Privacy Policy
Last updated: 22 May 2025
WalldoffStudios AB (Swedish org. no. 559490-5902) (we, us, or our) understands that protecting your personal information is important. This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or collected by us, when interacting with you.
As a company based in Sweden, we are subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218). The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) is our supervisory authority.
For the purposes of the GDPR, WalldoffStudios AB is the data controller for the personal information described in this policy.
The information we collect
Personal information means any information relating to an identified or identifiable natural person. The types of personal information we may collect about you include:
- Identity Data — including your full name, date of birth, company name, and username.
- Contact Data — including your email address, telephone number, and postal address.
- Financial Data — including VAT registration number and payment card details (processed solely through our third-party payment processor, Stripe, Inc.; we do not store card details ourselves).
- Transaction Data — including details about payments made to or from us and details of products or services you have purchased from us.
- Technical and Usage Data — when you visit our website, details about your IP address, browser type and version, browser session and geo-location data, page views and session statistics, device and network information, and how you navigate through our site.
- Profile Data — including your account username and password, purchase and download history, and any support requests you have submitted.
- Interaction Data — information you provide when you participate in any interactive features, surveys, contests, promotions, or events.
- Marketing and Communications Data — your preferences for receiving marketing from us and your communication preferences.
- Seller / Professional Data — if you apply to become a seller on our platform, your professional background, portfolio, and payout information.
- Special categories of data — we do not actively collect sensitive personal data (e.g. health, racial or ethnic origin, religious beliefs, or biometric data). If we ever need to do so, we will first obtain your explicit consent and will only process such data where permitted by law.
How we collect personal information
We collect personal information in a variety of ways, including:
- when you provide it directly to us, including via email, contact forms, or when you create an account;
- when you purchase or download assets from our platform;
- when you apply to become a seller;
- when you use our website (including through analytics and cookie providers — see the Cookies section below);
- from third-party service providers we use to operate our platform (e.g. Supabase, Stripe); or
- from publicly available sources.
Why we collect, hold, use, and disclose personal information
We have set out below a description of the purposes for which we collect and process your personal information, together with the legal basis we rely on under the GDPR.
| Purpose | Data types | Legal basis |
|---|---|---|
| To enable you to create an account and access our assets. | Identity Data, Contact Data | Performance of a contract |
| To process purchases and deliver digital products to you. | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract |
| To respond to support requests and other enquiries. | Identity Data, Contact Data, Profile Data | Performance of a contract; Legitimate interest (providing good customer service) |
| For internal record-keeping, invoicing, and billing. | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract; Legal obligation; Legitimate interest (debt recovery and financial administration) |
| For analytics, product improvement, and business development. | Profile Data, Technical and Usage Data | Legitimate interest (keeping our website relevant and improving our offerings) |
| For marketing communications, including promotional emails about new assets or offers. | Identity Data, Contact Data, Profile Data, Marketing and Communications Data | Consent (for new contacts); Legitimate interest (for existing customers, subject to opt-out) |
| To manage seller applications and seller payouts. | Identity Data, Contact Data, Seller / Professional Data | Performance of a contract; Legitimate interest (evaluating seller applications) |
| To comply with legal obligations. | Any relevant personal information | Legal obligation |
Our disclosures of personal information to third parties
We may disclose your personal information to:
- our employees, contractors, and related entities;
- IT service providers, data storage, web-hosting, and server providers;
- payment systems operators or processors;
- email communications providers;
- professional advisors, auditors, insurers, and insurance brokers;
- our existing or potential agents or business partners;
- a prospective purchaser if we merge with or are acquired by another company, or sell all or a portion of our assets — your personal information may be transferred to or disclosed to advisers and prospective purchasers;
- courts, tribunals, regulatory authorities, and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings;
- third parties that collect and process data such as analytics providers; and
- any other third parties as required or permitted by applicable law.
Data processors
In order to operate our platform, communicate with you, process orders, and improve your experience, we work with the following third-party service providers (data processors) who process personal information on our behalf. All processors are contractually required to handle your data securely and in accordance with the GDPR, including through Standard Contractual Clauses (SCCs) or other adequate transfer mechanisms where data is transferred outside the EEA.
| Processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage | Account data, purchase history, uploaded assets | USA (EU data region available) |
| Stripe, Inc. | Payment processing and seller payouts | Name, email, order details, payment card data, payout info | USA (EU data centre available) |
| Resend, Inc. | Transactional and marketing email delivery | Name, email address, email content | USA |
| Vercel, Inc. | Website hosting and edge delivery | IP address, request logs, Technical and Usage Data | USA (EU edge locations) |
We only share the minimum data necessary with these processors to perform their services. For further information or to exercise your data rights in relation to them, please contact us.
International data transfers
Some of our data processors are based outside the European Economic Area (EEA). Whenever we transfer your personal information outside the EEA, we ensure an equivalent level of protection by:
- only transferring data to countries that have been deemed to provide an adequate level of protection by the European Commission; or
- using Standard Contractual Clauses (SCCs) approved by the European Commission in our agreements with processors.
Data retention
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including to satisfy any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal information for a longer period in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period we consider the amount, nature, and sensitivity of the personal information; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process it; and the applicable legal or regulatory requirements.
Your rights and controlling your personal information
Under the GDPR you have the following rights in relation to your personal information. We will respond to any request within one calendar month. There is no fee for exercising your rights, unless your request is clearly unfounded, repetitive, or excessive.
- Access — you may request a copy of the personal information we hold about you (a "data subject access request").
- Rectification — you may ask us to correct inaccurate or incomplete personal information we hold about you.
- Erasure — you may ask us to delete your personal information where there is no good reason for us to continue processing it ("right to be forgotten").
- Restriction — you may ask us to suspend the processing of your personal information in certain circumstances.
- Data portability — you may request a structured, machine-readable copy of the personal information you have provided to us, where we process it by automated means on the basis of your consent or a contract.
- Objection — you may object to our processing of your personal information where we rely on legitimate interests. You always have the right to object to direct marketing.
- Withdraw consent — where we rely on consent as the legal basis, you may withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.
- Automated decision-making — you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces a legal effect or similarly significant effect on you.
To exercise any of these rights, please contact us using the details at the end of this policy.
Marketing opt-out
You can unsubscribe from our marketing communications at any time by clicking the unsubscribe link in any email we send you, or by contacting us directly. Unsubscribing from marketing will not affect transactional communications (e.g. order confirmations).
Storage and security
We are committed to ensuring that the personal information we collect is kept secure. We have put in place appropriate technical and organisational measures to safeguard personal information and protect it from misuse, loss, and unauthorised access, modification, or disclosure. These measures include encryption of data in transit (TLS/HTTPS) and at rest, access controls, and regular security reviews.
While we are committed to security, no method of transmission over the Internet is completely secure. The transmission of information to and from our website is carried out at your own risk.
Cookies
We may use cookies and similar tracking technologies on our website. Cookies are small text files placed on your device that help us recognise you when you return and allow us to improve your experience.
We use the following types of cookies:
- Strictly necessary cookies — required for the website to function (e.g. authentication session tokens). These cannot be disabled.
- Analytics cookies — help us understand how visitors use our website (e.g. pages visited, session duration). We only use these with your consent.
- Preference cookies — remember your settings and choices to personalise your experience.
You can control cookies through your browser settings. Blocking all cookies may affect some functionality of our website.
Links to other websites
Our website may contain links to third-party websites. We have no control over those websites and are not responsible for the protection of any personal information you provide while visiting them. Those websites are not governed by this Privacy Policy.
Complaints
If you wish to make a complaint about how we handle your personal information, please contact us using the details below. We will investigate your complaint and respond to you in writing within a reasonable time.
If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se. If you are based in another EU/EEA country, you may also contact the supervisory authority in your country of residence.
Amendments
We may update this Privacy Policy from time to time by publishing the amended version on our website. We recommend you check this page regularly to stay informed of any changes. If we make material changes we will notify you by email or by a prominent notice on our website.
Contact us
For any questions, requests, or notices regarding this Privacy Policy, please contact our Privacy Officer:
WalldoffStudios AB
Sweden
Email: support@walldoffassetlibrary.com
Or use our contact form.