Ecoride AB safeguards your personal privacy. This policy explains how we collect and process your personal data when you purchase our electric bicycles (via ecoride.com, authorized retailers, or our stores), use our mobile app with IoT functions, contact customer service, participate in events, or receive newsletters and marketing. The policy has been drafted in accordance with the EU General Data Protection Regulation (GDPR) and applicable Swedish legislation (including the Consumer Sales Act and the E-commerce Act). It applies to all our processing of personal data across all sales channels. We may update the policy and will then notify you of the changes as described below in section 12.
1. Data Controller
Data Controller: Ecoride AB (company registration number 556764-6871) is responsible for the processing of personal data in our business. This includes our website ecoride.com, our own physical stores, and related services and digital channels.
Contact details: You can contact us regarding data protection matters by email at info@ecoride.com or by post to: Ecoride AB, Terminalvägen 6, 418 79. Our customer service can also be reached by phone at +46 744 10 22 12 for general inquiries.
Please note that if you purchase an Ecoride bicycle from an independent authorized retailer, the retailer initially collects your personal data in accordance with its own privacy policy. However, Ecoride AB may gain access to certain information from the retailer (e.g. the bicycle’s frame number and your contact details) in order to register the warranty, activate IoT services, or handle support cases. In these cases, we process the data in accordance with this policy.
2. Personal Data Collected
What is personal data? Personal data refers to any information that can directly or indirectly be linked to a living natural person. This includes obvious identifiers such as name and contact information, but also, for example, customer numbers, electronic identities (IP address, cookie ID), and data collected via your electric bicycle, to the extent that it can be attributed to you.
What data do we collect? The information we collect depends on the context in which you interact with us (purchase, app use, customer service, etc.). Below are the categories of personal data we process and examples of data in each category:
Identity data: First and last name. In certain cases, personal identity number (e.g. if required for a credit purchase or to verify identity).
Contact data: Address, email address, phone number. Also delivery address and any alternative contact person if you have provided that.
Customer and account data: Customer number, order number and purchase history (previous orders, purchased products, dates and place of purchase). If you create an account on our website or in the app, we may also process login data (username, password in encrypted form).
Payment data: Payment method and information necessary to complete payment (e.g. transaction ID, invoice number).
Please note: We do not handle your full card details — card payments are managed by authorized payment service providers. For invoice or installment payments via a partner (e.g. Qliro AB), a credit check and personal identity number may need to be obtained by the payment partner, but this data is not stored by Ecoride beyond what is needed to register the payment.
Product and bicycle information: Data about the purchased bicycle or product, such as frame number/ID, model, color, as well as any link to insurance or a service agreement (e.g. if you have signed up for Ecoride Safe).
IoT data (the bicycle’s sensor data): If your electric bicycle is equipped with our IoT technology and you have activated the Ecoride Connect app, we collect technical data from the bicycle. This includes, for example, real-time GPS position, battery status and charge level, the bicycle’s range, your trip history (distance, routes and speed), as well as information for service needs. The bicycle also records events such as unauthorized movement (theft alarm), which is communicated to you via the app. This IoT information is linked to you as a customer through the bicycle’s unique ID and your app account.
Correspondence and case information: The content of communications with us. If you contact customer service or make a complaint, we store the data you provide, such as a case description, photos or documentation you submit, and information we provide to you in the case. This may include personal data (e.g. contact data, health data if it occurs in a damage case, etc. — however, avoid sending sensitive data if it is not necessary).
Marketing preferences: Information on whether you have consented to newsletters, product recommendations via email, or other mailings. Also information about any preferences you have stated for marketing or which types of mailings you wish to receive.
Event and competition information: If you register for an event with us (e.g. cycling event, product demonstration, or trade fair) or participate in a competition, we collect the data necessary for administration. This may include name, contact data, any wishes you have stated (e.g. special diet at an event with refreshments), and data linked to your participation (e.g. jersey size in a cycling race, or a competition entry).
Technical data about your device and usage: When you visit our website or use our mobile app, we collect certain information automatically via cookies and similar technologies. This may include IP address, browser or device information, unique device identification number, and how you interact with our digital services (e.g. which pages are visited, clicks, and timestamps). More information is available in our cookie policy (see section 11 below).
We may gain access to personal data directly from you (e.g. when you fill in a form, place an order, or contact us) or indirectly through your use of our services (e.g. automatically via the website/app technology, the IoT device in the bicycle, etc.). In some cases we also obtain data from third parties: for example, from a retailer that sold you the bicycle, from payment intermediaries confirming a payment, or from public registers (e.g. address updates via the population register).
We process only the personal data necessary for the purposes described in this policy, and we strive to always have a lawful basis (see section 3) for all processing. You are not obliged to provide personal data, but if you choose not to do so, it may affect our ability to deliver the requested product or service (e.g. we cannot complete a purchase without necessary information, or provide IoT functions without data from the bicycle).
3. Purposes and Legal Basis for Processing
We process personal data for various purposes related to our products and services. Under the GDPR, all processing must be based on a so-called lawful basis (legal basis). This may be that the processing is necessary to perform a contract with you, to comply with a legal obligation, is based on our legitimate interest, or (in certain cases) on your consent. Below we describe the main purposes of the processing and which legal basis applies to each purpose:
Purchase and delivery of products
We process personal data in order to manage orders and purchases you make with us, whether online via Ecoride.com or in a physical store. This includes identifying you as a customer, receiving payment, delivering the bicycle or product to the correct address, and handling invoicing and payment confirmations. Information about your purchase history is also processed so that we can provide customer service (e.g. locate your order in case of questions) and fulfill warranty or complaint obligations related to the purchase.
Legal basis: Performance of a contract – the purchase agreement with you (the processing is necessary to deliver the product and administer the purchase). Certain processing (e.g. storage of invoice documentation) is also carried out due to a legal obligation (for example, the Accounting Act).
If you contact us for support, ask a question, or need to exercise your right to complain or claim a warranty, we use your personal data to identify you and your case, resolve the issue, and respond to you. This may involve using contact details to reply, order information to verify the purchase, and the data you provide about the issue. We may also need to process personal data to carry out returns, exchanges, or repairs, and in applicable cases coordinate with workshops or logistics partners.
Legal basis: Primarily contract (as it is considered necessary to fulfill our contractual obligations regarding support and complaint handling as part of the purchase). In some cases, we rely on legitimate interest – both your interest in receiving assistance and our legitimate business interest in providing good service and maintaining customer satisfaction. If processing is required by law (e.g. an obligation to handle a complaint under the Consumer Sales Act), a legal obligation also constitutes the legal basis.
For customers who use our app and IoT-connected bicycles, we process personal data to deliver the digital services associated with the bicycle’s smart functions. This means that we collect and analyze IoT data (see section 4) to display the bicycle’s position, status, and riding data in real time in the app, provide theft alarms in case of unauthorized movement and enable tracking if the bicycle is lost, show battery status and range, and send service reminders. Through the app, you can also book service with connected workshops, which requires us to share certain bicycle information with the selected service provider.
Legal basis: Contract – when you activate the IoT service (e.g. by subscribing to Ecoride Track or Safe), you enter into an agreement for this service, and the necessary data processing to provide the functions is based on that agreement. Certain elements may also be based on legitimate interest, for example our interest in improving product safety; however, we assess that the majority of IoT processing is directly linked to the provision of the service. If in the future we wish to use IoT data for any additional purpose beyond what is required for the service (e.g. analyzing personal usage patterns for marketing purposes), we would first obtain your consent.
(Note that anonymized data may be used for development and statistics – see section 5.)
We process your personal data to send newsletters, offers, product news, invitations to events, and similar marketing communications. This usually concerns your email address for digital newsletters, but may also include, for example, phone number for SMS or physical address for postal mailings, if you have provided these and consented to such communication.
Legal basis: Consent – we only send newsletters via email if you have explicitly opted in (e.g. by signing up via our form and confirming that you wish to receive our newsletter). You can withdraw your consent at any time by unsubscribing via the link in the emails or by contacting us.
In some cases, we may rely on legitimate interest for certain direct marketing, such as sending offers for similar products to our existing customers. In such cases, we perform a balancing test and assess that our legitimate interest in marketing relevant products to you outweighs the minimal impact on your privacy, especially since you always have a clear option to opt out of further communications. You always have an unconditional right to object to direct marketing (see section 9 on rights), and we will then cease such processing.
In connection with events that we organize (e.g. demo days, cycling tours, or trade fairs) or competitions, we process personal data to administer your participation. This includes registering sign-ups, sending information and reminders to participants before and after the event, and handling practical details (e.g. name lists at check-in, notifications to winners in competitions). We may also request feedback after the event, although this is voluntary.
Legal basis: Legitimate interest – if you have registered for an event, both you and we have a legitimate interest in your data being processed to carry out the event smoothly. In some cases, processing may also be considered necessary to perform a contract (e.g. if you purchase a ticket to an event, delivering the event service is part of the contract). We consider our use of your data for these purposes to be expected and beneficial to you as a participant. If we wished to use event participation information for any additional purpose (e.g. marketing unrelated products), we would base this on consent or inform you separately.
We continuously strive to improve our electric bicycles, the app, and our other services. Therefore, we may use collected data (including, for example, purchase history, feedback from customer service, and aggregated IoT data) to analyze trends and usage behavior, develop new functions, improve user experience, and make business decisions (e.g. regarding inventory management or which new models are in demand). We mainly use anonymized or aggregated data for analysis and development purposes, so that no conclusions can be linked to an individual person. If we ever need to review personal data at an individual level (e.g. logs) for troubleshooting or improvement, this is done to the greatest extent possible in a limited scope and only when necessary.
Legal basis: Legitimate interest – it is in our legitimate interest to evaluate and improve our products and services. This type of processing has low impact on your privacy since the results do not focus on you as an individual, and we take measures to pseudonymize or anonymize data as far as possible.
Finally, we may need to process personal data to comply with various legal requirements or authority decisions. This includes, for example, obligations under the Accounting Act to retain documentation of business transactions, obligations under product safety legislation to contact customers in case of safety notices or recalls, and to comply with authority requests (e.g. providing information in legal proceedings or in response to police inquiries). In addition, processing may take place to establish, exercise, or defend legal claims, for example if a dispute arises.
Legal basis: Legal obligation – where the law requires certain processing (we then follow the statutory time limits and procedures). When it comes to protecting our rights in disputes, etc., we rely on legitimate interest (being able to defend ourselves or enforce contractual terms).
Several of Ecoride’s newer electric bicycle models (e.g. Ambassador 4, Tripper 4) are equipped with IoT technology – sensors and a GPS unit integrated into the bicycle frame that enable internet connectivity. Together with our mobile application Ecoride Connect, this provides a number of smart functions for you as a customer, but it also means that certain data about the bicycle and its use is collected digitally. Below we describe how such bicycle data (IoT data) is handled:
Collection of IoT data
When you have an IoT-equipped bicycle and activate it in the app, the bicycle’s unit continuously collects data and transmits it in encrypted form to Ecoride’s database servers via the mobile network. The types of data collected have been mentioned above: primarily real-time position (GPS coordinates), bicycle movement (to detect, for example, theft), battery status (charge level, health), and trip statistics (such as distance and routes for your rides, as well as speed). In addition, the bicycle’s ID and technical status are recorded – the system can, for example, detect if any error code or service indicator has arisen in the bicycle’s electronics. All this data is linked to the bicycle’s unique IoT device and thus to you as the owner/user of the bicycle, as long as the bicycle is registered in the app.
Use of IoT data for services provided to you
The collected bicycle data is primarily used to provide you with the promised functions in the app. This means that on your phone you can see where your bicycle is located on a map in real time, check battery level and remaining estimated kilometers, view history of your previous rides (distance, time, average speed, etc.), and receive notifications – for example alerts in the app if the bicycle is moved without your knowledge (theft alarm). The IoT system also enables us to send service reminders, for example based on how far you have ridden we can indicate that it is time for a check-up. When you use the app to book service with one of our connected service partners, relevant information about the bicycle (e.g. model, any error codes, and service notes) will be shared with the workshop/partner you have selected so that they can prepare and provide fast and accurate assistance. This only occurs at your request in connection with booking the service.
Use of IoT data by Ecoride
Ecoride as a company also uses IoT data internally to improve your experience and increase security. If your electric bicycle is stolen and you wish to use the IoT functionality for tracking, you must yourself register this via logged-in mode on our website (www.ecoride.com). In order for us to handle the case, you must attach a copy of your police report. After verification, a theft report containing available GPS data is generated and sent to you. The data is also handled internally at Ecoride for support and follow-up. Furthermore, IoT data helps us understand bicycle performance and recurring issues, which can be used to improve product design and service intervals. Such analysis is mainly carried out at an aggregated level (see section 5 regarding anonymized insights).
Storage and protection
IoT information is stored in our secure cloud platform for IoT data. We ensure that communication and storage are protected through encryption and other security measures so that unauthorized parties cannot access your bicycle’s data. Only a limited number of people at Ecoride (e.g. technicians in the support team) and at our IT provider for the IoT system are authorized to access raw data, and only for system maintenance or to assist you in a specific case.
Customer control
You have control over the IoT function via the app. For example, if you sell your electric bicycle or for another reason want to disconnect it, you can deregister the bicycle from your account. The bicycle’s IoT device will then no longer be associated with you and we will cease processing its data as your personal data. (The data may then either be deleted or anonymized – see section 8 on retention periods.) The new owner can register the bicycle to their own account, creating a new association under that person’s account. If you terminate your IoT subscription (e.g. Ecoride Track or Safe), real-time monitoring will be disabled after the end of the subscription period. We may retain certain history for a short period after termination, but thereafter the data linked to you is deleted or anonymized.
Privacy considerations
We are aware that data such as GPS positions and movement patterns are sensitive from a privacy perspective. Such data is therefore processed with extra care. We do not share IoT raw data that can be linked to you with any external party without your explicit consent or assignment (except in specific circumstances such as authority orders in criminal investigations). All use of IoT information follows the purposes stated above and is carried out in accordance with applicable data protection regulations.
5. Extended Use of Anonymized Data (Statistics and Insights)
In addition to the individual use of IoT data for you as a customer, Ecoride also uses the collected data at an overall and anonymized level to generate valuable insights. This is done in cooperation with partners acting as data processors on our behalf for this purpose. Below we explain what this means:
Purpose of the extended data use
By analyzing large amounts of data from our connected bicycles, we can identify patterns and trends in how electric bicycles are used in different environments. Such insights can be valuable to external stakeholders such as municipalities, traffic planners, or research projects. For example, to produce statistics on average commuting distances by electric bicycle in urban areas, popular cycling routes in a region, average battery usage per season, or the effects of weather on cycling frequency – without revealing anything about individual users. This type of aggregated information can help third parties understand and promote cycling as a mode of transport (e.g. as a basis for better cycling infrastructure or charging infrastructure), while also providing Ecoride with business opportunities to offer data-driven insights.
Anonymization and aggregation
All personal IoT data used for this purpose is anonymized before being shared with any third party. Anonymization means that all direct or indirect identifying data (such as GPS tracks that could be linked to a specific person or bicycle) is removed or altered so that the individual can no longer be identified. We use technical methods to ensure that the dataset cannot be de-anonymized afterwards, and we combine data from many users so that reports only show aggregated statistics. For example, we may report that “The average commuter cycles X km per day in Gothenburg” or “During the past year, a total of Y kilometers were ridden on Ecoride bicycles in Stockholm,” but no personal details (such as where you cycled on a specific day) will be disclosed.
Sharing insights with third parties
Once the analysis has been completed, aggregated reports or dashboards may be shared with selected third parties, such as a municipality interested in cycling data for urban planning, or a cooperation partner within the transport sector seeking to understand micromobility patterns. Only anonymized and aggregated information is shared. Third parties therefore do not receive any raw data or individual-level information, only overall results. In many cases, the compiled insights are presented as statistics or graphs without any personal data at all.
Confidentiality and security
External partners assisting with this data analysis are bound by a data processing agreement and may only process the data in accordance with our instructions. The raw data handled by the partner during the analysis process (before full anonymization) is protected by the same high security measures as all other personal data at Ecoride. The partner may not retain or use the data for its own purposes, and all handling is logged and controlled. When anonymized datasets or reports are produced and shared onward, we ensure that they do not contain identifiers. If in any case there is doubt as to whether the information is sufficiently anonymized (e.g. if a dataset for a small locality risks identifying an individual), we will refrain from sharing such information or obtain additional consent where necessary.
In summary: By using our IoT functions, you anonymously contribute to general knowledge that can benefit society (e.g. better cycling infrastructure), but no external party will be able to link these insights to you as an individual. If you have questions or objections regarding this, you are welcome to contact us.
6. Recipients of Personal Data
Ecoride does not sell your personal data to third parties. However, we share certain data with partners and suppliers when required to operate our business and provide our products/services to you – or when we are legally obliged to disclose information. We ensure that all external parties who receive personal data protect it in accordance with applicable data protection legislation (through agreements and security routines). Below are the categories of recipients who may process your data:
Payment providers
To handle payments for our products, we use external payment services. For example, we cooperate with Qliro AB for invoice and installment payment services. If you choose invoice payment, certain information (name, contact details, personal identity number, and purchase amount) will be shared with Qliro, which in turn performs necessary credit checks and administers the payment. Card payments are also processed via payment gateways/banks (e.g. card networks or PayPal/Swish where applicable), which receive necessary transaction data. These parties are usually independent data controllers for their processing (e.g. a bank handles your card data under its own terms), but we only share what is required and they may not use the information for purposes other than completing the payment.
Delivery and logistics partners
If you order a bicycle or accessories for delivery to your home or a pickup point, we share your address and contact information with shipping companies/carriers that perform the delivery (e.g. DHL, PostNord, or similar transport services). They act as independent recipients of address data in order to fulfill the delivery and may contact you for notifications. We ensure that only relevant data (name, address, phone/email for notification, and possibly package content value for insurance/customs purposes) is disclosed.
IT and system providers
We use several IT systems for our website, e-commerce, customer management, IoT platform, email communications, etc. External providers may in this context gain access to personal data as data processors on our behalf. This includes, for example, our web hosting/platform that stores the webshop customer database, cloud services for data storage and backup, email and newsletter service providers (to send newsletters or transactional emails), and technical subcontractors who develop and maintain our app and IoT systems. These companies may only process your data according to our instructions and for the purposes we have specified (for example, the email provider may only use your email address to send the emails we ask them to send on our behalf). They are bound by data processing agreements that ensure appropriate security and confidentiality.
Data analysis partners
As described in section 5, we analyze IoT data through partner cooperation and generate anonymized insights. External partners act as data processors and are subject to the same strict agreements to protect the data. Within the framework of data analysis, they may have temporary access to raw IoT data, but they may not share or exploit the personal data for their own purposes. Only anonymized results are passed on from their systems to any third parties, in accordance with what has been described above.
Service partners and retailers
If you use services that involve authorized service partners or stores, some information sharing may take place. Example: When you book a service via the app or through our customer service at a workshop in our network, we share necessary data with that workshop (your name, contact details, bicycle model/ID, and relevant service history) so that they can perform the work. Similarly, if in a warranty case you prefer to handle it via a local retailer or store, we may exchange information about the purchase and the issue with that party to coordinate the action. These recipients (workshops/retailers) are usually independent data controllers for their customer handling, but we enter into cooperation agreements that include data protection commitments. They may only use the data to perform service or warranty obligations towards you, not for their own purposes (unless you yourself become their direct customer).
Authorities and legally required recipients
In some cases, we may need to disclose personal data to authorities, such as the Police Authority or the Swedish Tax Agency, if required by law. This may occur, for example, in legal proceedings (court orders requiring us to provide information) or in criminal investigations (if the police request data to investigate bicycle theft, we may need to provide GPS information following a lawful request, or if we must report fraud). We may also share information with insurance companies if relevant to an insurance case – for example, in connection with Ecoride Safe theft insurance, certain information may need to be exchanged with the insurer if a bicycle is stolen and is to be compensated. In all such cases, we ensure that there is a lawful basis and documentation for the disclosure.
All data processors who process data on our behalf (e.g. IT providers, data analysis partners) are subject to written agreements governing how they may process the data and requiring them to implement adequate security measures. We also require that sub-processors (if they engage their own subcontractors) follow the same rules. If any recipient is located outside the EU/EEA, see section 7 below on how we ensure protection in such cases.
7. Transfer of Data to Third Countries
Ecoride strives to handle and store personal data within the EU/EEA (European Union / European Economic Area) as far as possible, to ensure that your data is subject to the EU’s level of data protection. We always aim to process your personal data within the EU/EEA. The IT systems and services we use, including data storage (data centers), are located within the EU. We do not transfer your personal data to third countries (countries outside the EU/EEA).
8. Retention Periods for Different Data
We do not retain your personal data longer than necessary for each purpose. How long a data item needs to be stored depends on legal requirements and our needs to fulfill contracts or provide service. Once the data is no longer needed for its purpose, we delete or anonymize it so that it can no longer be linked to you. Below we outline our retention guidelines for different categories:
Purchase and customer data
Information related to your purchase (contact details, order history, receipt/invoice, warranty information) is stored for as long as you are an active customer with us and thereafter generally for three years after your last purchase. Three years is often regarded as the general complaint and warranty period under law and contractual terms, and retaining data for that period allows us to assist you with late complaints or questions. However, some data must be stored longer due to legal requirements – for example, the Accounting Act requires us to archive accounting information for at least seven years after the end of the financial year. This means that invoices, receipts, and documentation containing personal data (e.g. your name and address on an invoice) are retained in our financial archives for up to seven years.
Customer accounts
If you have created an account on our website (“My Ecoride”), we retain the data you have entered there (name, contact details, any settings) for as long as the account is active. If your account has been inactive for a long period, we may contact you and potentially delete the account if it is no longer needed. If you choose to close/delete your account yourself, we remove or anonymize the account data shortly thereafter (unless certain information must be retained under another section, e.g. purchase history in accounting records).
IoT and app data
Personal data linked to the IoT service (e.g. history of your bicycle and usage linked to you) is stored for the duration of your active IoT service and while it serves the purpose of displaying data and providing functions to you. If you terminate your IoT subscription or deregister the bicycle from the app, we will stop collecting new data from that bicycle on your behalf. We will thereafter delete or anonymize the personally linked historical IoT data within a relatively short period. Personal data directly linked to your specific use of the electric bicycle’s connected functions, such as GPS positioning and trip data, is stored for 12 months. Thereafter, the data is deleted or anonymized so that it can no longer be linked to you.
(Note that anonymized, aggregated data may be retained longer for statistics, as it no longer constitutes personal data – see section 5.)
If you do not activate the IoT function at all on a purchased bicycle, only basic data (e.g. the bicycle’s ID linked to your purchase/warranty) is stored, and no ongoing location or usage data is collected.
Communication with you (emails, chat logs, support cases, complaint cases) is stored for as long as it is relevant to handle your case and usually for some time thereafter so that we have a reference if you return. A general guideline is that ordinary customer service cases are stored for up to one year after the case has been closed, in case follow-up is needed. Complaint or warranty cases may be stored longer – at least for the product’s warranty/complaint period (e.g. three years from purchase or longer in case of extended warranty) – and sometimes up to ten years if the case relates to product liability claims (the limitation period for product liability is ten years). This is to allow us to defend ourselves against potential legal claims or to have documentation if similar defects arise and need investigation. Sensitive data (e.g. personal identity numbers in a credit check or health data you may have inadvertently provided) is deleted immediately when no longer needed for the case, so that it is not retained unnecessarily.
Marketing data
We retain your contact details for newsletters and marketing communications for as long as you are subscribed to our mailings. If you choose to unsubscribe from, for example, newsletters, we remove your email address from the mailing list immediately and you will no longer receive such emails. However, we may retain information about your original consent and unsubscribe for a certain period (often one year) if needed as evidence that we have complied with the law (this aligns with our legitimate interest in being able to demonstrate that we had permission to send emails until the unsubscribe). If we have not heard from you for a long time, we may also remove you from lists – for example, if email addresses bounce repeatedly or a campaign does not reach you. The same principle applies to phone numbers and postal addresses used for marketing: we use them until you inform us that you do not wish to be contacted or we determine that the number/address is no longer valid.
Event and competition data
Data about you in connection with events or competitions is retained during the event and for a reasonable period thereafter for follow-up. We normally delete participant lists and related personal data within a couple of months after the event has ended, unless they are needed longer. For example, we may retain a winner’s contact information a little longer to ensure that the prize has been delivered and for possible tax reporting of prizes, etc. In general, however, event data is deleted once the purpose (execution and evaluation) has been fulfilled.
After the above retention periods have expired, we delete the data securely so that it cannot be recreated or identified. In some cases, we anonymize data instead of deleting it, particularly if the information is valuable for statistics or development – but then without any link to individuals.
Exception – longer retention:
Please note that we may need to retain personal data longer than stated above in special situations, for example if there is an ongoing legal process, a warranty case, or a dispute where the data constitutes evidence or documentation. In such cases, we retain relevant data until the matter is fully resolved, even if this exceeds the normal retention periods. Retention may also be extended if you have ongoing communication with us (e.g. a quotation request that has not yet resulted in a purchase) – then we retain your data until it is reasonable to assume that you no longer wish to maintain contact. However, we always strive not to retain information longer than necessary.
As a data subject (i.e. a person whose data we process), you have a number of statutory rights to maintain control over your personal data. Below we explain these rights and how you can exercise them. You can contact us at any time (see section 1 for contact details) if you wish to invoke any right or have questions regarding your rights.
Right to information and access (so-called data subject access request)
You have the right to receive confirmation as to whether we process personal data relating to you, and if so, to receive information about which data it is and why we have it. You also have the right to receive a copy of the personal data we process about you. This is known as requesting a register extract. To protect your privacy, we will need to verify your identity before providing such an extract. Register extracts are free of charge once per 12-month period; for repeated requests we may charge an administrative fee as permitted by law. We aim to respond to your request as soon as possible, normally within one month.
Right to rectification
It is important that the data we have about you is accurate and up to date. If you discover that something is incorrect (e.g. misspelling of your name or a changed address) or incomplete, you have the right to request that we correct or supplement the data. We will then correct the information without undue delay. In some cases, we may need to verify accuracy (e.g. request documentation for a change) if it is unclear, but we generally rely on your own updates for contact information.
Right to erasure (“right to be forgotten”)
Under certain circumstances, you have the right to request that we delete personal data relating to you. This applies, for example, if the data is no longer necessary for the purposes for which it was collected, if the processing was based solely on your consent and you now withdraw that consent, if you object to processing based on legitimate interest and we have no overriding grounds to continue, or if we process your data unlawfully. If you want us to delete data, please contact us and specify what you want to be deleted. We will assess your request in accordance with the GDPR.
Please note that the right to erasure is not absolute – sometimes we cannot delete certain data immediately due to legal obligations to retain it or other valid grounds. For example, we cannot delete your purchase transactions as long as we are required to retain them under the Accounting Act, and we cannot delete information needed to defend a legal claim that you or someone else may have against us. We will inform you if this is the case and then restrict the use of the data in question to the necessary purpose. If we delete data at your request, we will inform you and ensure that it is no longer processed in any other way.
You have the right to request that we restrict the processing of your personal data in certain situations. This means that we temporarily “freeze” the use of the data so that we may only store it, not actively use it (except for defending legal claims or similar exceptions). You may request restriction if, for example, you believe the data we have is inaccurate (then you may want us not to use it until it has been corrected), or if you have objected to processing based on legitimate interest (then you may request restriction while we perform a balancing test). You may also obtain restriction if the processing is unlawful but you want us to retain the data (e.g. for a legal claim) instead of deleting it, or if we no longer need the data but you need it to establish, exercise, or defend a legal claim. If processing is restricted, we will inform you before the restriction is lifted.
Right to data portability
For personal data that you yourself have provided to us, and which we process based on your consent or to perform a contract with you, you have the right to receive such data in a structured, commonly used, machine-readable format. You also have the right to request that we transfer this data directly to another data controller (e.g. if you wish to switch to another service provider), where technically feasible. This right, known as data portability, makes it easier for you to reuse your data with other services. At Ecoride, this may be relevant, for example, for account data or IoT data that you yourself have generated. If you wish to exercise portability, let us know and we will assist you. Please note that the right applies to data processed by automated means (digitally) – not paper or manual records.
Right to object to processing
You always have the right to object to certain types of processing of your personal data.
Direct marketing:
You can at any time inform us that you do not want us to use your data for direct marketing (e.g. newsletters, offers, customer surveys, etc.). If you object to marketing, we will immediately cease using your data for that purpose. This is an absolute right – you do not need to provide any reason for the objection, and we may not continue marketing to you after you have said no. (Note that unsubscribing from newsletters via the link in the email is an easy way to exercise this right.)
Legitimate interest:
If we process your data based on legitimate interest (see section 3 for such cases), you have the right to object to the processing if you have personal reasons related to your situation. We must then conduct a new assessment and demonstrate compelling legitimate grounds to continue the processing – grounds that override your interests, rights, and freedoms – otherwise we must stop the processing. In practice: if you believe that our use of your data based on a balancing of interests affects your privacy too much, contact us and explain why, and we will review it.
(Direct marketing is excluded from interest balancing, as the absolute right to object applies there, see above.)
Where we base processing on your consent (e.g. sending newsletters, or if in the future we request your consent for new data uses), you have the right to withdraw your consent at any time. Withdrawing consent means that we stop the processing that was based on the consent. It is as easy to withdraw consent as it was to give it – for example, you can click “unsubscribe” in an email newsletter to withdraw consent, or change a selection you made in the app’s settings. Once consent is withdrawn, we will delete or anonymize the personal data that was processed solely on that basis and, of course, stop collecting such data.
Please note: If the same data is also processed on other grounds, it may remain with us for that purpose even after consent-based use has ceased (e.g. if you withdraw consent for marketing, we remove you from marketing lists, but your address may remain in order history because we need it for contract/legal purposes). Withdrawal of consent does not affect the lawfulness of processing already carried out, and it may affect our ability to provide certain services (e.g. if you do not consent to IoT tracking, you cannot use that function).
If you believe that we have processed your personal data in a way that violates the GDPR or other data protection law, you have the right to lodge a complaint with the responsible supervisory authority. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (IMY) (formerly the Data Inspection Board). You can contact IMY via their website imy.se for instructions on how to file a complaint. Of course, we appreciate it if you first contact us with any concerns – we take your feedback very seriously and try to correct any mistakes – but it is your legal right to involve IMY at any time. If you live in or are located in another EU country, you may also contact the supervisory authority there.
We will help you exercise your rights free of charge. If for any reason we cannot fulfill your request (e.g. for legal reasons), we will provide you with an explanation. We strive to respond within one month of receiving your request, but where necessary we may extend the time by an additional two months (in which case we will inform you of the delay).
10. Security of Your Personal Data
Ecoride takes information security very seriously. We implement both technical and organizational security measures to protect the personal data we process against unauthorized access, loss, alteration, or disclosure. Below are some key measures we have implemented:
Restricted access
Only authorized employees at Ecoride (and at our trusted IT partners) who need the information to perform their work duties have access to personal data. We have internal authorization controls and role-based access, meaning that only staff working, for example, in customer service can access customer registers, the finance department can access invoicing data, etc. All employees are trained to handle personal data responsibly and are bound by confidentiality agreements. If an employee leaves or changes role, access is removed or adjusted immediately.
Encryption and pseudonymization
Sensitive personal data (e.g. passwords, payment information, GPS data transmission) is protected by encryption during transmission and storage where possible. This means that the data is rendered unreadable to unauthorized parties. Our website uses HTTPS/SSL for secure connections (which you can see via the padlock in the browser), so that information you submit via forms cannot be intercepted. Communication between the IoT device and the server is also encrypted. We pseudonymize data in our internal systems where possible – for example, analysis data may be stored using customer IDs instead of names to reduce direct identifiability.
Firewalls and network security
We protect our servers and systems using modern firewalls, antivirus software, and intrusion detection systems. These help prevent and detect unauthorized intrusion attempts. Our cloud service providers also have robust security measures and 24/7 monitoring.
Secure development and testing
When we develop our app, website, or other IT systems, we follow the principles of data protection by design and by default. This means that we consider privacy from the design stage (e.g. not collecting more data than necessary, building in features for user control over data, etc.). We test new functions in secure test environments using anonymized test data, so that real personal data is not unnecessarily exposed during development work.
Continuous risk assessment
We regularly assess the risks associated with our processing of personal data and update our security measures as needed. Technology evolves and threat landscapes change, so we periodically review our procedures, conduct penetration tests of systems, and keep up to date with recommendations from authorities such as IMY and the Swedish Civil Contingencies Agency (MSB) regarding IT security.
Incident management
Despite all precautions, no security solution can guarantee 100% protection. Therefore, we have an incident management plan in case something unexpected occurs. If a security incident involving personal data (a so-called personal data breach) occurs – for example data loss or unauthorized access – we will act promptly to limit the incident, investigate what happened, and prevent similar events in the future. We document all incidents. In the event of serious incidents that pose risks to you as a data subject, we will inform you and report the incident to IMY within 72 hours in accordance with GDPR requirements.
Supplier security
When we engage external IT suppliers, we also impose strict requirements on their security practices. Data processing agreements specify that they must implement adequate technical and organizational safeguards. We verify that major suppliers have relevant certifications (e.g. ISO 27001 for information security or similar) where applicable. If any supplier reports a vulnerability or incident affecting our data, we cooperate closely with them to ensure protection.
In short, your data is processed with confidentiality, integrity, and availability in mind. If you have specific questions about our data security, you are welcome to contact us, but for security reasons we cannot share all details of our safeguards (as doing so could itself benefit malicious actors). However, you should be able to feel confident entrusting us with your personal data – protecting it is a core part of our operations.
11. Cookies and Tracking Technologies
On our website ecoride.com, we use cookies and similar technologies to provide you with a good and personalized experience. Cookies are small text files stored on your device (computer, mobile phone, etc.) when you visit the website. They help with basic functions such as shopping cart and login, and they can also be used to analyze traffic and remember your preferences.
We have a separate Cookie Policy that describes in detail which cookies we use, their purposes, which third parties are involved, and how you can manage your cookie settings. We refer you to that policy for full information. You can change or withdraw your consent for non-essential cookies at any time via the settings provided on the website (e.g. through our cookie banner/tool).
Please note that some cookies are necessary for the webshop to function (e.g. keeping you logged in or remembering that a product has been added to the cart), and these are set based on legitimate interest/statutory exceptions. Other, non-essential cookies (e.g. for analytics or personalized marketing) are only set with your consent as required by law. When you visit ecoride.com for the first time, we ask for your consent for the different cookie categories.
For more information, see Ecoride’s Cookie Policy (available via our website or by clicking “Cookies” at the bottom of the page).
12. Changes to This Policy
This privacy policy may be updated from time to time, for example due to changes in our processing of personal data or changes in legislation. We reserve the right to make changes to the policy, but in the case of major or significant changes we will inform you clearly.
How you are notified of changes
Minor adjustments to the policy text (that do not significantly affect your rights or our obligations) may be implemented by publishing the updated policy on our website. The date of the latest update will then be changed at the top or bottom of the policy.
For more substantial changes – for example if we start collecting new types of data or change how/why we use your data – we will notify you in advance via appropriate channels. This may be through an email to you (if you are a customer and we have your email address), a pop-up notification when you visit our website, and/or via the app. This gives you the opportunity to review the changes and raise objections or terminate a service if you do not agree to the new terms (to the extent that processing is based on consent).
We always indicate in the policy when it was last updated. The version you are currently reading was last updated as stated below. Older versions can be provided upon request if you wish to compare changes.
By continuing to use our services after an updated privacy policy has entered into force, you are deemed to have taken note of it. We nevertheless recommend that you review our policy from time to time to stay informed about how we protect your privacy.
If you have questions about this policy or how Ecoride AB handles your personal data, please do not hesitate to contact us at info@ecoride.com or +46 744 10 22 12. We appreciate your trust and do our utmost to live up to it through responsible handling of your data.
Last updated: 2026-02-01