
Legal · Effective 2 June 2026

Privacy Policy.

How DecaRoy AB collects, uses, and protects your personal data — under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and Swedish law.

— 01 / Who we are

Data controller and scope.

The data controller responsible for processing personal data under this policy is DecaRoy AB, based in Trelleborg, Sweden. You can reach us at contact@decaroy.com. A human answers every enquiry, usually within one working day.

This policy applies when you visit our website at decaroy.com, when you contact us, when you apply for a role, and when you become a client and we deliver services to you. It does not apply to third-party websites we link to — for example our hosting partner DreamHost — which have their own privacy policies.

— 02 / Data we collect

Only what we genuinely need.

When you simply visit the website

Standard server logs (IP address, browser, device, page requested, referring URL, timestamp) are kept by our hosting provider to operate the site, prevent abuse, and detect security incidents. Your language preference is stored in your browser's local storage (a single key, decaroy_lang, containing only a two-letter language code). We do not use analytics, advertising, or third-party tracking cookies.

When you contact us

We collect the information you share — typically name, email, business name (if any), and the content of your message.

When you apply for a role

Your contact details, CV, portfolio link, work history, and the content of your cover message.

When you become a client

Business name and registration data, contact person details, project briefs and content you supply (text, images, brand assets), domain and hosting credentials you choose to share, and billing information required to issue invoices under Swedish law.

— 03 / Purposes & legal bases

Why we process it.

We only process personal data on a clearly defined legal basis under Article 6 GDPR.

  a. Respond to enquiries: Art. 6(1)(b) GDPR — steps prior to entering into a contract at your request.
  b. Deliver services to clients: Art. 6(1)(b) GDPR — performance of a contract to which you are party.
  c. Handle job applications: Art. 6(1)(b) GDPR — pre-contractual steps.
  d. Meet legal and tax obligations: Art. 6(1)(c) GDPR — invoices and bookkeeping under the Swedish Bokföringslagen (1999:1078).
  e. Operate the site and prevent abuse: Art. 6(1)(f) GDPR — legitimate interest in running a secure service.
  f. Remember your language preference: Art. 6(1)(f) GDPR — legitimate interest in a usable experience.

We do not currently rely on consent (Art. 6(1)(a) GDPR) because we run no marketing tracking. Should that change, we will ask for your consent in advance and explain exactly what it covers.

— 04 / Sharing & international transfers

Where data goes.

We share personal data only with a small number of carefully chosen service providers (data processors) that help us run our business. Each is bound by a written data processing agreement compliant with Article 28 GDPR.

  • Hosting and CDN providers that serve this website and store our email correspondence.
  • Font and library providers — Google Fonts and a public CSS-utility CDN. They may receive your IP address when your browser fetches the file.
  • Cloud productivity tools for projects, email, document storage, and billing.
  • Affiliate partners — clicking the "Dream" link on the Method page redirects you to DreamHost, which then processes your data under its own privacy policy. We only see anonymous referral statistics.

We do not sell personal data. We do not share it with advertisers, brokers, or any party that would use it for their own marketing.

Some providers are based outside the European Economic Area, primarily in the United States. Where personal data is transferred to such a country, we rely on the safeguards permitted by Chapter V GDPR — typically the Standard Contractual Clauses adopted by the European Commission, supplemented where necessary by additional measures. You may contact us for a copy of the safeguards in place for any specific transfer.

— 05 / How long we keep it

Retention.

We keep personal data only as long as we need it for the purpose for which it was collected, unless a longer period is required by law.

  01. Email enquiries: for the duration of the conversation and for up to 24 months afterwards.
  02. Job applications: for up to 12 months after receipt, unless you ask us to keep them longer.
  03. Client project files: for the duration of the engagement and for 3 years afterwards.
  04. Invoices and accounting records: for 7 years after the end of the calendar year, as required by the Swedish Bookkeeping Act.
  05. Server logs: typically 30 days, then deleted or fully anonymised.

— 06 / Your rights

What you can ask us to do.

Under the GDPR you have the following rights with respect to your personal data:

  • Access (Art. 15) — to know whether we hold personal data about you and to receive a copy.
  • Rectification (Art. 16) — to have inaccurate data corrected and incomplete data completed.
  • Erasure (Art. 17) — to have your data deleted where one of the legal grounds applies.
  • Restriction (Art. 18) — to limit our processing in certain situations.
  • Portability (Art. 20) — to receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — to object to processing based on legitimate interest, for reasons relating to your particular situation.
  • Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing.
  • Not be subject to automated decision-making (Art. 22) — we do not take automated decisions about you.

To exercise any of these rights, write to contact@decaroy.com. We answer within one calendar month (Art. 12(3) GDPR), free of charge unless your request is manifestly unfounded or excessive.

If you believe we have processed your personal data in breach of the GDPR, you have the right to lodge a complaint with the Swedish supervisory authority — Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, +46 8 657 61 00, imy@imy.se, imy.se. You may also lodge a complaint with the supervisory authority of the EU/EEA Member State where you live or work.

— 07 / The operational details

Cookies, security, the small print.

Cookies and local storage

This website does not set tracking, analytics, or advertising cookies. The only data we store on your device is a single local storage key, decaroy_lang, which holds your language choice (a two-letter code such as en or sv). It contains no personal information and is strictly necessary under Art. 5(3) ePrivacy Directive — so no consent banner is required. You can clear it any time by clearing site data for decaroy.com.

Security

We protect personal data with reasonable technical and organisational measures: HTTPS in transport, access controls on internal tools, and the principle of least privilege within our team. If we ever become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required by Art. 34 GDPR, you directly.

Children's privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it without undue delay.

Changes to this policy

We may update this policy from time to time. The "effective" date at the top is always the date of the most recent version. Material changes will be communicated by a clear notice on this page or, where appropriate, by email.