PRIVACY POLICY

This privacy notice explains how Digituals AB (org. no: 559526-4903) processes personal data ("we", "our" or "us"). References to "you", "your" or "yourself" refer to the data subject whose personal data we process.

We explain, among other things, what personal data we process, why the processing takes place, where the data is stored, who may have access to it, and what rights you have under GDPR.

This privacy notice uses definitions that correspond to those found in the EU General Data Protection Regulation 2016/679 ("GDPR"), such as "personal data", "processing", "data subject", "supervisory authority", "third party", "data controller", "data processor", and others. Each of these definitions has the same meaning as set out in Article 4 of the GDPR. For a complete list and exact definitions, please see this article.

We are the data controller for the processing of personal data where we determine the means and purposes, according to the principle of accountability. The processing is carried out in accordance with GDPR and, where applicable, SCCs, and follows fundamental data protection principles. Unless otherwise stated, this applies to all processing in this privacy notice.

When we process personal data as a data processor, this is done according to a data processing agreement with the data controller and in accordance with their instructions. Such processing is not covered by this privacy notice.

We primarily obtain access to your personal data when you visit our website, enter into an agreement with us, use our digital services (such as mobile applications or web platforms), contact our support, or subscribe to our newsletter.

We only process personal data that is adequate, necessary and relevant to fulfill the purpose for which it was collected (according to the principle of data minimization). Information about specific categories of personal data can be found in section 7 below.

We process personal data only for specific, explicitly stated and legitimate purposes in accordance with the principle of purpose limitation. The processing is primarily based on one of the following legal bases:

• •

  Consent (Article 6.1.a GDPR) – You have given your consent to the processing of your personal data for specific purposes.

• •

  Contract (Article 6.1.b GDPR) – The processing of your personal data is necessary to enter into or fulfill a contract with you.

• •

  Legal obligation (Article 6.1.c GDPR) – We must process your personal data according to legal requirements.

• •

  Legitimate interest (Article 6.1.f GDPR) – The processing is necessary for our or a third party's legitimate interests, after weighing against your rights and freedoms.

In some cases, it is voluntary to provide personal data, but without it we may not be able to provide certain support, enter into or fulfill contracts. If processing is based on consent, you can withdraw it at any time without affecting the legality of previous processing.

For processing based on legitimate interest, we have conducted an interest assessment and determined that the processing does not infringe on your right to privacy and integrity.

Below you can read more about the legal basis and purpose of specific processing of personal data.

1) Use of cookies on our website

We use cookies on our website. Necessary cookies are used without your prior consent based on our legitimate interest in maintaining a functioning website. Non-necessary cookies are only used if you give your consent, which you can withdraw at any time without affecting the legality of processing performed before the withdrawal.

Personal data that may be processed through cookies includes:

• •

  Device information: information about the device (computer, tablet or phone) used when visiting the website, browser version, IP address, time zone, cookie information, operating system, language settings, screen resolution and other information provided via cookies.

• •

  Consent to use of non-necessary cookies.

More information about the use of cookies, storage times for cookies, recipients of information, etc. is provided in our cookie notice published on our website.

2) Customer service, support and other contact

When you contact us, we process your personal data to identify you, understand and handle your case, and provide you with the best possible service. Processing also takes place to ensure effective communication, follow up on the case and improve our customer service. We offer several contact methods, including email, telephone, contact forms and social media, where we process the personal data you provide and that otherwise appears during communication. Personal data that may be processed includes:

• •

  Identifying information (e.g. first name, last name)

• •

  Contact information (e.g. email address, phone number)

• •

  Account and user information (e.g. username, user ID)

• •

  Support cases (e.g. description of the case and any previous correspondence)

Case information is stored for up to 2 years after the last contact in the case to ensure follow-up and improved service. If the case concerns warranty, complaint or an ongoing dispute, the information may be stored longer in accordance with legal requirements.

The following actors may be recipients of relevant personal data: IT suppliers (such as email service provider, telephone operator and customer support system).

Legal basis for processing personal data: our legitimate interest.

We strive to process personal data within the European Union (EU) or the European Economic Area (EEA). In some cases, however, personal data may be transferred and processed outside the EU/EEA. To ensure adequate protection of your personal data in such transfers, we take appropriate safeguards in accordance with GDPR rules. This may include using standard contractual clauses approved by the European Commission or ensuring that the recipient country has adequate data protection laws.

We process personal data only as long as necessary to fulfill the purposes for which they were collected, including any legal, accounting or reporting requirements, in accordance with the principle of storage minimization.

The exact storage period depends on the type of personal data and the purpose of processing. For detailed information about storage periods for specific processing, see the relevant sections in chapter 7 of this privacy notice.

We process personal data with care and sharing of personal data takes place in accordance with applicable data protection legislation.

Service providers: We use services from various providers to help us provide our services, comply with legal requirements and fulfill our contracts. Examples of such services include: cloud storage and server hosting, finance and accounting systems, customer service systems, etc. These providers may act as our data processors (or sub-processors) and in such cases we enter into data processing agreements with them in accordance with Article 28 of GDPR. Legal basis for processing personal data is our legitimate interest.

Authorities: We may share personal data if required to comply with applicable laws and regulations when we are legally obliged to do so, for example to police, tax authorities or other authorities, to fulfill our legal obligations. Legal basis for this processing: Legal obligation.

As a data subject under GDPR, you have the following rights:

Right to information: You have the right to receive clear information about how we process your personal data, including purposes, categories of data and any recipients. We inform about our processing in this privacy notice.

Right of access: You can request a copy of your personal data that we process and receive information about the processing, including any cross-border transfers and safeguards.

Right to rectification: If your personal data is incorrect or incomplete, you have the right to have it corrected.

Right to erasure ("right to be forgotten"): Under certain circumstances, you may request that we delete your personal data, for example if it is no longer needed for the purpose it was collected for or if you withdraw your consent.

Right to restrict processing: You may request that we restrict the processing of your personal data, for example if you dispute their accuracy or if the processing is unlawful.

Right to data portability: If we process your personal data based on consent or contract, you have the right to receive them in a structured, machine-readable format and to have them transferred to another data controller, where technically possible.

Right to object: You may object to our processing of your personal data if it is based on legitimate interest. You always have the right to object to processing for direct marketing purposes.

You can contact us via our contact details at the end of this privacy notice if you wish to exercise any of your rights under GDPR. Exercising your rights is free of charge, unless your request is unreasonable, unfounded or repetitive.

To ensure that we handle your request correctly, we may need to verify your identity. We respond to your request within one month, but in complex cases or high workload, the response time may be extended by up to two months.

We update this privacy notice as needed to keep the information correct and current. You are responsible for reading the latest version which is always available on our website. If we make significant changes that affect how we process your personal data, we will inform you if required by law.

If you have questions about this privacy notice or our processing of personal data, you can contact us via:

If you are dissatisfied with our processing of your personal data, you can file a complaint with the Swedish Data Protection Authority (IMY):

You can also turn to a supervisory authority in your country of residence. A list of EU supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en