Privacy policy

Last updated: August 22, 2025

This Privacy Policy explains how BON LO (“we”, “us”, “our”) collects, uses, discloses and safeguards your personal information when you visit or purchase from bon-lo.com and related services (the “Services”). If this Policy conflicts with our Terms of Service, this Policy controls for privacy matters.

We are the data controller for processing described here. Contact.

1) Personal information we collect

  • Identifiers & contact: name, email, phone, billing/shipping details.

  • Order & account data: items viewed/added/purchased/returned, preferences, support history.

  • Payment data: payment method, transaction details (processed by our payment providers; we do not store full card numbers).

  • Device/usage: IP address, device/browser info, pages/events, cookies or similar tech.

  • Marketing & communications: your consents, unsubscribes and preferences.

  • Inferences derived from the above (e.g., product interests).

Sources: directly from you; automatically via the Services (cookies, pixels, SDKs); our providers (payments, shipping); advertising/analytics partners where lawful; and Shopify as further described below.

2) How and why we use your data (and legal bases)

We process personal information only where we have a lawful basis under GDPR:

  • To provide and fulfil your purchase (create account, process payments, deliver orders, handle returns/support).
    Legal basis: Contract (Art. 6(1)(b)); Legal obligation for invoicing/accounting (Art. 6(1)(c)).

  • Customer support & service communications (order updates, service emails).
    Legal basis: Contract / Legitimate interests (service quality; Art. 6(1)(f)).

  • Fraud prevention & security (authenticate, detect/prevent abuse).
    Legal basis: Legitimate interests / Legal obligation.

  • Analytics and performance (understand site use, improve UX and products).
    Legal basis: Legitimate interests; where cookies/trackers are not strictly necessary, Consent.

  • Marketing (newsletters, campaigns, personalized ads).
    Legal basis: Consent (EU e-privacy/GDPR). You can withdraw at any time (unsubscribe link / Cookie Preferences).

  • Compliance & enforcement (tax/audit, regulatory requests, dispute handling).
    Legal basis: Legal obligation / Legitimate interests.

Where we rely on consent, you may withdraw it at any time without affecting prior processing.

3) Cookies & similar technologies (Cookie Policy)

We use cookies, pixels and similar technologies to run our store, measure performance and (with your consent) personalize content and ads.

3.1 What cookies are

Cookies are small files stored on your device. They can be session (deleted when you close the browser) or persistent (remain until expiry or deletion). Similar tech includes SDKs, local storage and tracking pixels.

3.2 Categories we use

  • Strictly necessary (required for core functions such as checkout, cart, login, security, consent storage). These run without consent.

  • Preferences (remember choices like language or region).

  • Analytics (understand site usage and improve performance; e.g., page views, conversion events).

  • Marketing/advertising (measure campaigns and show relevant ads on our site and on third-party sites).

Non-essential cookies (preferences/analytics/marketing) only run with your consent in the EU/EEA.

3.3 Your choices (consent & withdrawal)

  • Give/withdraw consent: Use the “Cookie preferences” link in our footer at any time to change your settings or withdraw consent.

  • Browser controls: You can block/delete cookies in your browser. Blocking strictly necessary cookies may break core features (e.g., checkout).

  • Email marketing: Use the unsubscribe link in emails to stop marketing emails (service emails may still be sent).

3.4 Who sets cookies (first vs third party)

  • First-party cookies are set by bon-lo.com (e.g., cart, session, consent).

  • Third-party cookies may be set by our service providers for analytics/ads and by Shopify to operate the storefront. We may use advertising/analytics partners (for example, platforms that help measure performance and personalize ads). The current list of vendors and cookie lifetimes appears in the Cookie preferences panel.

3.5 Data we collect via cookies

Device identifiers (including IP address), browser type, pages viewed, products added, orders and events (e.g., add-to-cart). Where legally required, these run only after you consent.

3.6 Retention

Cookie lifetimes vary by purpose and vendor. See the Cookie preferences panel for per-cookie duration. Consent records may be retained to demonstrate compliance. You can withdraw consent at any time.

3.7 Legal bases

  • Strictly necessary: Legitimate interests (provide a secure, functioning store) and/or contract.

  • Preferences/Analytics/Marketing: Consent (you can withdraw at any time).

4) Sharing and recipients

We share data with:

  • Shopify (store platform/hosting, checkout, security, performance).

  • Payment processors & banks (payments, refunds, fraud checks).

  • Logistics & fulfilment partners (warehousing, shipping, returns).

  • IT, analytics, and marketing vendors (only as needed and subject to contracts).

  • Authorities, courts, advisors (where required by law or to protect rights).

In acquisitions/restructuring we may transfer data subject to confidentiality and applicable law.

5) Relationship with Shopify

Our store is hosted by Shopify. For most store operations, we are the controller and Shopify acts as our processor under Shopify’s Data Processing Addendum. For certain “Enhanced/Consumer” features (e.g., cross-merchant analytics/ads), Shopify may act as an independent controller and is responsible for responding to rights requests about those features. Learn more and exercise rights directly with Shopify via the Shopify Consumer Privacy Policy and Shopify Privacy Portal.

6) International transfers

We may transfer personal information outside the EEA/UK (e.g., to Shopify or service providers). Where we do so, we rely on approved transfer mechanisms (such as the EU Standard Contractual Clauses) and implement appropriate safeguards. Details are available on request and in Shopify’s privacy documentation.

7) Retention

We keep personal information only as long as needed for the purposes above:

  • Orders, invoices & accounting records: generally 7 years to meet Swedish bookkeeping/tax rules.

  • Customer service emails/cases: typically up to 3 years after resolution.

  • Marketing data: until you withdraw consent or after a period of inactivity (normally 24 months).

We may retain longer if required by law or to establish/defend legal claims.

8) Your rights

Subject to law, you have the right to access, rectify, erase, restrict, object (including to direct marketing), and data portability. Where processing is based on consent, you can withdraw consent at any time. You also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects; we do not take such decisions in our direct relationship with you. To exercise your rights, email us via the contact form. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local EU regulator.

9) Children

Our Services are not intended for children. Where we rely on consent for online services, Sweden’s digital age of consent is 13. If you believe a child provided data without appropriate consent, contact us to delete it.

10) Necessity of providing data

Providing certain data (e.g., name, address, payment info) is necessary to enter into a purchase contract. If you do not provide it, we cannot fulfil your order. Technical data may be necessary for site security and performance.

11) Security

We use administrative, technical and organizational measures to protect your data. No system is 100% secure; transmission over the Internet carries risk.

12) Updates

We may update this Policy from time to time. We will post changes here and, where required by law, notify you.