This policy explains what personal data agnesofficial.com (the "site") collects about you, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act.
Who is responsible for your data
The data controller is Step Music Management, acting on behalf of the recording artist Agnes. You can reach us about anything in this policy at privacy@agnesofficial.com.
Newsletter sign-ups
When you sign up for the mailing list we collect the following, all of which you provide voluntarily on the form:
Name — so we can address you personally in emails.
Email address — so we can actually send the emails you asked for.
Postal code and country — so we can tell you about tour dates, releases and events relevant to where you live.
Approximate location — when you sign up we also estimate your city, region and country from your IP address (via our hosting provider) and store that estimated location — not the IP address itself — on your subscriber record, so we can group subscribers by area and send locally relevant updates (for example, a show in your city). It is approximate and reflects your network, not a precise position.
Where you signed up — which part of the site you subscribed from (e.g. the footer, the sign-up page, the socials page, or a pop-up), so we can understand which channels work.
Your consent — we record the fact that you ticked the consent box, alongside the date and time, so we can demonstrate (as GDPR requires) that you opted in.
Why we're allowed to do this: Article 6(1)(a) GDPR — your explicit consent. You can withdraw it at any time by using the unsubscribe link in every email, or by emailing us. Withdrawing consent does not affect the lawfulness of anything we did before you withdrew it.
How long we keep it: we keep your subscriber details for as long as you're subscribed. When you unsubscribe we stop emailing you and keep only a minimal record (your email address and the fact that you unsubscribed) so we don't accidentally add you again — you can ask us to erase that too at any time. We also remove addresses that repeatedly bounce or have been inactive for an extended period.
Email open and click tracking
When we send you a newsletter, our email provider (Resend) can record whether you opened the email and which links you clicked. We use this only to understand which updates are relevant and to improve future emails — we don't build advertising profiles from it. Open tracking uses a small invisible image in the email; click tracking routes links through our provider before forwarding you to the destination. Each newsletter is tagged so we can see open and click rates per issue. We also receive automatic notifications from Resend if an email to you bounces or is marked as spam — when that happens we flag your address as undeliverable and stop sending to it, to protect delivery for everyone else.
Why we're allowed to do this: Article 6(1)(a) GDPR — your consent, given when you subscribe. You can withdraw it at any time using the unsubscribe link in every email.
How we tailor what you get
We group subscribers by approximate location, where they signed up, and how they engage with our emails, so we can send more relevant updates — for example, telling people near a city about a show there. This is "profiling" in the language of the GDPR, but it is light-touch: it never makes a decision that has a legal or similarly significant effect on you, and there is no purely automated decision-making about you under Article 22 GDPR.
Your right to object: you can object to this profiling, and to direct marketing in general, at any time (Article 21(2) GDPR) — just use the unsubscribe link in any email or email us, and we'll stop.
Security, spam and abuse prevention
To stop the sign-up form from being abused by bots and scrapers, our server briefly processes:
Your IP address (taken from the standard X-Forwarded-For / X-Real-IP request headers), so we can apply a rate limit of five sign-ups per ten minutes per address.
A hidden "honeypot" form field — a field invisible to humans that bots tend to fill in. If it's filled, the submission is silently discarded.
Why we're allowed to do this: Article 6(1)(f) GDPR — our legitimate interest in keeping the service available and free from abuse. The IP address is held in the server's memory for the length of the rate-limit window (about ten minutes) and then discarded; we don't write it to a long-term database. Our hosting provider may keep request logs separately — see below.
Cookies, local storage and analytics
The site uses one piece of local storage by default, regardless of consent:
agnes-consent-v1 — stores your answer to the cookie banner (granted, denied, or absent if you haven't answered yet) so we don't keep asking. This is strictly necessary for the consent mechanism itself and does not require consent under the ePrivacy Directive.
The following only load after you press "Accept" in the banner. Pressing "Reject" or ignoring the banner means none of them ever run.
Google Analytics 4 (Google Ireland Ltd.) — measures page views, device type, browser, referrer and approximate location. We configure it with IP anonymisation enabled.
Meta Pixel (Meta Platforms Ireland Ltd.) — records page views so we can understand which content resonates and, if we run ads, measure their performance.
Both tools set their own cookies once loaded. You can change your mind at any time using the Cookie settings link, which re-opens the banner. Rejecting consent stops the scripts from loading on future page views.
Why we're allowed to do this: Article 6(1)(a) GDPR — your explicit consent. How long: cookie lifetimes are set by Google and Meta; see their own policies for details.
Who we share your data with
We don't sell your data. We share it only with the service providers we need to actually run the site:
Resend (Resend, Inc., USA) — our email delivery provider. Resend sends the newsletters on our behalf and processes delivery events (opens, clicks, bounces and spam complaints) as our processor under a data-processing agreement.
Sanity (Sanity AS, Norway) — our content management system. As well as the editorial content on the site, Sanity is where your newsletter subscription record is stored — your name, email address, postal code, country and the approximate location we derive at sign-up. Sanity acts as our processor under a data-processing agreement.
Vercel Inc. — our hosting provider. They process the HTTP requests for every page and form submission, derive the approximate location passed to us, and keep short-lived request logs. We deploy to their European region where possible.
Google Ireland Ltd. and Meta Platforms Ireland Ltd. — only if you've consented to analytics (see above).
Where your data leaves the EU/EEA we rely on recognised safeguards: Resend (USA) — the European Commission's Standard Contractual Clauses; Google and Meta (EU entities, with onward transfer to the USA) — the EU–US Data Privacy Framework; Sanity (Norway) and Vercel (EU region) keep your data within the EEA where possible. You can ask us for a copy of these safeguards.
Your rights under the GDPR
You have the right to:
Access — ask for a copy of the personal data we hold about you.
Rectification — ask us to correct anything inaccurate or incomplete.
Erasure — ask us to delete your data ("right to be forgotten").
Restriction — ask us to pause processing while a question about your data is resolved.
Portability — receive your data in a machine-readable format so you can take it elsewhere.
Objection — object to processing we've based on legitimate interest (such as our anti-abuse measures).
Withdraw consent — at any time, for anything you consented to (newsletter, analytics).
To exercise any of these, email us at privacy@agnesofficial.com. We'll respond within one month, as the GDPR requires.
Right to lodge a complaint
If you believe we've mishandled your data, you have the right to complain to the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY) — imy.se. You can also complain to the data protection authority in the EU country where you live or work.
Children
The site is not directed at children and we don't knowingly collect personal data from anyone under 16. If you're a parent or guardian and believe your child has signed up, email us and we'll delete the record.
Changes to this policy
We may update this policy when the site, our providers, or the law changes. The "Last updated" date below always reflects the most recent revision. Material changes that affect how we use your data will be flagged on the homepage or by email before they take effect.