Privacy Policy

1. What data we process

We process the following categories of personal data:

• Account data — email address, hashed password, account creation date, last login.
• Billing data — name, billing address, VAT number (if applicable), and a Stripe customer identifier. Card numbers are handled by Stripe; we never see or store them.
• Usage data — server logs of API requests (timestamp, route, response status, user identifier, IP address). We never log email addresses in correlation logs.
• Preference data — language preference cookie, saved favourite companies, and any preferences you explicitly configure.

2. Why we process it (purposes and lawful basis)

We process your personal data on the following lawful bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)) — providing the Service, authenticating you, processing payments.
• Legitimate interests (Art. 6(1)(f)) — keeping the Service secure, preventing abuse, basic aggregated analytics. Our interest is balanced against your rights.
• Legal obligation (Art. 6(1)(c)) — retaining accounting records under the Swedish Accounting Act (bokföringslagen).
• Consent (Art. 6(1)(a)) — for any non-essential cookies and for sending optional marketing emails. You may withdraw consent at any time.

3. Who we share data with (sub-processors)

We use a small number of trusted sub-processors to operate the Service. Each is bound by a Data Processing Agreement and processes data only on our instructions:

• Stripe Payments Europe Ltd. (Ireland) — payment processing and subscription billing.
• Fly.io (USA, with EU regions) — application hosting and managed database.
• Cloudflare Inc. (USA, with EU edge) — CDN, DNS, and the marketing site hosting.

4. International transfers

Some of our sub-processors are based outside the EU/EEA. Where they process personal data outside the EU/EEA, transfers are protected by Standard Contractual Clauses approved by the European Commission, and by additional safeguards where required. You may request a copy of the safeguards by contacting us.

5. How long we keep data

We keep personal data only for as long as necessary for the purposes described above:

• Account data — deleted immediately when you delete your account.
• Favourites and preferences — deleted immediately when you delete your account.
• Server logs — kept for up to 30 days, then deleted automatically.
• Accounting and invoicing data — retained for seven (7) years from the end of the calendar year to which they relate, as required by the Swedish Accounting Act.

6. Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you;
• Have inaccurate data corrected;
• Have your data erased (subject to legal retention obligations);
• Restrict or object to certain processing;
• Receive your data in a portable format;
• Withdraw consent, where processing is based on consent;
• Lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — see imy.se.

7. Security

We use industry-standard security measures: encrypted connections (TLS), hashed passwords, least-privilege access controls, and audit logging. No system is perfectly secure, but we work to reduce the risk of unauthorised access or loss.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection within 72 hours and, where the risk is high, notify affected users without undue delay.

8. Cookies

See our Cookie Policy for the cookies we set and how to manage them.

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced via the Service or by email at least thirty (30) days before they take effect.

10. Contact

Privacy questions or requests: privacy@verket.app.