Privacy Policy

Privacy Policy

Last updated: April 10, 2026

This privacy policy describes how SveaStream collects, uses and protects your personal data when you use our IPTV service or visit sveastream.com. We comply with the EU General Data Protection Regulation (GDPR 2016/679) and the corresponding Nordic data protection laws in Sweden, Norway, Denmark and Finland.

01Data Controller

SveaStream is the data controller responsible for the processing of your personal data under Article 4(7) of the GDPR. We are a digital IPTV service provider with business address at 6 Bedford St, London WC2E 9HZ, United Kingdom.

We have not appointed a Data Protection Officer (DPO) because our processing does not require one under Article 37 of the GDPR. All enquiries about this policy should be sent to support@sveastream.com or via WhatsApp at +447933286686.

02Personal data we collect

We collect the following categories of personal data:

  • Contact form: name, email address, phone number (optional), subject and message.
  • Subscription data: email address, selected plan, number of devices and activation time.
  • Technical data: IP address (temporarily, for rate limiting and security), browser and language preference.
  • Payment data: We do not store any card or payment details. All payments are handled by external payment providers acting as independent data controllers.

We do not collect sensitive personal data (e.g. health, ethnic origin or political opinions) and do not use any marketing or tracking cookies.

03Purposes of processing

We process your personal data exclusively for the following purposes:

  • To provide, activate and manage your IPTV subscription.
  • To respond to your support and contact enquiries.
  • To send necessary service information (login credentials, activation messages).
  • To protect our service against fraud, abuse and security threats.
  • To comply with legal obligations (accounting, tax reporting, responses to authorities).

04Legal basis under Article 6 GDPR

We process your personal data on the basis of the following legal grounds:

  • Article 6(1)(b) — performance of a contract: to deliver your IPTV subscription and manage the customer relationship.
  • Article 6(1)(b) — pre-contractual measures: to respond to enquiries via the contact form.
  • Article 6(1)(c) — legal obligation: for accounting and tax reporting under applicable law.
  • Article 6(1)(f) — legitimate interest: to prevent abuse, ensure service stability and protect our rights.

We do not request consent (Article 6(1)(a)) for any processing described in this policy, as our processing operations rely on other legal grounds.

05Recipients and data processors

We never sell your personal data and never share it for marketing purposes. We use the following data processors, which handle data under our documented instructions and pursuant to a signed Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR:

  • Vercel Inc. (USA) — web hosting and infrastructure for sveastream.com.
  • Resend (USA) — email delivery for contact form and transactional messages.
  • Upstash (EU/USA) — rate limiting and security logging (IP addresses, temporary).
  • Payment providers (e.g. Stripe) — processing of payment transactions as independent data controllers.

We may also share your data with public authorities, courts or legal counsel where we are required to do so under applicable law.

06International data transfers

Your personal data is processed primarily within the EU/EEA. Some of our data processors are based outside the EU/EEA (mainly in the United States). In such cases, the transfer is carried out with the following safeguards under Chapter V of the GDPR:

  • European Commission Standard Contractual Clauses (SCC) pursuant to Decision 2021/914.
  • EU-US Data Privacy Framework, where the provider is certified.
  • Technical safeguards: encryption in transit (TLS 1.3) and at rest.

You can request a copy of the applicable safeguards by contacting support@sveastream.com.

07Retention periods

We retain your personal data only for as long as necessary for the purpose or as required by law:

  • Contact form messages: up to 12 months after the last contact.
  • Subscription data: for the duration of the subscription + up to 7 years under applicable accounting and tax law.
  • Technical data and IP logs: up to 30 days.
  • Email correspondence: up to 24 months.

After the retention period expires, your data is securely deleted or anonymised.

08Security measures and incidents

We implement appropriate technical and organisational security measures in accordance with Article 32 of the GDPR:

  • TLS 1.3 encryption for all data transfer (HTTPS).
  • Security headers: CSP, HSTS, X-Frame-Options and others.
  • Rate limiting and protection against known attack patterns.
  • Access control: only authorised personnel have access to personal data.
  • Regular security updates and dependency reviews.

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours pursuant to Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will inform you directly under Article 34 of the GDPR.

09Your rights under the GDPR

Under Articles 15–22 of the GDPR you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your data.
  • Right to rectification (Art. 16) — have inaccurate data corrected.
  • Right to erasure / 'right to be forgotten' (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object to processing (Art. 21).
  • Right not to be subject to automated decision-making (Art. 22).
  • Right to withdraw consent when processing is based on consent.

We will respond to your request within 30 days. Contact support@sveastream.com to exercise any of these rights. Exercising your rights is free of charge.

10Automated decision-making and minors

SveaStream does not use automated decision-making or profiling under Article 22 of the GDPR. All decisions that affect you are made by humans.

Our service is intended for users aged 18 or over. We do not knowingly collect personal data from individuals under 18. If you are a parent or guardian and believe your child has provided us with data, please contact us so we can delete it immediately.

11Complaints to a supervisory authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your national supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • Sweden: Integritetsskyddsmyndigheten (IMY) — imy.se
  • Norway: Datatilsynet — datatilsynet.no
  • Denmark: Datatilsynet — datatilsynet.dk
  • Finland: Tietosuojavaltuutetun toimisto — tietosuoja.fi

We encourage you to first contact us at support@sveastream.com so that we can resolve any issues directly.

12Changes and contact

We may update this privacy policy from time to time. The latest version is always published on this page with its update date. Material changes will be notified via email to active subscribers at least 30 days before they take effect.

  • Email: support@sveastream.com
  • WhatsApp: +447933286686
  • Response time: within minutes, 24 hours a day, 365 days a year.

If you have any questions about this privacy policy or how we handle your personal data, please do not hesitate to contact us.

WhatsApp
Telegram
Email