Zeeder AB — Privacy Policy (GDPR/EU)
Last updated: 12 September 2025
Company: Zeeder, [Registered address], Sweden
Contact: privacy@zeeder.co
This Privacy Policy explains how Zeeder AB (“Zeeder”, “we”, “us”) processes personal data when you visit our sites, create an account, use the Zeeder platform, or interact with us. It aligns with our Terms & Conditions and Data Processing Addendum (DPA).
1) Who is responsible (Controller vs Processor)
- Controller. Zeeder acts as controller for personal data it collects to operate, secure, and improve the Service (e.g., accounts, billing, product analytics, marketing, website cookies).
- Processor. For certain features (e.g., Store Integrations, creation of orders/fulfilments on a Brand's ecommerce system, messaging to Creators on a Brand's behalf), Zeeder acts as processor for the Brand (controller). The DPA governs that processing (roles, sub‑processors, SCCs, security).
- If a Brand is itself a processor for a third‑party controller, Zeeder acts as sub‑processor.
If you are a Creator and have questions about data processed for a specific Brand's Zeed (e.g., shipping or order details), please contact the Brand first, as it is the controller for that processing.
2) Scope of this notice
This notice covers:
- Our websites, app(s), and platform (“Service”);
- Accounts for Brands and Creators;
- Communications (email/SMS/in‑product); and
- Sales/support interactions.
It does not cover third‑party sites or platforms we do not control (e.g., Instagram, TikTok, Shopify). Their privacy policies apply.
3) Quick summary (plain English)
- We collect limited identity, contact, social handle/metrics, shipping, and usage data to run Zeeder.
- We use data to provide the Service, prevent fraud/abuse, integrate with stores, enable shipments, and (with consent where required) to send product updates and marketing.
- We share data with sub‑processors (hosting, email/SMS, analytics, support tools) under contracts, and with carriers/ecommerce platforms at a Brand's direction.
- Some data may be transferred outside the EEA/UK/CH with SCCs/UK Addendum/Swiss Addendum and supplementary measures.
- You have GDPR rights: access, rectify, erase, restrict, portability, object, and withdraw consent.
- We don't knowingly collect children's data (<18).
4) Data we collect
4.1 Categories and examples
| Category | Examples |
|---|---|
| Account & identity | Name, email, username/handle, profile photo, role, company details (Brands), billing contact |
| Contact & delivery | Email, phone (optional), shipping address, delivery instructions |
| Social presence (Creators) | Public profile links, follower counts/engagement metadata, content links you share with us |
| Store Integration data (Brands) | Order/fulfilment metadata, SKUs, shipment/tracking status, storefront identifiers (from your ecommerce platform) |
| Communications | Messages sent via the Service, support tickets, feedback |
| Usage & device | IP address, device/browser, timestamps, product telemetry, event logs, crash logs |
| Marketing preferences | Email/SMS opt‑ins, cookie consents, unsubscribe flags |
4.2 Special categories & children
- We do not intend to collect special categories (e.g., health, religion) or criminal offence data. Please do not submit such data.
- The Service is not intended for children under 18.
5) Purposes & legal bases
| Purpose | Legal basis (GDPR Art. 6) | Notes |
|---|---|---|
| Provide and administer the Service (account creation, authentication, core features) | Contract 6(1)(b) | Necessary to perform our contract with you or your company |
| Store Integrations, order creation, shipping status | Contract 6(1)(b) (Brand↔Creator), Processor role under DPA | Zeeder acts as processor for Brands; Brands remain controllers |
| Security, fraud prevention, abuse detection, incident response | Legitimate interests 6(1)(f) & Legal obligation 6(1)(c) | Keep service and users secure; comply with law |
| Product analytics & service improvement | Legitimate interests 6(1)(f) | We use aggregated/limited data; you can object |
| Customer support & service communications | Contract 6(1)(b) & Legitimate interests 6(1)(f) | Includes operational emails/SMS about your account |
| Marketing by email/SMS & onboarding tips | Consent 6(1)(a) or Legitimate interests 6(1)(f) where e‑privacy allows | You can withdraw consent at any time; SMS may need explicit opt‑in |
| Legal compliance, accounting, tax | Legal obligation 6(1)(c) | E.g., bookkeeping retention under Swedish law |
Where we rely on legitimate interests, we balance those interests against your rights and expectations.
6) Cookies & similar technologies
We use cookies, SDKs, and similar technologies to:
- keep you logged in and secure (strictly necessary),
- remember preferences (preferences),
- measure usage (analytics), and
- support marketing (advertising) with your consent.
We operate a Consent Management Platform (CMP). In EEA/UK/CH, non‑essential cookies (analytics/advertising) load only with your consent. You can change choices anytime via “Cookie settings.”
What we set:
- Strictly necessary (login/session, CSRF, rate limiting) — legitimate interests.
- Analytics (e.g., page views, feature adoption) — consent.
- Marketing (e.g., campaign attribution) — consent.
See Annex A for an illustrative cookie list. Exact vendors may change; the CMP shows the current list.
7) Sources of personal data
- Directly from you (forms, profile, messages, support).
- Automatically from your device (logs, telemetry) when you use the Service.
- From Brands (if you are a Creator applying to a Brand's Zeed) or from Creators (if you are a Brand representative they message).
- From connected third‑party platforms you choose to link (e.g., ecommerce platforms, social profiles), subject to their permissions.
8) Disclosures and recipients
We share personal data with:
- Sub‑processors (hosting, databases, email/SMS, analytics, support tools, security) under contracts with confidentiality and security obligations (see Annex B / Sub‑processor list URL).
- Ecommerce platforms, carriers, and similar vendors when Brands instruct Zeeder to create orders/shipments or update delivery status (Brand controller context).
- Professional advisers (legal, accounting) and authorities where required by law.
- Corporate transactions: If we restructure, merge, or sell assets, personal data may transfer to the new entity under equivalent protections.
We do not sell personal data.
9) International transfers
We primarily store/process data in the EEA. If we transfer personal data outside the EEA/UK/CH, we ensure appropriate safeguards, typically the EU Standard Contractual Clauses (SCCs) and, where relevant, the UK Addendum and Swiss Addendum, plus technical/organisational measures. See the DPA for details.
10) Retention
We keep personal data only as long as necessary for the purposes above:
- Account data: for the life of the account plus 24 months.
- Logs/telemetry: 12–24 months depending on type.
- Support tickets: 36 months.
- Marketing consents/suppression: as long as needed to honour preferences.
- Billing/invoices: at least 7 years to comply with Swedish bookkeeping laws.
- Backups: typically deleted within 90 days after primary deletion.
We may retain limited data to establish, exercise, or defend legal claims.
11) Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, secure SDLC, vulnerability management, logging/monitoring, backups/DR, and incident response. See Annex C for an overview (aligned with the DPA's TOMs).
12) Your rights (EEA/UK/CH)
You have the right to access, rectify, erase, restrict, object, and port your personal data, and to withdraw consent at any time (without affecting prior processing). You also have the right to complain to a supervisory authority.
- How to exercise: Email privacy@zeeder.co. For Brand‑controlled processing (e.g., Store Integrations), contact the Brand directly; we will support them as processor.
- Supervisory authority (Sweden): Integritetsskyddsmyndigheten (IMY), imy.se.
13) Automated decision‑making & profiling
Zeeder uses algorithms to rank/sort Zeeds, suggest matches, and detect fraud/abuse. These processes do not produce legal or similarly significant effects about you. You can contact us to request human review of decisions that materially affect you.
14) Marketing communications
- Email: We may send operational emails (service notices). Marketing emails require consent where required; you can unsubscribe at any time via the link in the email.
- SMS: Requires explicit opt‑in in most cases; reply STOP to opt out. Message/data rates may apply.
15) Social media and public content
If you link or share social posts with us, we may process the URLs and engagement metadata you provide. We do not collect your private messages from social platforms unless you explicitly connect a channel and authorise access.
16) Store Integrations (important role explanation)
When a Brand connects a Store Integration and asks Zeeder to create orders/shipments for Creators:
- The Brand is the controller of the related customer/order/shipping data;
- Zeeder acts as processor under the DPA; and
- Carriers/ecommerce platforms act under their own terms as independent controllers or processors.
Creators seeking to exercise rights for such data should contact the Brand (controller). We will support the Brand's request.
17) Changes to this Privacy Policy
We may update this notice to reflect legal, technical, or business changes. We will post updates with a new “Last updated” date and, where appropriate, notify you. Continued use of the Service indicates acceptance of the updated notice.
18) Contact us
Zeeder
privacy@zeeder.co