We care about your privacy and want you to feel safe with how we at Ellos Group process your personal data. In this privacy policy, we explain how we process your personal data when you visit our website ellosgroup.com or our premises. In this policy you can find out about what personal data we collect, how we use it, your rights and what measures we take to ensure that it is processed in a secure manner.

This policy does not include information regarding how we process personal data regarding our customers or visitors at our e-commerce websites (Ellos, Jotex, Homeroom and Elpy). How we process such personal data is to be found at each respective e-commerce website. 
 

1. DATA CONTROLLER

   When you visit our website ellosgroup.com or premises, Ellos Group Sweden AB. reg. no. 556217-1925, Ödegärdsgatan 6, 504 64 Borås, Sweden ("Ellos Group") will process your personal data. The terms "we, our, ours and us" below refer to Ellos Group.

    

2. DEFINITIONS

   Our processing of personal data is governed by the EU's General Data Protection Regulation (GDPR) and other laws and regulations. The personal data policy therefore contains certain concepts that come from law. In order for you to have the opportunity to understand the personal data policy, we would like to explain in particular some of the terms that appear in the text. If you have any questions, please feel free to contact us using the contact details in section 8 below.

   "Personal data" means any information that can directly or indirectly identify you as a natural person. The personal data policy describes in more detail the types of personal data we process for different purposes.

   "Data Controller" means the person who decides why and how personal data is to be processed, and is the person responsible for ensuring that the processing takes place in accordance with law. It is Ellos Group as an organisation that is the data controller and not individuals working within Ellos Group.

   "Processing" means any processing of personal data, such as collection, recording, structuring, storage, processing, modification, transfer or reading. The treatment is usually done automatically in a system.

   "Legitimate interest" means an interest that Ellos Group pursues in its business and that is legally acceptable. The privacy policy describes in more detail the cases in which we process personal data to achieve our legitimate interests.

    

3. HOW WE PROCESS YOUR PERSONAL DATA

   3.1. When you visit ellosgroup.com

   Below you will find more information about the purposes for which we use your personal data, what the legal basis is and how long we keep your data when you visit our website.

   Some of the personal data that we process about you when you visit the website is collected through cookies. You can read more about how we use cookies in our cookie policy Cookie Policy | ELLOS Group

   3.1.1. Ensuring website functionality, optimizing our websites, following up visitor statistics and improving your experience of our websites
   Description	Personal data processed	Legal basis
   Provide necessary features on our websites, analyse how you interact with us on our websites and customise our websites according to your preferences and settings.	From you:  IP address, information about the hardware and software you use, browser settings, time zone.	Consent
   Retention: The retention time varies depending on the cookies set in your browser. Please see our Cookie Policy for more information.

   3.2. When you subscribe to our press releases or other news  

   If you subscribe to our press releases and news, we will process your personal data in order to provide you with the relevant subscription service. 
   Below you will find more information about the purposes for which we use your personal data, what the legal basis is and how long we keep your data when you subscribe to our press releases and other news.  

   3.2.1. Subscription services
   Description	Personal data	Legal basis
   Send you the e-mail that you have subscribed to.	From you: e-mail address	Consent
   Retention: The data is deleted 90 days after your withdrawn your consent.

   3.3. Visitors

   When you visit our premises, you might be subject to visitor logs and camera surveillance. Below you can find information on how we process your data when you are visiting our premises.

   3.3.1. Camera surveillance
   Description	Personal data	Legal basis
   Prevent and investigate thefts from our premises. Prevent and investigate crimes and accidents, such as sabotage, vandalism, burglary, threatening situations and workplace accidents.	Images and film material.	Legitimate interest. Our legitimate interest to process personal data for security purposes.
   Retention: The data is deleted after 30 days unless it is subject to investigation. In such case the data is deleted when the investigation is complete and the material is handed over to the law enforcement authorities.

    

   3.3.2. Visitor logs
   Description	Personal data	Legal basis
   Prevent and investigate thefts from our premises. Prevent and investigate crimes and accidents, such as sabotage, vandalism, burglary and threatening situations.	From you: Name, information of the time for your visit and who you are visiting.	Legitimate interest. Our legitimate interest to process personal data for security purposes.
   Retention: The data is deleted 1 year after your visit unless it is subject to investigation. In such case the data is deleted when the investigation is complete and the material is handed over to the law enforcement authorities or other authority.

4. HOW WE SHARE YOUR PERSONAL INFORMATION WITH OTHERS

   We share your personal data with companies within the Ellos Group, our partners or other parties who perform services on our behalf. Below we summarize who we share your data with:

   • Partners and advertising networks for marketing e.g. Meta, Google. 
   • Authorities, e.g. law enforcement authorities if needed to investigate a criminal action. 
   • Professional advisors and consultants.
   • Companies within the Ellos Group.

   
   When we use partners and service providers who process personal data on our behalf, we enter into a data processing agreement to ensure that they process your personal data in accordance with this privacy policy and our instructions.

    

5. TRANSFER OF DATA OUTSIDE THE EU AND EEA

   In certain situations, we transfer your personal data to partners or service providers located outside the EU and EEA (so-called "third countries").

   The third country to which we transfer personal data is primarily the United States. Transfer takes place if you visit our websites and allow our use of cookies.

   Before transferring personal data to a recipient in a third country, we take certain steps to ensure that your personal data is protected in the same way as if it had remained in the EU and EEA, including:

   • that the European Commission has decided that the country outside the EU/EEA to which your personal data is transferred achieves an "adequate" level of protection equivalent to that provided by the GDPR. More information on which countries are considered to have an "adequate level of protection" can be found on the European Commission's website, or 
   • that we have entered into the European Commission's standard contractual clauses with our service providers or partners who process personal data in third countries, or
   • that the transfer is covered by the EU-US Data Privacy Framework Adequacy decision for the EU-US Data Privacy Framework, which is a self-certification system for US companies;

   • and that we have taken additional technical and organizational protective measures when needed.

      

6. YOUR RIGHTS

   When we process your personal data, you have certain rights. You can find more information about these rights below. If you wish to exercise any of your rights, please contact us or our Data Protection Officer at the contact details provided below.

   In order for you to be able to exercise your rights, we need to be able to identify you in a secure way. This means that unauthorised persons should not be given the opportunity to access or change your data. We will get back to you as soon as we can, and no later than one month, from receiving your request. If we are unable to respond to your request or need more time, we will explain why.

   Right to information and access

   You have the right to know whether or not we process personal data about you. If we do so, you also have the right to receive information about what personal data we process and how we process it. You also have the right to receive a copy of the personal data we process about you.

   If you are interested in certain specific data, please indicate this in your request. For example, you can specify whether you are interested in a certain type of data (e.g. what contact and identity data we process about you), or if you want to receive information about data from a certain period of time.

   Right to rectification

   If any of the personal data we process about you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete personal data with additional information necessary for the data to be correct.

   Once we have corrected your personal data, or supplemented it with new information, we will inform those to whom we have disclosed your data of the updated data, provided that it is not impossible or too cumbersome. If you request it, we will also tell you to whom we have disclosed your data.

   If you request correction, you also have the right to request that we limit our processing of your data while we investigate the matter.

   Right to erasure

   In some cases, you have the right to request that we delete the personal data we have registered about you. You have the right to have your data erased if:

   • the data is no longer needed for the purposes for which it was collected;
   • We process your data only on the basis of your consent and you withdraw your consent,
   • The data is used for direct marketing purposes and you unsubscribe from it,
   • You object to the processing of the data that takes place on the basis of our legitimate interest and we cannot demonstrate that our reasons for the processing outweigh your interests;
   • The data has been used unlawfully, or
   • Deletion is required to comply with a legal obligation.

   In some cases, we are unable to delete all of your personal data despite your request. This is because in some cases the data is necessary to process for the purpose for which it was collected, that our interest in continuing to process the personal data outweighs your interest in having it deleted, or because the data is needed for us to be able to comply with legal requirements.

   If we delete your data after you have requested it, we will also inform those to whom we have disclosed the data of the deletion, provided that it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

   Right to data portability

   Data portability means that you have the right to receive the data we have collected about you from you in a structured, publicly available and machine-readable format and that you have the right to transmit this to another data controller.

   The right to data portability only applies:

   1. For information collected about you;
   2. If the use is based on your consent or for the performance of a contract with you, and
   3. The data is not in paper format.

   
   Right to object to our processing of personal data

   You have the right to object to our processing of your personal data that takes place on the basis of our legitimate interest. If you object to the processing, we will, based on your particular situation, evaluate whether our interests in processing the data outweigh your interests in the data not being processed for that purpose. If we cannot demonstrate compelling legitimate grounds that outweigh yours, we will stop the processing to which you object – provided that we do not have to process the data for the establishment, exercise or defence of legal claims.

   If you object to the processing, you also have the right to request restriction during the time we investigate the matter. With regard to direct marketing, you always have the right to object, and thereby unsubscribe from, such processing.

   Right to withdraw consent 

   You have the right to withdraw a consent you have given for a particular processing at any time. A withdrawal does not affect the lawfulness of our processing before the consent was withdrawn.

   Right to request restriction

   Restriction means that the data is marked so that in the future it may only be processed for certain limited purposes.

   The right to restriction applies to:

   1. When you believe that the information is incorrect and you have requested correction. In this case, you can also request that the processing of the data be restricted while we investigate whether the data is correct or not. 
   2. If the processing is unlawful and you do not want the data to be erased, 
   3. When we no longer need to process the data for the purposes for which we collected it, but you need it to establish, exercise or defend legal claims, or
   4. If you have objected to the treatment. In this case, you can request that we restrict the processing while we investigate whether our interest in processing your data outweighs your interests. 

   Even if you have requested that we restrict the processing of your data, we are entitled to use it for storage, if we have obtained your consent to the processing, to exercise or defend legal claims, or to protect someone's rights. We may also process the data for reasons of important public interest.

   When the restriction ends, we will inform you of this.

   If we restrict the processing of your data, we will also inform those to whom we have disclosed the data of the restriction, provided that it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

   Right to lodge a complaint

   If you have questions about our processing of your personal data, wish to exercise any of your rights or have a complaint about the processing, you are welcome to contact our Data Protection Officer via the contact details below.

   The Swedish Authority for Privacy Protection (IMY) is the Swedish supervisory authority for our use of your personal data. If you are unsatisfied with our use of your personal data, you can also turn to the Swedish Data Protection Authority with a complaint. You also have the right to lodge a complaint about our processing of personal data with the supervisory authority in the country where you have your habitual residence or place of work, or in the country where the processing of personal data with which you are unsatisfied has been carried out.

    

7. CHANGES

   If we make changes to this Privacy Policy, we will post an updated version here.

   The personal data policy was last updated on 2025-06-10.

    

8. CONTACT 

   If you have any questions or would like us to explain any part of this Privacy Policy to you, please contact us.

    

   Customer Service	Data Protection Officer
   Email: [email protected] Telephone: +46 (0)33-160 000	Email: [email protected]