Privacy Policy

Last updated: 2026-03-21

Idun Blue is a creator platform operated by Ideäng Productions AB ("we", "us", "our"), a company registered in Sweden. This Privacy Policy explains how we collect, use, and protect personal data when you use our platform at idun.blue and related services.

We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.

1. Data Controller

The data controller for the Idun Blue platform is:

When a creator ("operator") uses Idun Blue to run their business, the operator is the data controller for their members' data, and Ideäng Productions AB acts as the data processor.

2. What Data We Collect

2.1 Account Information

• Name and email address — provided when you create an account or sign up for a creator's offering.
• Password — stored as a secure hash (never in plain text).
• Profile information — optional details such as bio and profile picture.

2.2 Payment Information

• Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank details on our servers.
• We store transaction references (Stripe customer ID, payment intent ID) to manage subscriptions and orders.

2.3 Usage Data

• Course progress — which lessons you have completed and when.
• Page views and interactions — aggregated analytics to help creators improve their content.
• Community activity — posts, comments, and messages you create.
• Email engagement — open and click tracking for emails sent through the platform.

2.4 Social Media Data

• If you connect a Meta (Instagram/Facebook) account, we store an access token and basic account information (account ID, username, profile picture).
• We use this data solely to publish and schedule content on your behalf, as you explicitly direct.
• We request only the permissions necessary for content publishing: instagram_basic, instagram_content_publish, pages_show_list, and pages_read_engagement.
• We do not access your private messages, contacts, or personal media beyond what is needed for publishing.

2.5 Technical Data

• IP address — used for rate limiting and security; not stored long-term.
• Browser and device type — from standard HTTP headers, used for compatibility.
• Cookies — see section 7 below.

3. How We Use Your Data

We process personal data for the following purposes:

• Providing the service — account management, course delivery, community features, email delivery.
• Payment processing — managing transactions, subscriptions, invoices, and refunds via Stripe.
• Social media publishing — scheduling and posting content to Instagram/Facebook when you connect your account and initiate publishing.
• Platform security — rate limiting, fraud prevention, and abuse detection.
• Service improvement — aggregated, anonymized analytics to improve the platform.
• Communication — transactional emails (receipts, password resets, magic links) and, where you opt in, marketing emails from creators you follow.

Legal Basis (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the services you signed up for.
• Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, service improvement.
• Consent (Art. 6(1)(a)) — marketing emails, social media account connection, optional analytics cookies.

4. Third-Party Services

We share data with the following third-party services, only as necessary to operate the platform:

• Stripe (payments) — processes and stores payment information. See Stripe's Privacy Policy.
• Meta Platforms (Instagram, Facebook) — receives content you choose to publish. See Meta's Privacy Policy.
• Cloudflare (CDN and security) — proxies web traffic for performance and DDoS protection. See Cloudflare's Privacy Policy.
• Google (SMTP) — sends transactional and marketing emails on behalf of creators. See Google's Privacy Policy.

We do not sell personal data to third parties.

5. Data Retention

• Account data is retained as long as your account is active.
• Social media tokens are deleted immediately when you disconnect your account or when the token expires.
• Payment records are retained for the period required by Swedish bookkeeping regulations (7 years).
• Email tracking data is retained for 12 months, then anonymized.
• When you delete your account, your personal data is permanently removed within 30 days, except where legal retention requirements apply.

6. Your Rights (GDPR)

As a data subject under GDPR, you have the following rights:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data ("right to be forgotten"). See Data Deletion Instructions.
• Data portability — receive your data in a machine-readable format.
• Restriction — request that we limit processing of your data.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

7. Cookies

We use cookies and similar technologies for:

• Essential cookies — authentication tokens (JWT) stored in localStorage, necessary to keep you logged in. These are not cookies in the traditional sense but function similarly.
• Cloudflare cookies — security and performance cookies set by Cloudflare's CDN.

We do not use third-party advertising or tracking cookies. We do not use Google Analytics or similar analytics platforms that track users across sites.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data is transmitted over HTTPS/TLS.
• Passwords are hashed using strong cryptographic algorithms.
• API endpoints are protected by rate limiting and input validation.
• Access to production systems is restricted and monitored.
• Database backups are encrypted and stored securely.

9. International Transfers

Our servers are located in Europe. Some third-party services (Stripe, Cloudflare, Meta) may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

10. Children

Idun Blue is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top indicates the most recent revision.

12. Contact