analytics: App analytics – Location: USA – Data: Anonymized usage data – Safeguards: IP anonymization, Standard Contractual Clauses

Other Recipients

Government Authorities:

• Tax authorities (Skatteverket)
• Law enforcement (when legally required)
• Regulatory bodies (alcohol, tobacco, medicine authorities)

Franchisees/Store Owners:

Security and Legal Claims: We may share your entry and identification data with the specific Franchisee/Store Owner of the store you visit. This is done to ensure store security, investigate incidents (e.g., theft, damage), and allow the Store Owner to establish, exercise, or defend legal claims.

Professional Advisors:

• Auditors (under confidentiality)
• Legal advisors (attorney-client privilege)
• Insurance providers (as needed)

Data Processing Agreements

All our data processors are required to:

• Sign Data Processing Agreements (DPAs)
• Implement appropriate security measures
• Process data only on our instructions
• Assist with GDPR compliance
• Delete data when no longer needed

International Data Transfers

Your data is primarily stored and processed within the EU/EEA. When we transfer data outside the EU/EEA:

Safeguards Used:

1. EU-US Data Privacy Framework: For certified US companies
2. Standard Contractual Clauses (SCCs): EU Commission approved contracts
3. Adequacy Decisions: For countries deemed adequate by the EU

You can request copies of our safeguards by contacting dpo@24-sju.se.

5. DATA SECURITY

Security Measures

We have implemented appropriate technical and organizational measures to protect your personal data:

Technical Measures

• Encryption:
  • In transit: TLS 1.2 & above for all communications
  • At rest: AES-256 for sensitive data
  • ID documents: Additional encryption layer
• Access Controls:
  • Multi-factor authentication for systems
  • Role-based access permissions
  • Regular access reviews
• Infrastructure Security:
  • Firewalls and intrusion detection
  • Regular security patches
  • Vulnerability scanning
  • Penetration testing (annually)

Organizational Measures

• Personnel:
  • Background checks for key personnel
  • Confidentiality agreements
  • Regular training on data protection
  • Limited access on need-to-know basis
• Policies & Procedures:
  • Information security policy
  • Incident response plan
  • Business continuity planning
  • Regular security audits
• Physical Security:
  • Secure data center facilities
  • Access logs and monitoring
  • Environmental controls

Data Breach Response

Despite our security measures, no system is completely secure. In case of a personal data breach:

1. Internal Response (0-24 hours):
   • Contain and assess the breach
   • Document all details
   • Activate incident response team
2. Regulatory Notification (within 72 hours):
   • Notify Integritetsskyddsmyndigheten (Swedish DPA)
   • Provide required information per Article 33 GDPR
3. Individual Notification (if high risk):
   • Notify affected individuals without undue delay
   • Provide clear information about:
     • Nature of the breach
     • Potential consequences
     • Measures taken
     • Recommendations for protection
4. Follow-up:
   • Investigate root cause
   • Implement additional safeguards
   • Update breach register
   • Review and improve procedures

6. DATA RETENTION

Retention Principles

We retain personal data based on:

• Legal requirements
• Contract fulfillment needs
• Legitimate business purposes
• Your consent (where applicable)

Retention Schedule

Deletion Process

After retention periods expire: 1. Data is flagged for deletion 2. Deletion occurs within 30 days 3. Secure deletion methods used 4. Deletion logged for compliance

Exceptions

Retention periods may be extended for: – Active legal proceedings – Regulatory investigations – Specific legal holds – Your explicit request

7. YOUR LEGAL RIGHTS

Overview of Your Rights

Under GDPR, you have the following rights:

1. RIGHT TO BE INFORMED

• Receive clear information about our processing (this privacy policy)
• Be notified of changes to processing

2. RIGHT OF ACCESS (Article 15)

What You Can Request: – Confirmation we’re processing your data – Copy of your personal data – Information about processing purposes, categories, recipients – Retention periods – Your rights

How to Request: Email dpo@24-sju.se with “Data Access Request”

3. RIGHT TO RECTIFICATION (Article 16)

What You Can Do: – Correct inaccurate personal data – Complete incomplete data – Update outdated information

How to Request: – Update via app settings – Email dpo@24-sju.se with corrections

4. RIGHT TO ERASURE (Article 17)

When You Can Request Deletion: – Data no longer necessary – You withdraw consent (where consent was the legal basis) – You object to processing – Data was unlawfully processed – Legal obligation requires erasure

Exceptions: – Legal compliance (e.g., tax records) – Legal claims establishment/defense – Public interest/public health

How to Request: – Use account deletion in app – Email kundsupport@24-sju.se

5. RIGHT TO RESTRICT PROCESSING (Article 18)

When You Can Restrict: – Contesting accuracy of data – Processing is unlawful but you don’t want erasure – We no longer need data but you need it for legal claims – You’ve objected pending verification

How to Request: Email dpo@24-sju.se specifying restriction requested

6. RIGHT TO DATA PORTABILITY (Article 20)

What You Can Receive: – Your data in structured, machine-readable format (JSON/CSV) – Direct transfer to another controller (where feasible)

Applies To: – Data you provided – Processing based on consent or contract – Automated processing

How to Request: Email dpo@24-sju.se requesting data export

7. RIGHT TO OBJECT (Article 21)

You Can Object To: – Processing based on legitimate interests – Direct marketing (absolute right) – Processing for research/statistics

How to Object: – Marketing: Unsubscribe links or app settings – Other: Email dpo@24-sju.se

8. RIGHTS REGARDING AUTOMATED DECISION-MAKING (Article 22)

Your Rights: – Not be subject to solely automated decisions with legal/significant effects – Request human intervention – Express your point of view – Contest the decision

Our Automated Decisions: – Age verification (necessary for contract/legal compliance) – Basic fraud detection

How to Request Review: Email dpo@24-sju.se

How to Exercise Your Rights

Contact Methods

• Primary: dpo@24-sju.se
• Secondary: +46707770727
• Postal: DPO, 24SJU Snabbköp Sverige AB, Trässberg Storebacka 1, 531 93 Lidköping, Sweden

What We Need From You

• Proof of identity (to protect your data)
• Specific description of request
• Relevant account information

Response Timeline

• Acknowledgment: Within 3 business days
• Response: Within 30 days
• Complex requests: May extend to 60 more days (90 total) with notice

Costs

• First request: Free
• Excessive/repeated requests: May charge reasonable fee or refuse
• Manifestly unfounded requests: May refuse

Right to Complain

If you’re not satisfied with our response, you have the right to complain to:

Integritetsskyddsmyndigheten (IMY) Swedish Data Protection Authority – Website: www.imy.se – Email: imy@imy.se – Phone: 08-657 61 00 – Address: Box 8114, 104 20 Stockholm

European Data Protection Board

• For cross-border issues: edpb.europa.eu

8. COOKIES AND SIMILAR TECHNOLOGIES

Mobile App Tracking

Our mobile app uses:

Essential Technical Data

• Device ID: Unique device identifier
• Session ID: Temporary identifier for app session
• Legal Basis: Legitimate interests (app functionality)

Analytics (With Consent)

• Google Analytics for Firebase: App usage patterns
• Crash Reporting: App stability monitoring
• Legal Basis: Consent (you can opt-out in settings)

Website Cookies

Our website uses cookies. Full details in our Cookie Policy at www.24-sju.se/cookies

Cookie Types

• Necessary: Essential for website function
• Functional: Remember preferences
• Analytics: Understand usage (with consent)
• Marketing: Targeted advertising (with consent)

Managing Preferences

App: Settings > Privacy > Analytics Website: Cookie banner or www.24-sju.se/cookie-settings Browser: Use browser settings to block cookies

9. SPECIFIC PRIVACY NOTICES

BankID Processing

Data Processed: – Authentication requests – Personnummer verification – Name confirmation

Purpose: Age verification, secure authentication Legal Basis: Legal obligation (age-restricted products) Retention: Session data only, not stored Learn More: www.bankid.com/privacy

Payment Processing

Card Payments: – Via Loomis Pay (Physical terminal transactions): – We receive: Last 4 digits, card type, expiry – We don’t receive: Full card number, CVV – PCI-DSS compliant processing

• Via Seita Payments (Mobile web card payments in-app):
  • We receive: Last 4 digits, card type, transaction confirmation
  • We don’t receive: Full card number, CVV
  • PCI-DSS compliant processing
  • Tokenization for recurring payments

Swish Payments: – Phone number shared with Swish – Transaction reference stored – Real-time payment confirmation

Payment Timing

We process your payment information at the time of purchase. For card payments, authorization occurs at checkout and the amount is captured immediately after authorization. For Swish payments, funds are transferred instantly according to Swish network rules. Where a pre-authorization is required, the final amount is captured immediately once the transaction is completed.

Location Data

Store Location: – Used to show nearest store – Not tracked continuously – Opt-in only

Legal Basis: Consent Opt-out: App Settings > Privacy > Location

Health-Related Data

OTC Medicine Purchases: – May indicate health conditions – Enhanced security measures – Limited access (pharmacist-trained staff only) – Not used for profiling – Legal Basis: Explicit consent or substantial public interest

AI-Assisted ID Verification (Foreign Nationals)

For Social Sign-In Users Without BankID:

Data Processed:

• ID card/passport images
• Extracted data: Name, date of birth, document number, nationality, issuing country
• Verification results

Process:

1. You upload a photo of your government-issued ID
2. AI technology validates document authenticity (security features, format, issuing authority)
3. AI extracts basic identity information from the document
4. Our support team manually reviews and confirms the ID is legitimate
5. Your ID document is encrypted and stored securely

What We Verify: Document authenticity and legitimacy (confirms ID is issued by authorized foreign government)

What We Do NOT Verify: Age is not verified through this process for foreign nationals

Data Location: All data stays within the EU

AI Service Provider: EU-based service with GDPR-compliant infrastructure

Purpose: Identity confirmation and document authenticity verification for foreign nationals who cannot use BankID

Legal Basis: Contract performance (account creation and identity verification)

Retention: ID documents retained for 2 years or duration of active account (whichever is longer)

Your Rights:

• Request manual-only verification (without AI)
• Request deletion of ID documents (subject to legal retention requirements)
• Access your stored ID data

Security Measures:

• End-to-end encryption during upload
• AES-256 encryption at rest
• Access limited to verified support team members
• Audit logging of all access
• Regular security assessments

10. INTERNATIONAL USERS

EU/EEA Residents

This policy fully complies with GDPR. Your data is primarily processed within the EU/EEA.

Norwegian Users

Norway is part of the EEA. Same protections apply as for EU residents.

Non-EU/EEA Residents

If accessing our services from outside EU/EEA: – Swedish/EU data protection laws still apply – Data imported to Sweden for processing – You have same rights as EU residents

11. PRIVACY BY DESIGN

Our Commitment

We implement privacy by design principles:

1. Proactive not Reactive: Preventing privacy breaches
2. Privacy as Default: Maximum privacy without action required
3. Full Functionality: Privacy doesn’t compromise service
4. End-to-End Security: Lifecycle protection
5. Visibility and Transparency: Open about practices
6. Respect for User Privacy: User interests paramount
7. Privacy Embedded: Built into systems, not added on

Privacy Impact Assessments

We conduct DPIAs for: – New processing activities – New technologies – High-risk processing – Changes to existing processing

12. GLOSSARY

Personal Data: Information relating to an identified or identifiable person

Processing: Any operation on personal data (collection, storage, use, deletion, etc.)

Controller: Organization determining purposes and means of processing (24SJU)

Processor: Organization processing data on controller’s behalf

Data Subject: Individual whose personal data is processed (you)

DPA: Data Protection Authority (Integritetsskyddsmyndigheten in Sweden)

DPO: Data Protection Officer

GDPR: General Data Protection Regulation (EU) 2016/679

Legal Basis: Legal justification for processing personal data

Special Category Data: Sensitive data requiring extra protection (health, biometric, etc.)

Standard Contractual Clauses (SCCs): EU-approved contracts for international transfers

Personnummer: Swedish personal identity number

BankID: Swedish electronic identification system

13. CONTACT INFORMATION

Data Protection Inquiries

Data Protection Officer

• Email: dpo@24-sju.se
• Phone: +46707770727
• Post: DPO, 24SJU Snabbköp Sverige AB, Trässberg Storebacka 1, 531 93 Lidköping, Sweden

General Inquiries

24SJU Snabbköp Sverige AB

• Email: info@24-sju.se
• Phone: +46707770727
• Address: Trässberg Storebacka 1, 531 93 Lidköping, Sweden

Supervisory Authority

Integritetsskyddsmyndigheten (IMY)

• Website: www.imy.se
• Email: imy@imy.se
• Phone: 08-657 61 00

End of Privacy Policy

This privacy policy was last updated on January 30, 2026. For a PDF version or alternative formats, please contact dpo@24-sju.se.