| Field | Value |
|---|---|
| Version | v1.1 |
| Effective | 2026-05-29 |
| Last updated | 2026-05-29 |
| Controller | Millijoin AB (org. nr. 559069-3593), trading as EVERTIN |
| Contact | privacy@evertin.com |
Postal contact: Millijoin AB, Mariestadsvägen 3, 121 50 Johanneshov, Sweden
1. Who we are
This Privacy Policy explains how Millijoin AB ("we", "us", "Millijoin"), a Swedish Aktiebolag (org-nr 559069-3593, registered office at Mariestadsvägen 3, 121 50 Johanneshov, Sweden), collects and uses personal data when you:
- visit our marketing website at evertin.com; or
- sign in to the EVERTIN platform as a brand administrator to manage your flagship store.
EVERTIN is the multi-tenant platform we operate — a network of digital flagship stores for e-commerce brands. The legal entity that controls your personal data is Millijoin AB.
Note on end-shoppers. If you are a shopper buying from a brand's flagship store on EVERTIN, the brand you are buying from is the data controller for your shopper data, and Millijoin acts as a processor on the brand's behalf. The brand's own privacy policy governs that relationship. Brand administrators accept a controller-processor data processing agreement at signup that governs Millijoin's processing on their behalf; enterprise brands may sign an out-of-band DPA on request via privacy@evertin.com. This document covers the personal data that Millijoin controls directly.
2. What personal data we collect, why, and on what lawful basis
We apply data minimization — we collect the smallest dataset that lets us run the service — and purpose limitation — we only use data for the purpose it was collected for. Each processing activity below names its lawful basis under GDPR Article 6.
2.1 Visitors to evertin.com (marketing site)
| Data | Purpose | Lawful basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| IP address, user-agent, referrer, pages viewed | Operate the site, protect against abuse, basic traffic measurement | Legitimate interest (Art. 6(1)(f)) | 30 days in server logs |
| Strictly necessary cookies (session, CSRF) | Make the site work | Legitimate interest (Art. 6(1)(f)) — exempt from consent under ePrivacy | Session |
| Email address you submit in a contact / waitlist form | Reply to your enquiry; add to waitlist if you opted in | Legitimate interest (enquiry); consent (Art. 6(1)(a)) for waitlist | 24 months after last contact, then deleted |
We do not run analytics, marketing tracking, or non-essential cookies at v1 GA. See §7.
2.2 Brand administrators (EVERTIN customers)
When a brand signs up to use EVERTIN to operate a flagship store, the named brand administrator(s) become our direct customers.
| Data | Purpose | Lawful basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Name, work email, brand name, role | Create your account, identify you when you sign in | Contract (Art. 6(1)(b)) | Duration of the contract + 12 months |
| Authentication metadata (login times, IP at login, device) | Account security, audit trail, abuse detection | Legitimate interest (Art. 6(1)(f)) | 12 months |
| Billing details (company name, VAT, billing email, payment metadata) | Invoice you, collect payment, meet bookkeeping obligations | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for bookkeeping | 7 years (Swedish Bokföringslagen) |
| Content you create in the admin (store configuration, copy, uploads) | Provide the service | Contract (Art. 6(1)(b)) | Duration of the contract + 30 days, then deleted |
| Support emails / messages | Resolve your support requests | Legitimate interest (Art. 6(1)(f)) | 24 months after the request is closed |
2.3 AI-assisted features
EVERTIN uses Anthropic Claude to help brand administrators draft store content (product copy, on-brand suggestions). Prompts you send to those features, and the outputs returned, are processed by Anthropic on our instructions.
- Lawful basis: Contract (Art. 6(1)(b)) — providing the AI assistance you asked for.
- What we send: the content of the prompt and any context the brand admin chooses to include. We do not knowingly send end-shopper personal data to Anthropic for these features.
- Retention: Anthropic retains prompt and response data for up to 30 days under their standard API retention policy. We have not enabled zero retention for our workspace; work to sign Anthropic's Zero Retention Addendum is tracked separately and is not a prerequisite for this policy version.
- Automated decision-making: these AI features assist drafting only. They do not make decisions about you with legal or similarly significant effects (GDPR Art. 22 does not apply).
3. How we share your personal data — subprocessors
We use the following processors (subprocessors) to run EVERTIN. Each is bound by a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) for transfers outside the EEA/UK.
| Subprocessor | Purpose | Country | Transfer mechanism | DPA |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, CDN | USA (with EU regions for compute where configured) | EU SCCs + UK IDTA | Signed |
| Supabase Inc. | Database, authentication, object storage | EU (Ireland — AWS eu-west-1) for EVERTIN production | EU SCCs as backstop | Signed |
| Anthropic PBC (base DPA) | AI inference for content-drafting features (Claude) | USA | EU SCCs | Signed |
| Anthropic PBC (Zero Retention Addendum) | Reduces Anthropic's prompt/response retention to zero (see §2.3) | USA | EU SCCs | Not yet executed |
| Resend, Inc. | Transactional email delivery (account, billing, notifications) | USA | EU SCCs | Signed |
Internal company operations are agent-orchestrated via Paperclip. Paperclip is not engaged as a subprocessor of customer personal data; company personnel (human or agent) may incidentally access production data under our internal access controls when handling support, security, or engineering tasks. These activities are governed by our internal Acceptable Use and access policies rather than a standalone DPA.
We publish and keep this list current at evertin.com/subprocessors. We will give brand administrators reasonable advance notice of any new subprocessor and a chance to object before that subprocessor processes their personal data.
We do not sell personal data and do not share it with advertisers or data brokers.
4. International transfers
Some of our subprocessors are located in the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (UK-IDTA) where UK personal data is involved, and, where available, additional safeguards such as encryption in transit and at rest. For each US-based subprocessor we maintain a Transfer Impact Assessment per EDPB guidance; the relevant TIA is available to data subjects and supervisory authorities on request. A copy of the relevant clauses is available on request from privacy@evertin.com.
5. How long we keep your personal data
Retention windows are listed alongside each data category in section 2. Where we don't have a fixed window, we keep data only for as long as we need it for the purpose it was collected, and then delete or anonymise it. Production database backups are taken daily and retained for 7 days, after which they are overwritten.
6. Your rights
Under the GDPR you have the right to:
- Access a copy of the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase ("right to be forgotten") your data, subject to legal retention requirements (e.g. bookkeeping);
- Restrict or object to processing based on legitimate interest;
- Data portability — receive a machine-readable copy of the data you provided;
- Withdraw consent at any time, where consent is the lawful basis;
- Lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten — IMY, https://imy.se), or the supervisory authority in your country of residence.
To exercise any of these rights, email privacy@evertin.com. We respond within 30 days of receiving a verifiable request, in line with GDPR Art. 12(3). Identity verification may be required to protect against impersonation.
We do not charge for the first copy of your data; subsequent or manifestly excessive requests may attract a reasonable fee.
7. Cookies
EVERTIN v1 GA does not set non-essential cookies and does not run analytics or marketing tracking. The only cookies set are strictly necessary cookies used to keep you signed in and to protect against CSRF; under the ePrivacy Directive these are exempt from the consent requirement. No cookie banner is therefore necessary at launch. If we add analytics or other non-essential tracking in the future, this policy will be updated and a consent surface deployed before that feature ships.
8. Security
We protect personal data with technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for database and object storage, least-privilege access controls, and audit logging. Detailed security commitments are documented in our Security Overview, available on request from privacy@evertin.com.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR Art. 33. Where the risk is high, we will also notify you directly without undue delay.
9. Children
EVERTIN is a B2B platform for brand administrators and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@evertin.com and we will delete it.
10. Changes to this policy
We will post any material change to this policy at evertin.com/privacy, update the version number and date at the top, and — where the change affects an active processing activity for which you have an account — notify you by email at least 14 days before the change takes effect.
Version history
| Version | Date | Summary of changes |
|---|---|---|
| v1.1 | 2026-05-29 | §2.3 (AI-assisted features) updated to accurately reflect Anthropic's standard 30-day API retention; Zero Retention Addendum is noted as not yet executed for our workspace. Policy restructured to name a lawful basis (GDPR Art. 6) for every processing activity, with separate carve-outs for marketing-site visitors, brand administrators, and AI-assisted features. |
| v1.0 | 2026-05-28 | Initial publication. |
Tobias Svenlöv, VD, Millijoin AB (org. nr. 559069-3593)
