Privacy Policy

SUSPENDED (operated by the store owner) is the data controller responsible for your personal data. If you have questions about how we handle your data, contact us at suspendedwear@gmail.com.

We collect and process the following categories of personal data: • Order information: Name, email address, shipping address, phone number (if provided), and payment details (processed securely by Stripe). We do not store your full card details. • Account information: Email address and name when you create an account through our authentication provider (Clerk). • Communication data: Name, email, and message content when you contact us through our contact form. • Newsletter: Email address when you subscribe to our newsletter. We do not run third party analytics, advertising pixels, or behavioural tracking on this site.

We process your personal data based on the following legal grounds under GDPR Article 6: • Contract performance (Art. 6(1)(b)): Processing necessary to fulfill your order, including production, shipping, and payment. • Legitimate interest (Art. 6(1)(f)): Improving our website, preventing fraud, and providing customer support. • Consent (Art. 6(1)(a)): Newsletter subscriptions and non-essential cookies. You can withdraw consent at any time. • Legal obligation (Art. 6(1)(c)): Retaining order and financial records as required by Norwegian accounting law (bokføringsloven).

We use your personal data to: • Process and fulfill your orders (production, shipping, payment). • Send order confirmations and shipping notifications. • Respond to your inquiries and provide customer support. • Send newsletter emails (only with your explicit consent). • Comply with legal and regulatory obligations. We never sell your personal data to third parties.

We share your data with trusted processors who help us operate our business. All processors operate under GDPR and a data processing agreement: • Gelato (print on demand production and fulfillment): Receives your shipping address and order details to produce and ship your items. • Stripe (payment processing): Processes your payment information securely. Stripe is PCI DSS Level 1 certified. • Clerk (authentication): Manages account creation and login. • Resend (email delivery): Sends transactional and newsletter emails on our behalf. • Railway (hosting and database): Hosts our website and stores order data in a managed Postgres database in the EU. We do not transfer your data outside the EU/EEA unless the recipient provides adequate safeguards (e.g. EU Standard Contractual Clauses).

We retain your personal data only as long as necessary for the purposes described in this policy: • Order data: Retained for 5 years after the transaction, as required by Norwegian accounting law. • Account data: Retained until you request account deletion. • Newsletter subscriptions: Retained until you unsubscribe. • Contact form messages: Retained for up to 12 months to resolve inquiries.

Under the General Data Protection Regulation (GDPR), you have the following rights: • Right of access (Art. 15): Request a copy of the personal data we hold about you. • Right to rectification (Art. 16): Request correction of inaccurate personal data. • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). • Right to restrict processing (Art. 18): Request that we limit the processing of your data. • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. • Right to object (Art. 21): Object to processing based on legitimate interest. • Right to withdraw consent: Withdraw consent for newsletter or marketing at any time. To exercise any of these rights, email us at suspendedwear@gmail.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

Our website uses essential cookies required for the site to function (e.g. session management, shopping cart). These do not require consent. We do not use advertising cookies, tracking pixels, or third party analytics.

We implement appropriate technical and organizational measures to protect your personal data, including: • HTTPS encryption for all data in transit. • Secure payment processing through Stripe (PCI DSS Level 1). • Access controls limiting who can view customer data. • Regular security reviews of our infrastructure and code.

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that data promptly.

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "last modified" date. We encourage you to review this policy periodically.