
Privacy Policy

How we handle your personal data

Last updated: 16 March 2026

Dibélle cares about your personal privacy. This policy describes how we collect, use and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Swedish Electronic Communications Act (LEK 2022:482) and the Swedish Data Protection Act (2018:218).

1. Data Controller

Norra Hamn Kliniken AB (org. no. 559249-4081), operating as Dibélle, is the data controller for personal data processed in connection with our operations.

Address: Kullagatan 40, 252 20 Helsingborg, Sweden

Phone: +46 72-020 20 62

Email: info@dibelle.se

Responsible person: Abir Mustafa, Licensed Nurse

2. What personal data we collect

We collect the following categories of personal data depending on how you interact with us:

Via the contact form:

  • Name
  • Email address
  • Subject (optional)
  • Message

Via the newsletter:

  • Email address
  • Date of consent

Via the AI chat (treatment guide):

  • Your questions (sanitised, up to 500 characters per message)
  • A random session key (not linked to identity)
  • The page you are on

Via website visits (with analytics consent):

  • IP address (anonymised by Google Analytics)
  • Device and browser information
  • Pages visited and interaction
  • Approximate location (city level)
  • A sessionStorage session key (deleted when the tab closes) used to group page views into a visit journey

Via booking on Bokadirekt:

  • Booking data is handled by Bokadirekt AB under their own privacy policy. We do not have access to your payment details.

In server memory (volatile, not persisted):

  • IP address for spam protection and rate limiting. Cleared on next server restart, typically within hours.

3. Purposes and Legal Basis

We process your personal data for the following purposes:

  • Responding to enquiries (contact form). Legal basis: Legitimate interest in providing good customer service
  • Managing bookings (via Bokadirekt). Legal basis: Performance of a contract
  • Analysing website traffic (Google Analytics). Legal basis: Consent
  • Improving website performance (Vercel Analytics). Legal basis: Legitimate interest (no cookies, no personal data)
  • Compliance with accounting law. Legal basis: Legal obligation

We never process your personal data for advertising, profiling or resale.

Voluntary provision

Providing personal data to us is voluntary. If you choose not to use the contact form or the newsletter, you can still use the website and book via Bokadirekt. The contact form and newsletter are optional services.

To actually book a treatment, Bokadirekt (a third party and separate data controller) requires certain data in order to perform the booking contract.

4. Cookies

Necessary (always active)

Name | Provider | Purpose | Duration | Storage
dibelle-cookie-consent | dibelle.se | Saves your cookie choice | 180 days | localStorage
NEXT_LOCALE | dibelle.se | Language preference | Session | cookie
chat-session | dibelle.se | AI chat during visit | Session | sessionStorage

Analytics (requires consent)

Name | Provider | Purpose | Duration | Storage
_ga | Google | Google Analytics: unique user ID | 2 years | cookie
_ga_BPJH8DKF53 | Google | Google Analytics 4: session state | 2 years | cookie
_clck | Microsoft Clarity | Microsoft Clarity: unique user ID | 1 year | cookie
_clsk | Microsoft Clarity | Microsoft Clarity: session data | 1 day | cookie
MUID | Microsoft Clarity | Microsoft: device identifier | 13 months | cookie
CLID | Microsoft Clarity | Microsoft Clarity: feature flag | 1 year | cookie

Functional (requires consent)

Name | Provider | Purpose | Duration | Storage
dibelle-chat-history | dibelle.se | Saves your chat for return visits | 7 days | localStorage
dibelle-recs | dibelle.se | Treatment recommendations | 30 days | localStorage

Our website uses cookies and local storage (localStorage) in accordance with LEK (2022:482) Ch. 9 § 28 and the ePrivacy Directive (2002/58/EC) Art. 5(3). We divide them into three categories that you choose in our cookie banner:

Necessary (always active, no consent required):

  • Consent setting: saves your cookie choice (localStorage, 6 months)
  • Session data: AI chat during the current visit (sessionStorage, deleted when the tab is closed)

Analytics (requires your consent):

  • Google Analytics 4: measures website traffic and behaviour. Only activated after your consent via the cookie banner.

Functional (requires your consent):

  • Chat history: saves your conversation with the treatment guide for return visits (localStorage, 7 days)
  • Treatment recommendations: aggregated anonymous data about which treatments visitors view is used to show recommendations

You can change your consent at any time by clearing your browser data and revisiting the website. The banner reappears after 6 months.

5. Google Analytics and Microsoft Clarity

With analytics consent we use two tools:

Google Analytics 4 (Google Ireland Limited, processor):

  • Measures page views, session length, device type, traffic source
  • IP address is anonymised before reaching Google's servers
  • Google Consent Mode v2 — the service does not load at all until you give consent
  • Data retention in GA4: up to 14 months

Microsoft Clarity (Microsoft Corporation, independent controller):

  • Heatmaps and anonymised session recordings
  • Microsoft acts as its own controller and may use the data for its own purposes per Microsoft's privacy statement (https://privacy.microsoft.com/privacystatement)
  • Recordings automatically mask text and form fields
  • Data retention: 30 days to 13 months depending on data type

Journey tracking: With analytics consent we pseudonymously log which pages you visit during the session and whether you click the booking button. Stored in Vercel logs per their default retention. Without consent the feature is fully disabled.

Without analytics consent none of these services are activated and no data is collected.

6. Third parties and data processors

We share personal data with the following third parties (processors or separate controllers), strictly to deliver our services:

  • Bokadirekt AB (Sweden): Booking platform. Separate controller.
  • Resend Inc. (USA): Email delivery. Certified under EU-US Data Privacy Framework (2025) + SCCs. Data deleted within 90 days of termination.
  • Vercel Inc. (USA): Web hosting and server logs. Certified under EU-US Data Privacy Framework since 2019 (active, re-certification due 2026-04-29) + SCCs. Sub-processors: AWS, Microsoft Azure, Google Cloud. Runtime logs retained a few days by default.
  • Upstash Inc. (EU region, Ireland): Redis database. GDPR-compliant, DPAs with sub-processors. No transfer outside the EU.
  • Moonshot AI Ltd. (servers in Singapore): Runs the AI chat. Important: their policy allows content to be used for model training. We never send name, email or IP — only chat content and the system prompt.
  • Google Ireland Limited (Google Analytics 4, Google Maps): Google LLC is certified under EU-US Data Privacy Framework + SCCs. Requires consent.
  • Microsoft Corporation (Clarity): Certified under EU-US Data Privacy Framework + SCCs. Microsoft acts as an independent controller for Clarity data. Requires consent.
  • Cloudflare Inc. (USA): DNS and CDN. Certified under EU-US Data Privacy Framework + SCCs. Access logs up to 12 months.

We never sell your data. We have DPAs in place with every processor.

7. The Contact Form

When you send a message via the contact form, we collect your name, email address and message. The data is used solely to respond to your enquiry.

The message is sent via Resend to our email. We do not store your data in any database; it exists only in our inbox.

Your IP address is temporarily stored in server memory to prevent abuse (spam). It is automatically deleted at the next server restart and is never stored permanently.

8. Newsletter

We offer a voluntary newsletter via Resend. We use double opt-in: after signup we send a confirmation email you must click before being added. This fulfils the explicit consent requirement in the Swedish Marketing Act (2008:486).

  • Legal basis: Consent (GDPR art. 6.1.a)
  • What we store: Your email address and the date of consent
  • Unsubscribe: A one-click unsubscribe link appears at the bottom of every email (RFC 8058). You can also email info@dibelle.se.
  • Provider: Resend Inc. — data may be transferred to the USA under standard contractual clauses

9. AI treatment guide (chat)

Our AI treatment guide helps visitors find the right treatment. The chat is powered by Moonshot AI (servers in Singapore).

What we collect:

  • Your questions in the chat (sanitised)
  • A random session key in sessionStorage (deleted when you close the tab)
  • The page you are on

What we DON'T collect:

  • AI responses are never logged
  • No IP, name or email is stored with the chat

Note — Moonshot model training: Moonshot's policy allows API content to be used to improve their models. Since we never send directly identifiable information, the risk is limited, but if your questions might identify you (e.g. medical history, address) use the contact form instead. Your in-clinic consultation is covered by entirely separate confidentiality rules (Swedish Patient Data Act).

Question storage on our side: Questions are temporarily stored in Upstash Redis (EU, Ireland) in a rolling FIFO list capped at the 500 most recent entries, cleared automatically by our daily digest job. Legal basis: legitimate interest (GDPR art. 6.1.f) to improve FAQs and treatment descriptions.

Chat history (with functional consent): If you allow functional cookies, your conversation is stored in your browser's localStorage (up to 7 days). The data never leaves your browser.

Aggregate analysis: The number of times a treatment is mentioned is aggregated in Upstash Redis to identify trending treatments — with no link to an individual user.

10. Google Maps

On our contact page, we display a Google Maps map to help you find the clinic. When the map loads, Google may collect your IP address and set cookies.

Read Google's privacy policy for more information: https://policies.google.com/privacy

11. Before and after photos

Dibélle displays before and after photos on the website to illustrate treatment results. These images constitute special categories of personal data (health data) under GDPR art. 9.

  • Legal basis: Explicit written consent (GDPR art. 9.2.a) — collected separately from each patient on a dedicated consent form before publication
  • Scope of consent: Each patient receives specific information about how, where and for how long the images are published
  • Right to withdraw: You can request image removal at any time by emailing info@dibelle.se — images are removed as soon as possible, within 14 days at the latest
  • Storage: Original images are stored encrypted and are not shared with third parties beyond web publication

If you recognise yourself in a published image and have not consented, contact us immediately — this should not happen and we will fix it the same day.

12. Patient records and treatment data

When you actually receive a treatment from us, the Patient Data Act (2008:355) and the Aesthetic Surgery and Injection Treatments Act (2021:363) apply. We are then the controller of your patient record.

  • Legal basis: Legal obligation (GDPR art. 6.1.c) and healthcare (art. 9.2.h)
  • Record content: Anamnesis, treatment documentation, products and doses, follow-up
  • Retention: 10 years from the last entry (Patient Data Act ch. 3 § 17)
  • Confidentiality: Only licensed staff have access. Professional secrecy under the Patient Safety Act (2010:659)
  • Supervision: The Health and Social Care Inspectorate (IVO)

This processing is fully separate from the website's data processing — the record is not handled via dibelle.se.

13. Automated decision-making and profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR art. 22).

Treatment recommendations shown in the AI chat are informational and never replace a personal consultation. No booking or treatment is approved automatically — everything requires personal assessment by licensed staff.

14. How Long We Store Your Data

  • Contact form: Until your enquiry has been answered, plus 12 months for follow-up
  • Booking details: Handled by Bokadirekt according to their policy
  • Accounting records: 7 years under Swedish accounting law
  • Google Analytics data: Maximum 14 months
  • Consent setting: 6 months (then the cookie banner reappears)

When the storage period expires, the data is deleted or anonymised.

15. Your Rights

Under GDPR, you have the following rights:

  • Right of access: You can request to know what data we hold about you.
  • Right to rectification: You can request that incorrect data be corrected.
  • Right to erasure: You can request that your data be deleted, unless legal requirements prevent it.
  • Right to restriction: You can request that we restrict the processing of your data.
  • Right to data portability: You can request to receive your data in a machine-readable format.
  • Right to object: You can object to processing based on legitimate interest.
  • Right to withdraw consent: You can withdraw consent at any time without affecting the lawfulness of prior processing.

Contact us at info@dibelle.se to exercise your rights. We will respond to your request within 30 days.

16. International data transfers

Some service providers process data outside the EU/EEA:

  • USA (Google, Vercel, Resend, Microsoft, Cloudflare): All are certified under the EU-US Data Privacy Framework — an EU Commission adequacy decision (July 2023) that makes the transfer safe without additional safeguards. We also have SCCs as a backup.
  • Singapore (Moonshot AI): No adequacy decision. We restrict the transfer to chat content only without directly identifiable information. Legal basis: legitimate interest (GDPR art. 6.1.f). Moonshot's policy allows model training.

If you don't want your chat sent to Singapore, use the contact form, phone or email instead.

17. Security

We take appropriate technical and organisational measures to protect your personal data. All data traffic is encrypted with SSL/TLS. Access to personal data is limited to authorised personnel.

In the event of a personal data breach that poses a risk to your rights, we will notify you and the Swedish Authority for Privacy Protection (IMY) within 72 hours.

18. Children and Minors

Dibélle does not perform treatments on persons under 18 years of age. We do not knowingly collect personal data from minors. If you are under 18, please do not submit personal information through our website.

19. Complaints

If you believe that we are processing your personal data incorrectly, you have the right to file a complaint with:

The Swedish Authority for Privacy Protection (IMY)

Box 8114, 104 20 Stockholm, Sweden

Phone: +46 8-657 61 00

Email: imy@imy.se

Website: www.imy.se

20. Changes to This Policy

We may update this privacy policy. In the event of material changes, we will inform you via the website. The date of the latest update is always stated at the top of the page.