Privacy Policy
This Privacy Policy explains how we collect, use, and protect your personal data when you visit or make a purchase from our online shop.
Controller and Contact
The Bread Exchange AB
Pataholm 416
384 92 Ålem
Sweden
Contact email: contact@thebreadexchange.com
This Privacy Policy applies to all interactions with our website and services.
Definition of Personal Data
Personal data means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
How We Collect Personal Data
We collect personal data when you create an account, place an order, subscribe to our newsletter, contact us, submit a product review, or otherwise actively provide information to us. In addition, certain technical data is collected automatically when you visit our website through necessary cookies and server log files.
We process personal data only to the extent necessary for the stated purposes and do not use it for incompatible purposes.
Categories of Personal Data Processed
Depending on how you use our website and services, we process the following categories of personal data:
Identification and contact data, such as name, billing and delivery address, email address, and where provided, telephone number;
Order and transaction data, such as ordered products, order number, order history, payment confirmation, and delivery status;
Account data, such as login credentials and stored preferences, if you create a customer account;
Communication data, such as messages and information you provide when contacting us by email or in connection with customer support;
Newsletter data, such as email address, subscription status, and information on newsletter interaction (e.g. open and click rates);
Review data, such as name or pseudonym, review content, rating, and product reference;
Technical and usage data, such as IP address, date and time of access, browser type, operating system, and pages accessed.
Website Access and Technical Operation
When you access our website, our servers automatically process technical information such as IP address, date and time of access, browser type, operating system, and requested pages. This processing is necessary to ensure the security, stability, and proper functioning of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Server log data is stored for a limited period and then deleted.
Shopify & Customer Privacy API
Our online store is hosted by Shopify. Shopify provides a Customer Privacy API that technically enforces consent signals (acceptance, rejection, withdrawal) across cookies and consent-dependent services. Based on your cookie selection, Shopify automatically enables or blocks data processing requiring consent.
Order Processing & Logistics
We process personal data necessary for order fulfilment, payment, delivery, and customer service pursuant to Art. 6(1)(b) GDPR. This includes name, address, email address, and order details. For the delivery of orders, we share personal data (name, delivery address and, where required, contact details) with external shipping and logistics partners engaged by us.
These providers process the data solely for delivery purposes and act as processors pursuant to Art. 28 GDPR.
Payments
Payment processing is carried out via Shopify Payments and other payment service providers made available through Shopify. Depending on the selected payment method, payment data is transmitted directly to the respective provider. Legal basis: Art. 6(1)(b) GDPR.
Customer Accounts
If you choose to create a customer account, we process login credentials and order history to enable access to your account and to manage your purchases. You may request deletion of your customer account at any time. Legal basis: Art. 6(1)(b) GDPR.
Customer Communication and Support
When you contact us by email or other means, we process the information you provide in order to respond to your inquiry and maintain our business relationship with you.
Legal basis: Art. 6(1)(b) GDPR where the communication relates to a contract, otherwise Art. 6(1)(f) GDPR.
Marketing Communications and Newsletters
If you subscribe to our newsletter, your email address and subscription metadata are processed based on your consent pursuant to Art. 6(1)(a) GDPR. Newsletter distribution and tracking (open and click rates) are handled via Shopify Email. You may unsubscribe at any time by using the unsubscribe link contained in each newsletter or by contacting us directly.
Product Reviews (Reviews.io)
We offer customers the opportunity to submit product reviews via the external provider Reviews.io. Personal data such as name or pseudonym, review content, rating, and product reference may be processed.
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in transparent customer feedback) or, where required, on your consent pursuant to Art. 6(1)(a) GDPR.
Social Media Links
Our website contains links to our profiles on Instagram, Facebook, and LinkedIn. These are simple hyperlinks. No data is transmitted to the respective platforms unless you actively click on the link.
Cookies and Consent
We use technically necessary cookies to operate our website. Additional cookies are only set with your consent via Shopify’s cookie consent mechanism. Vendor and cookie details are available within the cookie banner. You can adjust or withdraw your consent at any time through the cookie settings.
Third-Party Service Providers
We use selected service providers to operate our online store and provide our services:
Shopify International Ltd. (hosting, checkout, Shopify Email)
Privacy Policy: https://www.shopify.com/legal/privacy
Reviews.io Ltd. (customer reviews)
Privacy Policy: https://www.reviews.io/legal/privacy-policy
Shipping and logistics partners (delivery of orders)
Where providers act as processors, we have concluded data processing agreements pursuant to Art. 28 GDPR.
International Data Transfers
Data processing generally takes place within the European Union. Where personal data is transferred to third countries, this is done in accordance with applicable legal requirements, in particular through adequacy decisions or standard contractual clauses.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy or to comply with statutory retention obligations.
Order and accounting data: up to 10 years pursuant to tax and commercial law
Newsletter data: until unsubscription
Reviews: while published or until deletion is requested
Data Security
We implement appropriate technical and organisational measures to protect personal data against loss, misuse, and unauthorized access. However, no security measures can guarantee absolute protection.
Your Rights
You have the right to access, rectify, erase, restrict the processing of, and object to the processing of your personal data. You also have the right to data portability and to withdraw consent at any time. You may lodge a complaint with a supervisory authority, in particular in your country of residence, place of work, or place of the alleged infringement. In Sweden, the competent authority is the Swedish Authority for Privacy Protection (IMY).
Children
Our services are not directed at children under the age of 16. We do not knowingly process personal data of children.
Changes to this Privacy Policy
We may update this Privacy Policy to reflect legal, technical, or operational changes.
The current version is published on our website.
Latest update: 2026-01-14