[Square brackets] are to be filled in.
Privacy Policy
Template, review by qualified counsel before publishing. Replace every [bracketed] placeholder. A Swedish-language version is required for the consumer-facing site at vattenlarmet.se.
*Last updated: [date].*
Partsnord Europe AB ("Partsnord", "we", "us") is committed to protecting your personal data. This Privacy Policy explains what we collect through the Site (vattenlarmet.se) and the Service, why, on what legal basis, and what rights you have. We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Swedish Supplementary Data Protection Act (2018:218).
1. Controller and contact
Partsnord Europe AB, Torshamnsgatan 27, SE-164 40 Kista, Sweden ([org.nr 559XXX-XXXX]) is the controller for personal data processed for our own purposes (visitors, account holders, billing, security).
Data Protection Officer / privacy contact: dpo@partsnord.com.
2. Controller vs. processor, important
- For website visitors, account data, billing and security, Partsnord is the controller.
- For a business customer's recipient lists (names, phone numbers and email addresses of caretakers/residents that the customer enters to receive alarms), the business customer is the controller and Partsnord is the processor, acting on the customer's instructions under a Data Processing Agreement (DPA).
- For a private individual using the Service for their own property, Partsnord is the controller of the data they provide.
3. What we collect and why
| Category | Examples | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Name, email, role, organisation | Provide and secure the Service | Contract (b) |
| Recipient data | Name, phone, email of alarm recipients | Deliver SMS/email alarms | Contract (b); for B2B, processed on the controller-customer's behalf |
| Device & event data | Device ID, valve status, timestamps | Operate alarm logic, support | Contract (b); legitimate interest (f) |
| Usage & technical | IP (hashed), browser, log data | Security, troubleshooting, abuse prevention | Legitimate interest (f) |
| Consent records | Cookie choices, timestamp, version | Demonstrate valid consent | Legal obligation (c) / consent (a) |
| Support & enquiries | Messages you send us | Respond to you | Legitimate interest (f) |
| Cookies | See the Cookie Policy | See the Cookie Policy | Consent (a), except strictly necessary |
We do not sell personal data, and we do not use automated decision-making that produces legal or similarly significant effects.
4. Recipients and sub-processors
We share personal data only with service providers ("sub-processors") that help us run the Service, under written agreements and only as needed:
- Supabase, application database, authentication and serverless functions (hosting region: [EU]).
- Twilio, SMS delivery.
- Resend, email delivery.
- Lovable / [hosting provider], website hosting.
- Public authorities where required by law.
A current list of sub-processors is available on request from dpo@partsnord.com.
5. International transfers
We seek to keep processing within the EU/EEA. Where a sub-processor processes data outside the EU/EEA, we rely on an adequacy decision or the EU Standard Contractual Clauses together with supplementary measures, as appropriate.
6. Retention
We keep personal data only as long as necessary for the purposes above or as required by law: account data for the life of the account and a reasonable period thereafter; device/event logs for up to [90 days] (operational logs) / [period] (records); consent records for [the statutory limitation period]; support enquiries for [period]. We then delete or anonymise the data.
7. Security
We maintain appropriate technical and organisational measures, governed by our ISO/IEC 27001:2022 information-security management system. These include role-based access control and tenant isolation (row-level security), encryption in transit, secrets management, audit logging, least-privilege keys, and a documented incident-response process.
8. Your rights
You have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; obtain data portability; and withdraw consent at any time (without affecting prior processing). To exercise any right, contact dpo@partsnord.com or use the privacy controls in your account. If a business customer is the controller of your data, we will refer your request to that customer.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, SE-104 20 Stockholm, imy@imy.se.
9. Cookies
The Site uses cookies and similar technologies. For details and to manage your choices, see the Cookie Policy and the cookie preference centre.
10. Changes
We may update this Privacy Policy from time to time. Your data will always be processed under the policy in effect at the time of collection. We encourage you to review this page periodically.
