Legal
Privacy policy
Last updated: May 2026
1. Data controller
Earius International AB (reg. no. 559060-9748), referred to below as “Rius Legacy”, is the data controller for the processing of your personal data. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and supplementary Swedish legislation.
Postal address: Hermelinsvägen 21, 132 46 Saltsjö-Boo, Sweden
Contact: info@riuslegacy.com
2. Information you provide to us
When you make a purchase: name, email address, phone number, delivery or pickup address, payment information. Full card details are handled by Stripe — we never receive or store them.
When you contact us or apply: the details you enter in the form (typically name, email, phone and message).
When you subscribe to the newsletter: your email address, which is synced with our email provider Klaviyo.
When you are registered as a seller in a group: your name and (optionally) your email address. The sales administrator enters this — you become a seller at the group's initiative.
When you are a sales administrator: your name, email address, phone number, billing address, organization details, the group's Swish number.
3. Information we collect automatically
IP address: collected temporarily for rate-limiting (protection against abuse) via Upstash. Stored for a maximum of 24 hours and deleted automatically. One exception: when a group contact person applies for cooperation we save the IP address and timestamp as proof that the partnership terms were accepted — see the retention periods in section 4.
Cookies and local storage: a limited number of technically necessary cookies for the cart, login and consent choice. Details in section 12 below.
Technical error logs: when technical errors occur, a stack trace is sent to Sentry for troubleshooting. It contains the URL, browser type and any error message text — no form values or full customer data.
We do not use any web analytics or marketing tracking today. The cookie banner option “Allow all” reserves the possibility of enabling website statistics in the future — if that happens, we will update this policy first.
4. Why we process your data, legal basis and retention period
To meet the GDPR transparency requirement, we list each purpose with the legal basis we rely on and how long the data is kept:
| Purpose | Legal basis | Retention period |
|---|---|---|
| Complete the purchase — order handling, payment, delivery, receipt | Contract (GDPR art. 6.1 b) | 7 years (Swedish Bookkeeping Act). After a deletion request, name/email/address are anonymized; transaction amount + date are kept. |
| Handle returns, complaints and customer service matters | Contract (art. 6.1 b) + legal obligation (Consumer Sales Act) | 3 years after the matter is closed |
| Bookkeeping and accounting | Legal obligation (art. 6.1 c) | 7 years (Bookkeeping Act) |
| Share contact and delivery details with the group and the seller for group purchases (required for distribution/delivery) | Consent (art. 6.1 a) — checkbox at checkout | Same as the order (7 years); access ends when the campaign closes |
| Account for sales administrator and seller (login, profile, dashboard) | Contract (art. 6.1 b) — the partnership agreement with the group | Until the account is deleted or the group ends the cooperation |
| Newsletter and marketing via email | Consent (art. 6.1 a) | Until you unsubscribe (link in every send) |
| Protect the service against abuse (rate-limiting, CSRF protection) | Legitimate interest (art. 6.1 f) — secure operation | IP addresses are deleted within 24 hours |
| Proof of accepted partnership terms when a group applies (IP address + timestamp saved when the terms are accepted) | Legitimate interest (art. 6.1 f) — being able to prove the terms were accepted | As long as the cooperation with the group is ongoing; thereafter until the limitation period for the agreement has expired |
| Troubleshooting and stability (Sentry logging of technical errors) | Legitimate interest (art. 6.1 f) — operational reliability | 90 days |
5. Sharing for group purchases
When you shop via a group's web shop (URL in the format riuslegacy.com/lag/[groupname] or /lag/[groupname]/[seller]) we share your contact and delivery details with the sales administrator and the seller linked to the purchase. This is necessary for the group's distribution of the products to work and for them to be able to reach you if there are questions about the order.
What is shared: name, email address, phone number, delivery address, ordered products, total amount, payment status.
What is NOT shared: your personal identity number, your payment card details, your IP address history or other information we don't need to handle the group purchase.
This sharing only happens after your explicit consent — for group purchases you tick a separate box at checkout in addition to the general terms. Without the tick, the purchase cannot be completed.
6. Data processors we engage
We engage the following providers that process personal data on our behalf. We have a data processing agreement (DPA) with all of them under GDPR art. 28.
- Stripe Payments Europe Ltd (Ireland, card payments and payment processing)
- Supabase Inc. (database hosting, EU region; the company is registered in the US)
- Vercel Inc. (web hosting and CDN, EU region; the company is registered in the US)
- Resend (transactional email such as order confirmations, EU region)
- Klaviyo Inc. (email newsletter, US — DPF-certified)
- Upstash Inc. (Redis for rate-limiting and email queue, EU region)
- Sentry / Functional Software Inc. (error logging, EU region)
- Carriers (Early Bird, PostNord, DHL) — name and address for delivery, only for home delivery
We never sell your personal data to third parties.
7. The group's own responsibility for your data
Once the group has received your contact and delivery details under section 5, the group is an independent data controller for its own processing of the data — mainly to contact you about delivery or distribution and to handle any questions about the order.
The group's processing is governed by the same GDPR principles as our own. We require in our partnership terms that groups may only use the data to fulfil the order and must delete or return it once the purpose has been met. If you have questions about how a specific group handles your data, you can contact the group's administrator directly or reach out to us and we'll facilitate the contact.
8. International transfers
Several of our providers are US companies (Stripe, Supabase, Vercel, Klaviyo, Upstash, Sentry). Where data is actually transferred to the US, we rely on the following safeguards under GDPR art. 44–49:
- EU-US Data Privacy Framework (DPF) — for providers that are certified (e.g. Klaviyo). The DPF is the European Commission's adequacy decision since 2023.
- Standard Contractual Clauses (SCC) — for providers not yet DPF-certified. SCCs contain binding contractual safeguards approved by the European Commission.
- EU-region hosting — for Supabase, Vercel, Resend, Upstash and Sentry, data is hosted in their EU regions (Frankfurt, Stockholm or Ireland), which minimizes actual third-country transfer.
9. Security
We have taken appropriate technical and organizational measures under GDPR art. 32:
- Encryption in transit — all traffic to the site goes over HTTPS/TLS 1.2+
- Encryption at rest — database and backups are encrypted by Supabase
- Row-level access control — Row Level Security in the database ensures one group can never read another group's data
- Passwords — hashed with bcrypt by Supabase Auth; plaintext is never stored
- PCI DSS — card payments are handled by Stripe (PCI DSS Level 1-certified); we are never exposed to card data
- Rate-limiting — protection against brute force on login, contact and checkout
- Log monitoring — errors are reported via Sentry for quick detection of any security events
10. Your rights
You have the right to:
- Request a copy of your data (what data we hold about you)
- Request rectification of incorrect data
- Request erasure (“the right to be forgotten”)
- Request restriction of processing
- Object to processing based on legitimate interest
- Data portability (receive your data in a machine-readable format)
- Withdraw consent at any time
Contact us at info@riuslegacy.com to exercise your rights. We respond within 30 days.
For erasure requests: accounting records under section 4 must be kept for 7 years (Bookkeeping Act ch. 7 § 2), but we anonymize personally identifying information so that the remaining data cannot be linked to you.
11. Automated decision-making
We do not use automated decision-making or profiling that has legal consequences for you under GDPR art. 22.
Stripe uses automatic fraud detection (Radar) on card payments to block suspicious transactions. This assessment may in rare cases lead to a payment being declined. In cases where this affects you, you can contact us for a manual review.
12. Cookies and local storage
When you visit the website you get to choose between “Necessary only” and “Allow all” via the cookie banner. Your choice is saved and you can change it at any time via “Manage cookies” in the footer.
Necessary cookies (always active): cart (rius_cart_v1), consent choice (rius_cookie_consent), login session for sales administrators and sellers (Supabase Auth), active-group cookie for multi-team admins (rius_active_team), CSRF protection.
With “Allow all” we may enable website statistics in the future. No such tracking is active today.
Stripe places technically necessary cookies for the payment process — exempt from the consent requirement under the Swedish Electronic Communications Act ch. 6 § 18a (cookies required to deliver a service the user has requested).
Detailed cookie information is available on our cookie page.
13. Children
We do not primarily target children under 16. Because we sell clothing via fundraising campaigns where players/students may be young, our assumption is that a guardian is involved in the purchase.
If we become aware that a person under 13 has provided personal data directly to us without a guardian's consent (GDPR art. 8 + the Swedish age limit of 13 for digital consent) we delete that data without delay. Contact info@riuslegacy.com with any questions.
14. Complaints and updates
If you believe we process your personal data incorrectly, you can file a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
We're always happy to receive your feedback directly at info@riuslegacy.com.
This policy was last updated in May 2026. For significant changes we inform existing customers by email or via a clear notice on the website.
Questions about our privacy policy? Contact us