Privacy Notice

Impact Solution Scandinavia AB ("we"/"us"/"our") is committed to protecting your right to privacy and your personal data. The purpose of this privacy notice is to inform you about what personal data we process, how we collect it, why we use it and for how long, who we may share it with, and what rights you have.

This privacy notice applies when you use our services, including purchases via our vending machines and use of our website.

1. Information we collect about you

We only collect the personal data necessary to complete your purchase, manage customer service, and offer any potential membership benefits:

• Information you provide yourself: Name, email address, and phone number that you provide in connection with a purchase or customer contact.
• Transaction data: Time of purchase, product information, price, and payment method.
• Customer communication: Correspondence when you contact us via email, phone, or other channels.
• Technical logs: IP address and necessary system information used to ensure security, prevent fraud, and operate our services reliably.

2. Use of your personal data

We only use your personal data when we have a valid legal basis for doing so. Depending on the circumstances, we may rely on your consent or the fact that the processing is necessary to fulfill a contract with you, protect your vital interests, or to comply with the law. We may also process your personal data if we believe it is in our or others' legitimate interest.

To communicate effectively with you and run our business:

• Complete and administer your purchase
• Provide receipts and order confirmations
• Respond to your inquiries and manage customer service
• Handle complaints and warranty claims

To monitor certain activities:

• Monitor transactions to ensure service quality
• Combat fraud and ensure system security
• Fulfill our legal obligations

In connection with legal or regulatory obligations:

• Accounting and tax law (7 years)
• Cooperation with authorities upon legal request
• Protect our rights and interests

3. Transfer, storage, and security of your personal data

Recipients

We may share your personal data with the following categories of recipients:

• Payment service providers: Worldline and other secure payment service providers for payment processing
• Service providers: IT providers who perform services on our behalf (system operation, maintenance, support)
• Authorities: When required by law or to fulfill our legal obligations

We never sell your personal data to third parties.

Security

We maintain commercially reasonable physical, electronic, and procedural safeguards to protect your personal data in accordance with statutory data protection requirements. All information is stored on our or our subcontractors' secure servers and is accessed and used according to our security policies and standards.

International data transfer

If we transfer personal data from the European Economic Area (EEA) to a country outside the EEA, we will take specific additional measures to protect the relevant personal data based on legal grounds such as the European Commission's approved standard contractual clauses.

Data retention

We store personal data for as long as necessary for the processing purposes for which the information was collected. Our retention periods are based on business needs and statutory requirements:

• Transaction data: 7 years (accounting requirements)
• Customer service cases: 3 years
• Technical logs: 12 months
• Marketing consent: Until you withdraw consent

4. Your Rights

Your rights when we process your personal data for marketing purposes

You have the right to decide whether we may process your personal data for marketing purposes. We will ask for your consent in advance if we intend to use your personal data for marketing purposes. You can withdraw your consent to the use of your personal data for marketing purposes at any time.

Your other rights

When we process your personal data according to this privacy notice, you have the right to demand that we do the following:

• Provide you with further information about our use of your information
• Give you a copy of your personal data that we hold
• Update any errors in the personal data we hold
• Delete any personal data that we no longer have a legal basis to use
• Where processing is based on consent, withdraw your consent so that we stop that specific processing
• Object to processing based on legitimate interests
• Restrict our use of your information while a complaint is being investigated
• Not be subject to automated decisions that may have negative effects
• Transfer your personal data to a legitimate party of your choice

If you are not satisfied with our use of your personal data or our response to the exercise of these rights, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY).

5. Contact us

If you wish to exercise any of your rights as set out in this privacy notice or have other questions regarding our processing of your personal data, please contact us at:

6. Changes to our Privacy Notice

We may change the content of our websites and, consequently, our privacy notice may change from time to time in the future. If we change this privacy notice, we will update the date of the last change below. If these changes are significant, we will clearly state this on our website.

7. Legal Bases

We process your personal data based on the following legal grounds:

• Consent: Where you have consented to our use of your data
• Performance of a contract: Where your data is required to enter into or perform our contract with you
• Legal obligation: If we need to use your data to comply with our legal obligations
• Legitimate interests: If we use your data to achieve a legitimate interest and our reasons outweigh any harm to your rights
• Legal claims: If your data is required to defend, prosecute, or make a claim