GDPR Compliance

Yes. Jaapi AB is a Swedish company fully compliant with the EU General Data Protection Regulation (GDPR). We maintain EU data residency, process data under valid legal bases, and uphold all data subject rights. Our ISO 27001:2022 certification further demonstrates our commitment to data protection.

Your data is stored in the European Union, primarily in Frankfurt, Germany. As an EU-based company, we maintain strict EU data residency. For services requiring US-based providers (customer support, team communication), we ensure GDPR compliance through EU Standard Contractual Clauses.

We collect only essential data: account information (name, email), shipping addresses for orders, and order history. We do not store credit card numbers, government IDs, health information, or biometric data. Payment processing is handled by Stripe—card details never touch our systems.

You have the right to access your data, correct inaccuracies, request deletion, receive your data in a portable format, object to processing, and restrict how we use your data. To exercise any right, contact lynn@jaapi.store. We respond within one month as required by GDPR.

Our primary sub-processors are: AWS (database hosting, Frankfurt), Vercel (application hosting, Frankfurt), Stripe (payments, Ireland), MailerSend (email, Belgium), Pylon (support tickets, US with EU SCCs), and Slack (team communication, US with EU SCCs). A complete list is available at trust.jaapi.com/vendors.

Account and order data is retained during your service period. System logs are automatically deleted after 30 days. Upon account deletion request, we remove personal data except where legally required (e.g., tax records retained 7+ years). Session data expires automatically.

For privacy questions, data subject requests, or GDPR inquiries, contact Lynn Smeria at lynn@jaapi.store. We respond to all data protection requests within one month. For detailed compliance documentation, visit trust.jaapi.com.