Privacy Policy

Art. 13 GDPR — Information about the processing of personal data

Last updated: March 2026

1. Controller

AMS Vision AB ("ASPACE Vision")
Org. No: 559517-5950
Valhallavägen 56, 114 27 Stockholm, Sweden
Privacy contact: privacy@aspace.tech

ASPACE has not appointed a formal Data Protection Officer (DPO). Art. 37(1) GDPR does not require one for ASPACE's processing profile: ASPACE is not a public authority, does not carry out large-scale systematic monitoring, and does not carry out large-scale processing of special-category (Art. 9) or criminal-conviction (Art. 10) personal data. The Privacy Contact role is fulfilled by the named Internal Privacy Lead: Pelle Nyman, Head of Product; Internal Privacy Lead — privacy@aspace.tech. Data-subject requests (Art. 15–22) and all privacy questions can be sent to this address.

2. What personal data we process

When you use the aprivacy compliance portal, we process:

  • Account data (admin users): Name, email address, organisation, profile picture (from Google OAuth)
  • Portal session data (signers): Signer name, title, email, portal progress, step completion timestamps, electronic acknowledgment data
  • Technical data: Browser type, access timestamps, IP address (server logs)

3. Purpose and legal basis

The lawful bases for our processing differ by data subject category. Customer signers (named representatives of customer organisations) and ASPACE admin users (ASPACE employees and contractors) are processed on different bases — see the "Data subject" column.

Purpose | Data subject | Legal basis | Details
Provide the compliance portal service | Customer signers | Art. 6(1)(f) legitimate interest | Delivery of the contracted compliance documentation service to the customer organisation via its named representatives. The customer organisation (not the individual signer) is the contracting party with ASPACE; per EDPB Guidelines 2/2019 on Art. 6(1)(b) Section 3, Art. 6(1)(b) does not cleanly extend to employees of the contracting organisation who are not personally party to the contract. The inline three-step balancing test is documented in our Record of Processing Activities (ROPA), Processing Activity 3 (Customer Organization Management).
Record compliance acknowledgments and e-signatures | Customer signers | Art. 6(1)(f) legitimate interest | Recording the signer's identity, title, and timestamp as evidence of the customer organisation's compliance documentation acceptance. Art. 5(2) accountability and legal-claim defence. Same EDPB 2/2019 analysis as above.
Authenticate admin users via Google OAuth | ASPACE admin users | Art. 6(1)(b) contractual necessity | Necessary to provide secure access to the admin interface. Admin users are personally party to their employment or engagement contract with ASPACE.
Server logging, activity logging, and security monitoring | Both | Art. 6(1)(f) legitimate interest | IT security, incident detection, service reliability, access-control enforcement, compliance accountability, and legal-claims defence.

We do not rely on consent as a legal basis for any portal processing. The portal does not use "accept" or "agree" mechanisms to establish lawfulness.

You have the right to object (Art. 21 GDPR) to any processing based on legitimate interest. See §7 for full details.

4. Recipients and data sharing

Your data may be shared with:

  • Your organisation: Admin users within your customer organisation can view portal session data and completed compliance packages
  • Google Ireland Ltd (OAuth provider): Authentication is handled via Google OAuth. Google Ireland Ltd receives authentication requests and provides account data (name, email, profile picture). Google Ireland Ltd is an independent controller for authentication data and processes it under its own privacy policy. Transfers involving Google services are covered by the EU–US Data Privacy Framework (DPF) and Google's applicable data processing terms.
  • Infrastructure providers: Server hosting within the EEA

We do not sell personal data or share it with third parties for marketing purposes.

5. International transfers

Google OAuth authentication may involve data transfers to the United States. These transfers are covered by Google's participation in the EU–US Data Privacy Framework (DPF), as recognised by the European Commission's adequacy decision of 10 July 2023. All other processing occurs within the EEA.

6. Retention periods

Data category | Retention period
Customer portal working records (session progress, signer input, and package administration) | Duration of the customer relationship; after termination, deleted or returned unless continued storage is required for signed-package evidence, security, compliance, or legal claims
Completed/signed compliance packages | Duration of the service contract plus 10 years
Admin account data | Duration of employment plus 6 months; deleted upon request or account closure
Server logs | 90 days
Activity logs | 5 years; logs relating to signed compliance packages are retained for the same duration as the corresponding signed package

Activity and audit logs are retained where necessary to demonstrate compliance, investigate incidents, enforce access controls, or defend legal claims. Access to these logs is restricted, and they are not used for marketing or profiling.

These retention periods represent our data management targets. Automated enforcement of retention limits is planned but not yet fully implemented. Data may be retained beyond the stated periods until automated deletion is deployed; manual deletion is available on request.

7. Your rights (Arts. 15–22 GDPR)

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17), subject to our retention obligations
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Not to be subject to a decision based solely on automated processing, including profiling that produces legal effects or similarly significantly affects you (Art. 22). See §8 — this portal does not engage in such processing.

To exercise any of these rights, contact privacy@aspace.tech. We will respond within 30 days. If we need additional time (up to 60 additional days for complex requests), we will notify you within the initial 30-day period.

8. Automated decision-making (Art. 13(2)(f))

This portal does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

9. Obligation to provide data (Art. 13(2)(e))

Providing your name, email, and title is necessary to use the compliance portal and complete the e-signature process. If you do not provide this data, we cannot deliver the compliance documentation service. There is no statutory obligation to provide data.

10. Cookies, local storage, and PDF generation

This portal uses:

  • Session cookies: Strictly necessary for authentication (NextAuth session cookie)
  • Local storage: Portal progress is saved in your browser's localStorage to preserve your work between sessions. This data stays on your device and is synced to our servers when you save progress.
  • Puppeteer (server-side): PDF documents are generated server-side using Puppeteer (headless Chromium). This processing occurs entirely on our servers; no additional data is collected from your browser for this purpose.

No analytics cookies, tracking pixels, or third-party advertising technologies are used.

11. Supervisory authority

You have the right to lodge a complaint with the Swedish Data Protection Authority:

Integritetsskyddsmyndigheten (IMY)
www.imy.se
Box 8114, 104 20 Stockholm

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our processing activities or legal requirements. Material changes will be communicated through the portal interface. The "Last updated" date at the top indicates the most recent revision.