Data Policy

Privacy Policy

Effective date: 4 November 2026
Company: Antioch in Focus
Website: antiochinfocus.com

Note to publisher: Placeholders marked [ ] below must be filled in before publication. Leaving them blank means the policy does not meet GDPR Article 13 identification requirements or the disclosure requirements under the Swedish E-handelslagen (2002:562) § 8.

1. Data Controller

Antioch in Focus is operated as an enskild näringsidkare (sole trader) registered with Skatteverket. The data controller for the personal data described in this Privacy Policy is:

As Antioch in Focus is operated as an enskild näringsidkare, the trader's personal identity number (personnummer) serves the function of an organisation number under Swedish law. To protect the trader's personal integrity, the full identity number is not published on the website. It is provided on request to the extent required by applicable law, including to consumers, counterparties with a legitimate interest, and authorities.

We have assessed that we are not required to appoint a Data Protection Officer under GDPR Article 37. For privacy-related questions please use the privacy contact above.

2. Scope of This Policy

This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal data when you:

  • visit antiochinfocus.com

  • place an order or create an account

  • request a return, refund, or complaint handling

  • contact us through any channel

  • sign up for marketing communications or our newsletter

  • leave a review or testimonial

  • interact with cookies or similar technologies on our website

  • engage with our pages on third-party platforms (e.g. social media) where we operate as controller

This policy does not cover the independent processing carried out by third parties (such as payment providers, shipping carriers, or social media platforms) in their own capacity as controllers. Their processing is governed by their own privacy notices.

3. A Note on Sensitive Data and the Nature of Our Products

We sell religious items (Christian Orthodox icons). Under GDPR Article 9, religious beliefs are special category personal data subject to stricter rules.

We want to be clear about our position:

  • We do not infer religious beliefs from purchase data. A purchase from our website does not, and will not, be treated by us as disclosure of a customer's religious beliefs. Customers include collectors, gift-buyers, academics, institutions, and persons of many faiths or none.

  • We do not use religious or belief-based profiling for marketing or segmentation.

  • We do not require you to share sensitive data to purchase from us. Please do not include in your messages to us information revealing health, religion or belief, political opinions, trade-union membership, racial or ethnic origin, sexual orientation, biometric or genetic data, or similar special categories, unless it is strictly necessary for your request.

  • If you voluntarily provide special category data (for example, in a message describing the purpose of a commission), we will process it only to handle your request, and only on the basis of your explicit consent under GDPR Article 9(2)(a), or on another lawful basis under Article 9 where applicable.

4. Personal Data We Collect

Depending on how you use the website and our services, we may collect the following categories of personal data.

4.1 Identity and Contact Data

Name; billing address; shipping address; phone number; email address; any other contact details you provide.

4.2 Order and Transaction Data

Order number; products purchased; purchase date; amount paid; currency; payment status; payment method type; delivery method and tracking; return, refund, and complaint history.

4.3 Payment Data

Payments are processed by our payment service provider(s). Full card numbers and equivalent payment credentials are handled by the payment provider as an independent controller and are not stored on our systems. We receive only the information necessary to confirm, reconcile, and administer the transaction (for example: transaction ID, last four digits of the card, cardholder name, approval status).

4.4 Account Data (Where Applicable)

If you create a customer account: username; hashed password; saved addresses; order history; saved preferences.

4.5 Technical and Usage Data

IP address; browser type and version; device type and identifiers; operating system; language settings; time zone; pages visited and timestamps; referral source; session data; cookie identifiers and similar online identifiers.

4.6 Communication Data

Messages you send through our forms, email, or other contact channels; customer service history; information and attachments provided in return or complaint requests.

4.7 Marketing and Preference Data

Newsletter subscription status; consent records; opt-out history; stated preferences; interaction with marketing emails (opens and clicks, where measured under a valid legal basis).

4.8 Reviews and User-Generated Content

Content of any review, testimonial, rating, or comment you submit, together with the name or display name you choose to publish with it.

4.9 Fraud Prevention Data

Where relevant: address validation results; payment provider fraud signals; unusual order patterns; IP reputation data.

5. Purposes of Processing

We process personal data only for specific and legitimate purposes.

5.1 Order Fulfilment

Receiving and confirming orders; processing payment; preparing, packing, and shipping goods; providing delivery updates; administering returns, refunds, and complaints.

5.2 Customer Service

Answering questions; handling support requests; resolving issues relating to purchases, delivery, or returns.

5.3 Account Management

Where you hold a customer account: authenticating you; maintaining your account; enabling you to view your order history and manage your preferences.

5.4 Legal and Regulatory Compliance

Complying with accounting and bookkeeping rules under Swedish law (Bokföringslagen); complying with consumer law obligations; documenting refunds, disputes, and legal claims; complying with lawful requests from authorities; handling VAT, tax, and customs obligations.

5.5 Business Protection and Security

Detecting and preventing fraud; securing the website against attack; investigating misuse of our services; establishing, exercising, or defending legal claims.

5.6 Website Improvement and Analytics

Understanding how the website is used; improving navigation, performance, and design; fixing errors and technical issues. Where analytics cookies are used, this processing takes place only after consent.

5.7 Marketing

Sending newsletters and marketing communications where you have subscribed, or where we are otherwise permitted under applicable law (for example, to existing customers for similar goods, in line with the soft opt-in rules under Swedish marketing law). You can opt out at any time.

5.8 Reviews and Testimonials

Publishing and administering reviews or testimonials you submit.

6. Legal Bases for Processing

We rely on one or more of the following legal bases under GDPR Article 6 (and, where relevant, Article 9).

6.1 Performance of a Contract (Article 6(1)(b))

Taking and processing orders; accepting payment; shipping products; handling statutory returns and refunds; account management; communicating about your purchase.

6.2 Legal Obligation (Article 6(1)(c))

Bookkeeping and accounting (Swedish Bokföringslagen); consumer law obligations; tax and customs obligations; responses to lawful requests from authorities.

6.3 Legitimate Interests (Article 6(1)(f))

Where necessary for our legitimate interests and not overridden by your rights and freedoms. This covers:

  • customer service beyond what is strictly contract-necessary

  • fraud prevention and network/information security

  • internal administration and business records

  • limited service improvement and business analytics (non-cookie based, or where cookies are not required)

  • direct marketing to existing customers of similar goods, where permitted by law

  • defending and enforcing legal claims

You have the right to object to processing based on legitimate interests (see section 11). On request, we will provide a summary of our balancing assessment (legitimate interests assessment) for the relevant processing.

6.4 Consent (Article 6(1)(a), and Article 9(2)(a) for any special category data)

Used for:

  • optional cookies (see our Cookie Policy)

  • newsletter and marketing communications where required

  • processing of any special category data you voluntarily provide

  • publication of reviews or testimonials under your name

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawing consent is as simple as giving it.

7. Who We Share Data With

We do not sell personal data.

We share personal data only where necessary, with the following categories of recipients:

7.1 Payment Service Providers

To process payments, refunds, and fraud checks. These providers normally act as independent controllers for their own compliance, fraud, and anti-money-laundering purposes.

7.2 Shipping and Logistics Providers

To deliver orders and handle returns and delivery issues. These providers act as independent controllers for their own transport and logistics obligations.

7.3 IT, Hosting, and Website Service Providers

To host, maintain, secure, operate, and back up the website and related systems. These providers act as processors on our behalf.

7.4 Email, Marketing, and Review Platform Providers

To send transactional and marketing emails, and to host reviews. Processor or separate controller status depends on the provider.

7.5 Analytics and Cookie Technology Providers

To measure traffic and improve the website, where permitted and — when required — after your consent. Some of these may involve joint controllership (see section 7.7).

7.6 Professional Advisers and Authorities

Accountants, auditors, lawyers, insurers, and authorities (such as the Swedish Tax Agency, IMY, or courts) where necessary for legal, regulatory, tax, accounting, or dispute-related purposes.

7.7 Joint Controllers

Where we embed certain third-party services (for example, social media pixels or measurement tools), we may act as a joint controller with the relevant provider for specified processing. We make a summary of the essence of any such arrangement available on request.

7.8 Business Transfers

In the event of a reorganisation, transfer, or sale of the business, personal data may be transferred to the successor, subject to this Privacy Policy.

Where a third party processes personal data strictly on our behalf and under our instructions, a written data processing agreement under GDPR Article 28 is in place.

8. International Transfers

Some service providers may process personal data outside Sweden or the EU/EEA.

Where personal data is transferred outside the EU/EEA, we take appropriate safeguards as required by GDPR Chapter V, which may include:

  • an adequacy decision by the European Commission; or

  • Standard Contractual Clauses (SCCs) approved by the European Commission, combined with supplementary technical, organisational, or contractual measures where necessary following the Schrems II judgment; or

  • another lawful transfer mechanism under Articles 46–49 of the GDPR.

You may request a copy or summary of the transfer safeguards for a specific recipient category through antiochinfocus.com/contact.

9. Retention Periods

We keep personal data only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law or is necessary to establish, exercise, or defend legal claims.

9.1 Orders, Invoices, and Accounting Records

Retained for 7 years after the end of the calendar year in which the relevant financial year ended, as required by the Swedish Bokföringslagen.

9.2 Customer Service, Return, and Complaint Data

Retained for the duration of the matter and then for a further 3 years after closure, reflecting the statutory consumer claim period under Konsumentköplagen. Data referenced in accounting records follows section 9.1.

9.3 Customer Account Data

Retained for as long as your account remains active, plus a further 12 months of inactivity, after which the account may be closed and the data deleted or anonymised — except data retained for legal reasons under section 9.1.

9.4 Marketing and Newsletter Data

Retained until you unsubscribe or withdraw consent, plus a suppression record retained indefinitely for the sole purpose of honouring your opt-out. Engagement data (opens, clicks) is retained for up to 24 months from collection.

9.5 Technical, Analytics, and Cookie Data

Retained per cookie duration as described in the Cookie Policy and the settings of the relevant tool. Server log data is retained for up to 12 months for security and diagnostic purposes, except where investigation of an incident requires longer retention.

9.6 Fraud Prevention Data

Retained for up to 3 years from the relevant order or event, or longer if required for investigation or the defence of legal claims.

9.7 Reviews and Testimonials

Retained for as long as the review is published. You may request removal at any time under section 11.

10. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or misuse. These include, as relevant:

  • encryption in transit (TLS/HTTPS)

  • encryption at rest for sensitive stores where applicable

  • access controls and authentication

  • logging and monitoring

  • supplier due diligence and written data processing agreements

  • confidentiality obligations for anyone acting on our behalf

  • regular review of security measures

No website or internet transmission is completely secure, and we cannot guarantee absolute security.

Personal Data Breaches

If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.

11. Your Rights

Subject to the conditions in the GDPR, you have the right to:

  • Access — obtain confirmation of processing and a copy of your personal data (Article 15)

  • Rectification — request correction of inaccurate or incomplete data (Article 16)

  • Erasure — request deletion of your personal data where the conditions apply (Article 17)

  • Restriction — request restriction of processing (Article 18)

  • Data portability — receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller where applicable (Article 20)

  • Object — object to processing based on legitimate interests, including profiling (Article 21)

  • Object to direct marketing — an absolute right, at any time, free of charge

  • Withdraw consent — at any time, without affecting prior lawful processing

  • Not be subject to solely automated decisions that have legal or similarly significant effects (Article 22)

  • Lodge a complaint with a supervisory authority (section 12)

How to Exercise Your Rights

Submit your request through antiochinfocus.com/contact. We may need to verify your identity to protect your data — in that case, we will ask for the minimum necessary information.

Our Response

We will respond without undue delay and in any event within one month of receiving your request. Where the request is complex or we receive a high volume of requests, we may extend this by up to a further two months, and will inform you of the extension and its reasons within the first month.

Requests are free of charge. For manifestly unfounded or excessive requests (in particular, repetitive ones), we may charge a reasonable fee or refuse the request in accordance with GDPR Article 12(5).

12. Complaints

If you believe your personal data is being processed incorrectly, please contact us first so we can try to resolve the issue.

If you remain dissatisfied, you have the right to lodge a complaint with a supervisory authority — in particular, the supervisory authority of the EU/EEA member state of your habitual residence, place of work, or where the alleged infringement occurred.

The Swedish supervisory authority is:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Telephone: +46 (0)8 657 61 00
Email: imy@imy.se
Website: imy.se

13. Children

Our website and products are not directed specifically to children. In Sweden, the age threshold for a child's own consent to information society services offered directly to children is 13 years, under the Swedish implementation of GDPR Article 8.

We do not knowingly collect personal data from children under 13 without the consent of a holder of parental responsibility. If you believe a child has provided us with personal data without appropriate consent, please contact us and we will take reasonable steps to delete it.

14. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you.

Certain fraud prevention tools operated by our payment providers may involve automated risk scoring. These tools inform, but do not solely determine, order acceptance; a manual review is possible in borderline cases. For more information on specific provider practices, please consult the relevant provider's privacy notice.

15. Sources of Data

We collect personal data primarily from you directly. We may also receive data from:

  • payment service providers (transaction outcomes and fraud signals)

  • shipping providers (delivery status and related events)

  • publicly accessible sources, where necessary to validate information you have provided

  • third parties acting on your instructions (for example, a person placing a gift order to be delivered to you)

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The version published on antiochinfocus.com at the relevant time applies to ongoing processing.

Where changes are material, we will take reasonable steps to bring them to your attention in advance (for example, by email notice to subscribers or by a prominent website notice).

17. Contact

For privacy questions or requests concerning your personal data: antiochinfocus.com/contact

Cookie Policy

Effective date: 4 November 2026

1. What Cookies Are

Cookies are small text files stored on your device when you visit a website. Similar technologies are also covered by this policy and include pixels, tracking tags, scripts, software development kits (SDKs), device fingerprinting techniques, and browser-based local or session storage.

For simplicity, this policy refers to all of these as cookies.

Cookies may help the website function, remember your choices, analyse site usage, and — where applicable — support marketing.

2. Legal Framework

Our use of cookies is governed by:

  • the Swedish Lag om elektronisk kommunikation (LEK), which implements the EU ePrivacy Directive and governs the storage of and access to information on user devices; and

  • the GDPR, which governs any personal data processed by or through cookies.

Under LEK, cookies may only be stored on, or read from, your device after you have received clear information and — for non-essential cookies — given your consent.

3. Categories of Cookies We Use

3.1 Strictly Necessary Cookies

Required for the website to function or to deliver a service you have explicitly requested. Uses include:

  • shopping cart and checkout functionality

  • security and fraud prevention

  • load balancing

  • user session management

  • saving your cookie and privacy choices

These cookies do not require consent, but we inform you of their use.

3.2 Preference Cookies

Remember choices you make, such as language, region, display settings, or other user preferences. These are optional unless strictly necessary for a feature you have requested.

3.3 Analytics Cookies

Help us understand how visitors use the website — which pages are visited, how visitors move around the site, session duration, and technical errors — so we can improve performance and user experience.

These cookies are activated only after your consent.

3.4 Marketing Cookies

May be used to measure campaign performance, show relevant marketing, track visitors across websites, and build audience segments for advertising.

These cookies are activated only after your consent.

4. Legal Basis for Cookies

  • Strictly necessary cookies — used on the basis that they are technically required to provide a service you have explicitly requested (LEK and GDPR Article 6(1)(f) or (b), as applicable).

  • All other cookies — used only on the basis of your consent (LEK and GDPR Article 6(1)(a)).

5. How You Can Manage Cookies

You can manage your cookie preferences through our cookie banner or the cookie settings tool available on the website. Rejecting non-essential cookies is as easy as accepting them, and you can change or withdraw your consent at any time through the cookie settings tool.

You can also block or delete cookies through your browser settings. Most browsers (Chrome, Firefox, Safari, Edge, and others) allow you to view, block, and delete cookies through their privacy or settings menus. Consult the help pages of your browser for current instructions.

If you block strictly necessary cookies, parts of the website may not function correctly.

6. Third-Party Cookies

Some cookies are placed by third parties that support payment, analytics, embedded content, advertising, or other website functionality. These providers process personal data in accordance with their own privacy notices and legal responsibilities.

Where a third-party cookie involves joint controllership (for example, certain social media measurement pixels), we disclose this in section 7.7 of the Privacy Policy and make a summary of the arrangement available on request.

7. Do Not Track and Global Privacy Control

Web browsers may transmit a "Do Not Track" (DNT) signal or a Global Privacy Control (GPC) signal. There is no common industry standard for responding to DNT signals. Where technically feasible and required by law, we treat a GPC signal as a valid signal to reject non-essential cookies.

8. Changes to This Cookie Policy

We may update this Cookie Policy from time to time. The version published on antiochinfocus.com at the relevant time applies.

9. Contact

For questions about our use of cookies: antiochinfocus.com/contact