Privacy Policy

How we collect, use, and protect your personal data.

Last updated: March 2026. See also our Terms of Service and Cookie Policy.

1. Data Controller

  • Company: Stormfors AB, trading as Kaizen
  • Country: Sweden
  • Legal basis: GDPR (EU 2016/679)

2. What Data We Collect

Contact information

Name, email address, phone number, and company details provided when you contact us, submit an intake form, or enter into a service agreement.

Project data

Website URLs, content materials, brand assets, and other information you provide for project delivery. This may include messages, feedback, and approval decisions through our client portal.

Payment information

Payment details are processed by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our systems. We receive transaction confirmations from Stripe (amount, date, status).

Website analytics

hi-kaizen.com uses Cloudflare Web Analytics, which is privacy-focused and does not use cookies, track individual visitors, or collect personal data. We receive aggregated, anonymous usage data (page views, referrers, countries).

3. How We Use Your Data

We use your personal data for:

  • Delivering the services you have contracted (legal basis: contract performance)
  • Communicating about your project, including updates and delivery notifications (legal basis: contract performance)
  • Sending invoices and processing payments (legal basis: contract performance, legal obligation)
  • Responding to inquiries and support requests (legal basis: legitimate interest)
  • Improving our services based on aggregated, anonymized usage patterns (legal basis: legitimate interest)

We do not use your data for profiling, automated decision-making, or marketing purposes unless you explicitly opt in.

4. Data Processors and Sharing

We share data only with service providers necessary to deliver our services. All processors are GDPR-compliant or covered by adequate safeguards.

  • Stripe: Payment processing (US, EU SCCs)
  • Cloudflare: Hosting, DNS, analytics (US, EU SCCs)
  • Sanity: Content management for client sites (EU/US)
  • Resend: Transactional email delivery (US, EU SCCs)

We do not sell personal data. We do not share data with third parties for marketing purposes.

5. Data Retention

  • Contact information: Duration of relationship + 2 years
  • Project files and deliverables: Duration of relationship + 1 year
  • Invoices and financial records: 7 years (Swedish accounting law)
  • Website analytics (aggregated): Indefinite (no personal data)

After the retention period, personal data is deleted or anonymized. You can request earlier deletion (see Your Rights below), except where retention is required by law.

6. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access your personal data and receive a copy
  • Rectification of inaccurate or incomplete data
  • Erasure of your personal data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Data portability to receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time, where processing is based on consent

To exercise any of these rights, email [email protected] with your request. We will respond within 30 days.

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

7. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • All data transmitted over HTTPS/TLS encryption
  • Access controls limiting data access to authorized personnel
  • Regular security updates and dependency monitoring
  • Payment data handled exclusively by PCI-DSS compliant processors (Stripe)

8. International Data Transfers

Some of our data processors operate outside the EU/EEA (see Section 4). Transfers to countries without an EU adequacy decision are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or the EU-US Data Privacy Framework where applicable.

9. Children's Privacy

Our services are intended for businesses and individuals over 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated to active clients via email. The "last updated" date at the top reflects the latest revision.

For questions about this policy, contact us at [email protected].

© 2026 Kaizen, a brand of Stormfors AB. All rights reserved.