This policy covers liljeforce.com. If you use one of our products, that product has its own privacy policy that governs data inside the product.
Data controller
Liljeforce AB is the data controller for personal data collected through liljeforce.com.
- Org. nr 559211-3186
- Grundtvigsgatan 39, 168 48 Bromma, Sweden
- bridget@liljeforce.com
What this policy covers
This policy covers data processed through the marketing site at liljeforce.com. It does not cover:
- Data processed inside our products. See the Amplycom privacy policy and the TalkBoiler privacy policy.
- Personal data we hold on behalf of clients during a consulting engagement. That processing is governed by a separate Data Processing Agreement signed with the client.
What we collect on this website
Two things, both narrow:
- Contact form. When you fill in the form at /contact, we collect your name, email, an optional subject, and the message. We send it as an email through Resend to our inbox. We do not store contact-form submissions in any Liljeforce database.
- Web analytics. We use Vercel Analytics to understand aggregate traffic: page views, referrer, device class, country. It is cookieless and does not identify you personally.
If you go on to buy a subscription, that purchase is processed by Stripe and triggers the data flows in section 5 below.
What we don't collect
No newsletter list, no advertising trackers, no third-party analytics beyond Vercel, no chat widgets, no session replay. The marketing site does not set any cookies, which is why there is no cookie banner.
Legal basis under GDPR
- Contact form: legitimate interest in responding to inbound enquiries (Art. 6(1)(f)) and pre-contractual steps where you are asking about working with us (Art. 6(1)(b)).
- Web analytics: legitimate interest in understanding aggregate traffic (Art. 6(1)(f)).
- Subscription purchases: contractual necessity (Art. 6(1)(b)) and legal obligation for invoicing and tax records (Art. 6(1)(c)).
Subprocessors
We rely on a small set of vendors to run the site and our back office:
| Service | What it does for us |
|---|---|
| Vercel | Hosts liljeforce.com and provides cookieless web analytics. US-based vendor with EU edge infrastructure. |
| Resend | Delivers contact-form submissions to our inbox. The message itself sits in our regular email after delivery. |
| Stripe | Processes subscription and credit-pack payments where Liljeforce AB is the merchant. PCI-compliant; their own privacy policy applies to the payment data they handle. |
| Neon | EU-region Postgres for our internal admin board. Public visitors do not interact with this; listed for completeness. |
| Google Workspace | The inbox that receives contact-form emails forwarded by Resend. |
Retention
- Contact-form emails stay in our inbox for up to 24 months, then we delete them. If a thread turned into an active client relationship, the relevant context lives inside that engagement and is governed by its DPA.
- Web analytics retention follows the Vercel Analytics default.
- Stripe transaction records and related invoices are kept for seven years to meet Swedish bookkeeping law (bokföringslagen).
International transfers
Vercel and Stripe are US-based vendors. Where data is transferred to the US, the transfer is covered by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Resend processes email through its own infrastructure under Standard Contractual Clauses. Neon stores our admin data in the EU.
Your rights
Under GDPR you have the right to access, correct, delete, restrict, object to, and port the personal data we hold about you. To exercise any of these, email bridget@liljeforce.com and we will respond within one month.
You can also lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY).
Cookies
The marketing site sets no cookies. Vercel Analytics is cookieless. If this changes we will update this section and add a consent banner.
Client data during consulting
During a consulting engagement we may process personal data on behalf of a client, in which case the client is the controller and we are the processor. That processing is governed by a separate Data Processing Agreement, not by this policy.
Changes to this policy
We may update this page from time to time. Non-material changes (clarifications, corrections) take effect immediately. Material changes take effect 30 days after we post notice on this page or send email notice. The date at the top reflects the current version.