Privacy Policy
How Loose Nails processes your personal data under the EU GDPR. Information on what we collect, why, retention periods and your rights.
Last updated:
Your privacy matters to us. In this policy we explain what personal data X Beauty AB processes when you use Loose Nails, why we do so, with whom we share it and what rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Data controller
The controller for the processing of your personal data is:
- X Beauty AB
- Swedish company registration no.: 559337-9059
- Registered address: Kubikenborgsgatan 6A, 854 63 Sundsvall, Sweden
- General contact: hej@loose-nails.com
- Data protection contact: privacy@loose-nails.com
We have not appointed a Data Protection Officer because the conditions in Article 37 GDPR do not apply to our activities. You can always reach the team responsible for data protection at privacy@loose-nails.com.
2. Personal data we collect
We process the following categories of personal data about you:
- Contact details — name, email address, phone number and delivery address.
- Payment data — Stripe customer ID (stripe_customer_id), metadata about the chosen payment method and transaction history. We never store the card or bank account number itself — that data is handled directly by Stripe under PCI DSS.
- Preferences and profile — style choices, preferred length and shape, previously chosen sets, notes from your tipster.
- Communication — SMS logs from your chat with the tipster, email logs (open / delivery status), support tickets.
- Technical data — IP address, browser type, device, language setting and cookies set when you visit loose-nails.com.
3. Purposes and legal bases
We process your personal data for the following purposes on the following legal bases under Article 6(1) GDPR:
- Performance of the contract (Art. 6(1)(b)) — to register and run your subscription, deliver kits, process payments, send transactional SMS and email and provide personal advice through the tipster.
- Compliance with a legal obligation (Art. 6(1)(c)) — bookkeeping and accounting under Swedish accounting law, handling of consumer complaints and other statutory duties.
- Legitimate interests (Art. 6(1)(f)) — product development and service improvement, security monitoring, fraud prevention and analysis of aggregated usage data. We have carried out balancing tests and consider that your interests do not override these.
- Consent (Art. 6(1)(a)) — sending newsletters and marketing to non-customers, and setting non-essential cookies. You may withdraw consent at any time.
4. Recipients and processors
To deliver the service we share necessary personal data with the following processors. We have data-processing agreements with each of them:
- Stripe Payments Europe Ltd — payment processing. Established in Ireland.
- Twilio SendGrid — transactional email (order confirmations, receipts, account notices). Established in the USA.
- 46elks AB — SMS messaging and the tipster chat. Established in Sweden.
- Shopify Inc. — order management and fulfilment via the XNails store. Established in Canada.
- PostNord AB and regional carriers (e.g. DHL) — physical delivery of the kit. Established in the EU.
- Vercel Inc. — hosting and operation of loose-nails.com. Established in the USA.
In addition, we may disclose data to public authorities where we are required to do so by law.
5. International transfers
Some of our processors are established in the USA (Twilio SendGrid, Vercel and Stripe's group affiliates) or Canada (Shopify). Canada benefits from a European Commission adequacy decision for commercial organisations. For transfers to the USA we rely on:
- the European Commission's adequacy decision for the EU–US Data Privacy Framework where the recipient is certified, or
- the European Commission's Standard Contractual Clauses (SCCs) supplemented with technical and organisational measures.
You can obtain a copy of the safeguards applied by contacting privacy@loose-nails.com.
6. Retention
We retain personal data only for as long as necessary for the relevant purpose:
- Accounting records — 7 years, as required by Swedish accounting law (Bokföringslagen 1999:1078).
- Customer account and subscription history — deleted or anonymised 24 months after the subscription ends, unless a longer retention is required by law.
- Email and SMS logs — 12 months; content is then deleted while limited metadata may be retained for security purposes for a short period.
- Marketing consents and newsletter subscriptions — until you withdraw consent or unsubscribe.
- Technical logs and cookies — as described in the cookie policy.
7. Your rights
Under the GDPR you have the following rights in relation to your personal data:
- Access — obtain confirmation as to whether we process your data and receive a copy of it.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure ("right to be forgotten") — have your data deleted, provided we are not required to retain it by law.
- Restriction — request that we temporarily limit the processing.
- Data portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Objection — object to processing based on our legitimate interests and to direct marketing.
- Withdrawal of consent — where the processing is based on your consent, withdraw it at any time without affecting the lawfulness of past processing.
- Lodging a complaint with a supervisory authority — see section 10.
To exercise your rights, email privacy@loose-nails.com. We will reply within one month in accordance with Article 12 GDPR.
8. Cookies
Loose Nails uses cookies and similar technologies to deliver and improve the service. Detailed information about which cookies we set, what they do and how you can manage them is provided in our cookie policy.
9. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or alteration:
- All traffic to and from loose-nails.com is encrypted with TLS (HTTPS).
- Sensitive fields are encrypted at rest where technically feasible.
- We apply strict access controls and logging — only staff with a job-related need have access to personal data.
- We conduct regular security reviews of our systems and processors.
If a personal-data breach is likely to result in a high risk to your rights and freedoms, we will inform you and the competent supervisory authority in accordance with Articles 33–34 GDPR.
10. Complaints
If you have questions or wish to exercise your rights, please email privacy@loose-nails.com first — we want to put things right.
If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority. The lead authority for X Beauty AB is:
- Integritetsskyddsmyndigheten (IMY)
- Box 8114, 104 20 Stockholm, Sweden
- imy.se
You may also lodge a complaint with the supervisory authority of the EU/EEA Member State where you reside or where the alleged infringement occurred. Examples include:
- Norway — Datatilsynet, datatilsynet.no.
- Denmark — Datatilsynet, datatilsynet.dk.
- Finland — Tietosuojavaltuutetun toimisto, tietosuoja.fi.
- Germany — Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), bfdi.bund.de, or the supervisory authority of your federal Land.
- Netherlands — Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl.