
Privacy Policy

This document explains how Bonebios collects, uses, stores, and protects personal data when you visit bonebios.world or interact with our educational services.

Last updated:

1. Data Controller Information

The data controller responsible for processing your personal data is Bonebios, located at Hamngatan 27, 111 47 Stockholm, Sweden. You may contact our data protection representative at hello@bonebios.world or by telephone at +46 8 411 29 70 during business hours, Monday through Friday, 09:00 to 17:00 CET.

As the data controller, we determine the purposes and means of processing personal data collected through our website, contact forms, educational program enrollments, and cookie technologies. We are committed to complying with the General Data Protection Regulation (GDPR), the Swedish Data Protection Act (Dataskyddslagen), and other applicable international privacy legislation.

2. Scope of This Policy

This Privacy Policy applies to all personal data processed by Bonebios in connection with:

  • Visits to our website at bonebios.world
  • Submissions through our contact form
  • Enrollment in educational programs, workshops, and consulting services
  • Communication via email, telephone, or in-person visits to our Stockholm office
  • Cookie and similar tracking technologies deployed on our website
  • Newsletter subscriptions and marketing communications where consent has been provided

This policy does not apply to third-party websites linked from our pages. We encourage you to review the privacy policies of any external sites you visit.

3. Categories of Personal Data We Collect

3.1 Data You Provide Directly

When you interact with our services, you may voluntarily provide the following categories of personal data:

  • Identity data: Full name, title, and preferred form of address
  • Contact data: Email address, telephone number, postal address
  • Communication data: Content of messages submitted through our contact form or email correspondence
  • Program data: Preferences related to herbal tea education, workshop selections, and blending consultation requests
  • Consent records: Documentation of your GDPR consent choices and cookie preferences

3.2 Data Collected Automatically

When you browse our website, certain technical data may be collected automatically through cookies and server logs:

  • Technical data: IP address, browser type and version, operating system, device type
  • Usage data: Pages visited, time spent on pages, referral source, click patterns
  • Location data: Approximate geographic location derived from IP address (country and city level)

Automatic data collection occurs only when you have provided consent for analytics and marketing cookies, except for strictly necessary cookies required for basic website functionality.

4. Legal Basis for Processing

We process personal data only when a valid legal basis exists under Article 6 of the GDPR:

  • Consent (Article 6(1)(a)): For analytics cookies, marketing communications, and newsletter subscriptions. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Contract performance (Article 6(1)(b)): To respond to inquiries, deliver educational programs, and fulfill consulting agreements you have entered into with us.
  • Legitimate interests (Article 6(1)(f)): To improve our website, ensure security, prevent fraud, and analyze aggregated usage patterns. We balance our interests against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): To comply with accounting, tax, and regulatory requirements under Swedish law.

5. Purposes of Data Processing

We use personal data exclusively for the following purposes:

  • Responding to contact form submissions and email inquiries about our educational content
  • Administering enrollment in workshops, courses, and personalized blending consultation programs
  • Processing payments and issuing invoices for paid educational services
  • Sending service-related communications such as workshop confirmations and schedule updates
  • Analyzing website usage to improve content quality and user experience (with consent)
  • Delivering marketing communications about programs and events (with consent)
  • Maintaining website security and preventing unauthorized access
  • Fulfilling legal and regulatory obligations including record-keeping requirements

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

6. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Contact form submissions: Retained for 24 months from the date of submission, unless an ongoing correspondence relationship exists
  • Program enrollment records: Retained for 5 years after program completion for quality assurance and dispute resolution
  • Financial and invoicing records: Retained for 7 years in accordance with Swedish accounting legislation (Bokföringslagen)
  • Marketing consent records: Retained for the duration of consent plus 3 years for compliance documentation
  • Server logs and analytics data: Retained for 12 months, then anonymized or deleted
  • Cookie consent preferences: Stored locally on your device until you clear browser data or change preferences

When retention periods expire, data is securely deleted or irreversibly anonymized.

7. Data Sharing and Third Parties

We do not sell personal data to third parties. Data may be shared with the following categories of recipients when necessary:

  • Service providers: Hosting providers, email delivery services, payment processors, and analytics platforms that process data on our behalf under data processing agreements
  • Professional advisors: Legal counsel and accountants bound by confidentiality obligations
  • Public authorities: When required by law, court order, or regulatory request

All third-party processors are located within the European Economic Area or provide adequate safeguards such as Standard Contractual Clauses approved by the European Commission.

8. International Data Transfers

Our primary data processing occurs within Sweden and the European Union. If data is transferred outside the EEA, we ensure appropriate safeguards are in place, including adequacy decisions, Standard Contractual Clauses, or binding corporate rules. You may request information about specific transfer mechanisms by contacting us at hello@bonebios.world.

9. Security Measures

We implement technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

  • HTTPS encryption for all data transmitted between your browser and our servers
  • Access controls limiting personal data access to authorized personnel on a need-to-know basis
  • Regular security assessments of our hosting infrastructure and applications
  • Employee training on data protection principles and incident response procedures
  • Encrypted storage for sensitive data categories where technically feasible
  • Documented incident response plan for personal data breaches

While we strive to protect your data, no method of electronic transmission or storage is completely secure. We encourage you to use strong passwords and exercise caution when sharing personal information online.

10. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

  • Right of access (Article 15): Request confirmation of whether we process your data and obtain a copy
  • Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data
  • Right to erasure (Article 17): Request deletion of your data when no compelling reason exists for continued processing
  • Right to restriction (Article 18): Request limitation of processing under certain circumstances
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: Withdraw previously given consent at any time without detriment
  • Right to lodge a complaint: File a complaint with Integritetsskyddsmyndigheten (IMY), the Swedish Authority for Privacy Protection, at imy.se

To exercise any of these rights, contact us at hello@bonebios.world. We will respond within 30 days, extendable by two additional months for complex requests with prior notification.

11. Children's Privacy

Our website and services are directed at adults interested in herbal tea education. We do not knowingly collect personal data from individuals under 16 years of age without parental consent. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated through a notice on our website. The date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

13. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact:

Bonebios
Hamngatan 27, 111 47 Stockholm, Sweden
Email: hello@bonebios.world
Phone: +46 8 411 29 70