Privacy Policy for Rethink

1. Introduction

This privacy policy describes how Nanometer AB (company reg. no. 559257-6697), operating under the name Rethink ("we", "us", "our"), collects, uses, protects and shares personal data. We care about your privacy and always strive to process your personal data in accordance with applicable data protection legislation, including the General Data Protection Regulation (GDPR) and supplementary Swedish law.

2. Who is the data controller?

Nanometer AB is the data controller for the processing of your personal data.

  • Legal name: Nanometer AB
  • Address: Vasagatan 48, 111 20 Stockholm
  • Email: info@rethinktattoo.com

If you have questions about the processing of your personal data or wish to exercise your rights, please contact our Data Protection Officer:

  • Name: Anton Zetterberg
  • Email: Anton@rethinktattoo.com
  • Telephone: +46 73 234 53 37

3. What personal data do we collect?

We collect personal data that you voluntarily provide to us when you use our services, visit our website, make bookings, fill in forms or otherwise interact with us. The categories of personal data we collect may include:

  • Basic identity and contact details: Name, address, telephone number, email address.
  • Payment information: Information needed for payment of services (e.g. card details, billing information).
  • Health data: Information about previous treatments, skin type, and other medical information that a nurse and/or skin therapist deems necessary to safely and effectively carry out our services. This is a special category of personal data and is processed with extra care.
  • Technical data: IP address, browser history, information about device and operating system.
  • Communication data: Content of communications with us via chat, email or other channels.

4. For what purposes do we process your personal data and what is the legal basis?

We process your personal data for the following purposes and based on the legal grounds set out below:

Appointment booking and client management (incl. managing bookings, reminders, customer registers)

Contract: The processing is necessary to fulfil our contract with you (e.g. to book and carry out a treatment).

Performance of treatments (incl. documentation of health data for safe and effective treatment)

Consent: For processing health data we obtain your explicit consent through treatment forms before the treatment starts. Legal obligation: In some cases, legislation may require documentation of health data.

Marketing and communication (e.g. newsletters, offers, information about services)

Consent: For direct marketing, we obtain your consent via booking terms and Cookie Script settings. Legitimate interest: For communication considered to be of legitimate interest (e.g. information about similar services to existing customers) after a legitimate interest assessment.

Payment management (incl. invoicing and payment handling)

Contract: Necessary to fulfil the contract for the purchase of services. Legal obligation: To comply with bookkeeping requirements.

Internal administration (e.g. HR management, financial follow-up)

Legal obligation: To comply with legal requirements (e.g. labour law, tax, accounting). Contract: To fulfil employment contracts.

Research and analysis (e.g. to improve services, understand customer behaviour, segmentation)

Legitimate interest: To analyse and improve our services, provided your interest in data protection does not outweigh this. Consent: For more extensive analysis, or where the analysis involves special categories of data beyond what is necessary for the purpose.

5. With whom do we share your personal data?

We only share your personal data with trusted third-party suppliers when necessary to fulfil the purposes for which the data was collected, or when required by law. These recipients may include:

  • Payment processors: To handle payments for our services (e.g. Stripe, Klarna).
  • Cloud service providers: For data storage and management (e.g. Microsoft Azure).
  • Marketing platforms: To send email and SMS marketing (e.g. Klaviyo, Meta).
  • Analytics providers: To analyse website traffic and customer behaviour (e.g. Google Analytics, Funnel.io).
  • Communication platforms: For customer support and communication (e.g. Intercom).
  • Accounting and HR systems: For financial administration and HR management (e.g. Fortnox).
  • Other service providers: That support our operations (e.g. Senja for reviews, Canva/Figma for design, Google Workspace for internal collaboration).

We have agreements with these providers to ensure they process your personal data securely and in accordance with our instructions and applicable data protection laws.

6. Transfer of personal data to third countries

Rethink aims for all processing and storage of personal data to take place within the EU/EEA. Our primary data storage is in Microsoft Azure data centres in Sweden.

We have verified with our third-party suppliers that no processing or access to personal data takes place outside the EU/EEA. However, we are aware that some global services, even if they have data centres within the EU, may have parent companies or staff in third countries who could potentially access the data. Rethink assumes that these suppliers comply with their own GDPR obligations and that no transfers outside the EU/EEA occur without a legal basis and appropriate safeguards. We are aware that this assumption entails a risk as it has not been actively verified for all providers.

7. How long do we keep your personal data?

We only keep your personal data for as long as necessary for the purposes for which it was collected, or for as long as required by law. Afterwards, the data is securely deleted or anonymised.

  • Customer data (basic identity, contact): 3 years after the last activity or end of customer relationship, unless longer retention is required by another law (e.g. bookkeeping law).
  • Booking history and data relating to treatments (including health data): 10 years after the last treatment, taking into account healthcare legislation and any needs for medical follow-up or liability questions.
  • Payment information: 7 years according to bookkeeping legislation.
  • Marketing data (leads, segmentation): 540 days after last interaction if no conversion to customer, or as long as consent exists and is not withdrawn.
  • IP addresses and browser history (for analysis): 14 months (the longest data retention setting offered by Google Analytics) or shorter if the purpose is fulfilled earlier.
  • Internal administration (employee data): According to legal requirements in labour law and tax law, e.g. 7 years after the end of employment for certain information.

8. Automated decision-making and profiling

We use automated segmentation to categorise customers based on their interactions with us and where they are in their customer journey (so-called "stages"). This is done by analysing data from our CRM system (Azure) and web analytics tools (Google Analytics).

  • Logic: We categorise customers based on their stage in the customer journey (e.g. Learner, Explorer, Lead, Pay Go, Client, CRP, Completed, Promoter, Site / Social Visitor, Blog / Chat / DM / Booking Flow / Other, Consult booked / Digital Lead, Paying 1-10 treatments, Bought CRP, Done).
  • Meaning and consequences: This segmentation affects how and when we communicate with you. For example, you may receive tailored offers, information on relevant services, or reminders based on your status in the customer journey. The purpose is to make our communication more relevant and effective for you.
  • Your rights: You have the right to object to this type of profiling for direct marketing purposes.

9. How do we protect your personal data? (Data security)

We take appropriate technical and organisational security measures to protect your personal data from unauthorised access, loss, misuse or alteration. These measures include:

  • Encryption: All data is encrypted both in transit and at rest.
  • Access controls: Only authorised staff with a need for access are allowed to access data, and all access is logged. We use role-based permissions and security policies in both backend and frontend.
  • Backups and restoration: Regular backups of all critical data.
  • Incident management: There is a plan in place to handle personal data incidents.

10. Your rights as a data subject

According to the GDPR, you as a data subject have several rights regarding your personal data:

  • Right to information: You have the right to obtain information about how your personal data is processed.
  • Right of access: You have the right to know whether we process personal data about you and, if so, to obtain a copy of that data.
  • Right to rectification: You have the right to have incorrect or incomplete personal data about you corrected.
  • Right to erasure ("the right to be forgotten"): You have the right to request the deletion of your personal data under certain circumstances (e.g. if the data is no longer necessary for the purpose).
  • Right to restriction of processing: You have the right to request restriction of processing of your personal data under certain circumstances.
  • Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used and machine-readable format and to transfer it to another data controller.
  • Right to object: You have the right to object to the processing of your personal data based on legitimate interest or public interest, and an unconditional right to object to processing for direct marketing.
  • Rights regarding automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, if the decision has legal effects or similarly significantly affects you.

11. How to exercise your rights

If you wish to exercise any of your rights, please contact our Data Protection Officer by email or telephone. We will process your request without undue delay and at the latest within one month of receipt. If the request is complicated or extensive, the time limit may be extended by a further two months, in which case we will inform you of this.

12. Complaints to the supervisory authority

If you believe that we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), which is the supervisory authority in Sweden.

  • Integritetsskyddsmyndigheten (IMY)
  • Website: www.imy.se
  • Email: imy@imy.se
  • Telephone: +46 8 657 61 00

13. Changes to this privacy policy

We may update this privacy policy as necessary. The latest version will always be available on our website. We encourage you to regularly review this policy to stay informed about how we protect your personal data.