Privacy Policy
Information regarding processing of your personal data
Hippoly AB, Reg. No. 559101-3320, (“Hippoly”, “we”, “our” or “us”) provides a service with tools for safe and smooth board work. We value your privacy and are therefore committed to protecting your personal data and ensuring that your personal data is processed safely.
Hippoly is the data controller regarding the processing of personal data that is conducted within our business including this website, which is described in more detail in this policy. Should you have any questions regarding our processing of your personal data, please contact us at privacy@hippoly.com or via the contact details in section 7.
What kind of processing (which is a generic term in the EU Data Protection Regulation (”GDPR”) for operations which is performed on your personal data) that we carry out regarding your personal data, depends on the context in which you come into contact with us and in which capacity you act. To make it easier for you, we have divided this policy into different category sections based on which services you use with us, for example if you register as a user or contact us with a question, where under each category you can read about what kinds of processing are carried out.
After the category sections, follows multiple sections that are common to all types of services. These sections contain information about e.g., who we share your personal data with, where we process your personal data, what rights you have vis-à-vis us and how you get in touch with us.
It is important to us that you feel safe with what types of personal data we collect and, even more importantly, how we process them. Thus, this policy covers the necessary information about this, which is why we think it is important that you read and understand the information.
Please note that our website contains links to websites managed by somone other than us. These websites have (or should have) their own regulations about how that company processes personal data. We have no control over, nor can we take any responsibility for, what happens there. Thus, if you use these websites, you should take a closer look at that website’s privacy policy.
Protecting your personal and business data is an absolute priority for us at Hippoly. We have therefore implemented a wide range of technical and organisational security measures that ensure that your data is not lost or destroyed and that no unauthorised person accesses or use the data in an unauthorised way. You can read more about these measures and our security in our Security Policy.
1. Which personal data are used for what, on which legal basis and for how long?
1.1 Request for quotation
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| We collect your personal data and send you a quote based on these, as agreed. | From you: name, e-mail, phone number. | To be able to perform preparing measures on your request before we enter into a contract. | This processing takes place for as long as the quotation is in force. |
1.2 Purchase of service
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| Upon purchase of a subscription, we collect your personal data and use them to manage purchases, complaints and payment for our services. | From you: name, e-mail, phone number. | To be able to perform under the contract with you. | This processing takes place for as long as it is required for our performance under the contract.Invoice documentation is stored in accordance with applicable legislation. |
1.3 Use of the service
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| We collect your personal data and use it to provide the service, including for example offering you the possibility to e-sign documents. | From you: name, personal identification number (in specific countries), e-mail, phone number, title/role, profile picture, IP-address, Device-ID.From other sources:Company engagement (in specific countries). | To be able to perform under the contract with you or the company in which you are a board member/user. | This processing takes place for as long as it is required for our performance under the contract.However, if you are a board member and terminates your use of the service, information on your assignment as board member/user and the posts or the material that you have posted on the service will not be removed. This processing continues until the organisation/workspace is deleted from the service. |
1.4 When you contact Hippoly
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| We collect your personal data when you contact us, either by sending us an e-mail, by using our chat function or by a phone call with you. The data you provide will be used for the purpose of answering your questions. | From you: name, e-mail, phone number, IP-address, Device ID. | Our legitimate interest in being able to provide you with customer service or to be able to perform under the contract with you. | This processing takes place for as long as the matter for which you requested customer service is operative. |
1.5 When Hippoly contacts you
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| We collect your personal data and use it to contact you by email or phone in order to in order to inform you about updates or changes to the service. If we use a service provider for distribution of this, your personal data may be shared with them for this purpose. For more information on transfer of data can be found in section 2.1.1 | From you: name, e-mail, phone number. | To be able to perform under the contract with you. | This processing takes place for as long as it is required for our performance under the contract. |
1.6 Job application
| For what purposes we process your personal data, i.e. what we do and why | What personal data we process and where they come from | What is the legal basis for our processing? | For how long do we process your personal data for the specific purpose? |
| We collect your personal data and use them to carry out a recruitment process. | From you: name, social security number, e-mail, phone number, address, application documents (e.g. a resumé and a personal letter), notes from interview(s), additional information obtained from you in connection with your application. From other sources: Information about you as an employee from references provided by you. |
To comply with a legal obligation as employer and our legitimate interest in conducting a recruitment process. | This processing takes place during the recruitment process and for a period of two years thereafter, in order for us to be able to defend ourselves against any legal claims. |
1.7 Website users
We collect certain information about you when you visit our website without being logged in. This collection and processing are further described under section 5. below and in our Cookie Policy.
1.8 How have we performed the assessment of the balance of interests when the legal basis for processing your personal data is our legitimate interest?
For certain purposes, we process your personal data and rely on our legitimate interest as the legal basis for the processing. In assessing the legal basis, we rely on a balancing of interests test by which we have determined that our legitimate interests of the processing override your interest and your fundamental right not to have your personal data processed. We have stated our legitimate interest in the tables above. Please contact us if you want to read more about how this test has been performed. Our contact details can be found in section 7.
2. With whom do we share your personal data?
If we process your personal data pursuant to section 1, some or all of such personal data may be shared with certain specific recipients. When we share your personal data, we ensure that the recipient processes them in accordance with this privacy notice, by, e.g. entering into Data Transfer Agreements or Personal Data Processing Agreements with the recipients. The agreements ensure that your data are processed in accordance with the GDPR and this privacy policy. We would like to emphasize that we do not sell your personal data to any third party.
2.1 Categories of recipients with whom we may share your personal data
2.1.1 Suppliers and subcontractors
Recipients: We have agreements with other companies that perform certain services on our behalf. These services include, e.g. cloud infrastructure, data storage, email notifications, error monitoring, electronic document signing, SMS for two-factor authentication and security and operational monitoring. These companies gain access to your personal data to the extent necessary for them to fulfill their assignment, but they may not use or share the data for other purposes. Some of these companies are located outside the EU/EEA.
Purpose and legal basis: We sometimes need to access the services of other companies. In such cases, we have a legitimate interest of being able to access these. If the sharing of your personal data is necessary to fulfill that interest, and that interest overrides your right not to have your data processed, sharing may take place on the legal basis of legitimate interest. However, these companies may not process or use your personal for any other purposes than to perform the services pursuant to the agreement.
2.1.2 Third party in corporate transaction
Recipients: If we, or a significant part of our business, were to be sold to or integrated with a third party, your personal data may be passed on to the new owner of the business. Thereafter, the new owner of the business will be the data controller of your personal data.
Purpose and legal basis: If whole or part of our business is sold or integrated with another business, your personal data may be disclosed to our advisers, the potential buyer and their advisers and passed on to the new owner of the business.
2.2 Objections to the sharing of your personal data
You have the right to object to the sharing of your personal data, due to circumstances in your individual case. More information about your right to object can be found in section 4.5.
3. Where do we process your personal data?
The transfers described above may be made to recipients in Member States of the EU/EEA as well as in third countries whose legislation may differ from the rules for data protection within the EU/EEA. In the case of transfers to such third countries, we will take appropriate measures to ensure that your personal data are adequately protected.
We will ensure that appropriate safeguards are put in place by ensuring that at least one of the following conditions is met in each such transfer.
| Safeguard and description thereof | Which countries we transfer personal data to on the basis of the specified safeguard |
| Adequate level of protection according to art. 45 GDPR The European Commission has decided that certain countries outside the EU/EEA have a sufficiently high level of security. This means that personal data can be transferred there without any further action having to be taken with regard to the transfer itself (beyond what applies under the GDPR in general). A list of which countries are included can be found here. |
|
| EU-U.S Data Privacy Framework The European Commission has determined that U.S. organisations participating in, and certified under, the EU-U.S. Data Privacy Framework have a sufficiently high level of security, which means that personal data can be transferred to such recipients without the need to take any additional measures with regard to the transfer itself (in addition to what applies under the GDPR in general). A list of which organisations are certified can be found here. |
USA |
| Standard Contractual Clauses according to art. 46.2 GDPR Since only a few countries are considered to have an adequate level of protection, the most common measure to ensure sufficient protection in the event of a transfer outside the EU/EEA is to annex the EU Commission’s Standard Contractual Clauses pursuant to Implementing Decisions 2001/497/EC, 2010/87/EU or 2021/914/EU, without any changes or amendments in conflict with the clauses.If you want to read them in their entirety, you can download them via the European Commission’s website (under the heading Standard contractual clauses for international transfers (Word)). |
|
| Binding Corporate Rules according to art. 47 GDPR In some cases, a group may have established, and gotten approved by the competent supervisory authority (after review), Binding Corporate Rules, to ensure adequate protection of transfers between the Group’s companies. |
Right to obtain a copy – If you would like to receive further information about transfers to countries outside the EU/EEA, or if you would like to receive a copy of the safeguard we have used, you can contact us using the contact details set out in section 7. below.
4. What rights you have vis-à-vis us
According to applicable legislation, you have the right to exercise certain rights against us, when we process your personal data. Below we describe each right, and what it means for you in relation to the personal data we process. If you want to read more about what the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) writes about these rights, there are links under each section to the relevant page on the Swedish Authority for Privacy Protection’s website.
If you want to exercise any of these rights, want to know more, or have questions, please feel free to contact us at privacy@hippoly.com or by using the contact details set out in section 7. below.
4.1 Right to information
You have the right to be informed about how we process your personal data. In this privacy policy, we generally describe what personal data are processed by us in different contexts. If you want to know more about whether we process your personal data, and to what extent it is done, you can contact us as described above and request information about what personal data we process.
If you want to read more about the right to information – please see here.
4.2 Right to access your personal data (register extract)
We can also provide you with a copy, a so-called register extract, of the personal data processed by us. In the register extract, we provide information about e.g. which categories of personal data are processed, what the personal data are used for, for how long the data will be stored, with whom the personal data has been shared and where the data come from.
If you want to read more about the right to access – please see here.
4.3 Right to rectification
We strive to always have accurate personal data about you and to update them when necessary. If you discover that we process inaccurate data about you, you have the right to contact us as described above to have these corrected. You also have the possibility to correct your data as logged into Hippoly under your Profile and account settings. You also have the right to ask us to complete incomplete data if this is relevant based on the purposes for which your data are processed, by providing us with additional information.
If you want to read more about the right to rectification – please see here.
4.4 Right to erasure (right to be forgotten)
You have the right to request the erasure of your personal data. However, this right is not absolute. Certain conditions must be at hand in order for us to erase your data. For example, you may have the right to have data erased if they are no longer necessary for the purposes for which they were collected, if you withdraw your consent or if you object to us using your data for direct marketing.
The right to erasure is also limited in the event that an exception applies to the data in question. For example, we have the right to retain the data if it is necessary for establishing, exercising or defending legal claims.
If you want to read more about the right to erasure – please see here.
4.5 Right to object
You always have the right to object to our processing if the legal basis for the processing (this is stated in the various processing operations above in section 1) is that it is necessary for purposes relating to our legitimate interest.
If you object, we do not have the right to process the data anymore, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if it is needed for the establishment, exercise or defense of legal claims. If we consider that we have such legitimate grounds, or if the data are needed for the establishment, exercise or defense of legal claims, we will notify you of this, and the reasons for such assessment.
You can also object to your personal data being processed for marketing purposes (including profiling if this is included as part of this). If you do so, we will cease the processing for these purposes.
If you want to read more about the right to object – please see here.
4.6 Right to restriction
You can request that the processing of your personal data should be restricted, for example if you do not think that the information we have about you is correct or if you believe that the processing is unlawful. Such request can also be made during the time we investigate whether our legitimate interests override your interest of privacy when you object to the processing (see more about this under section 4.5 above).
If you want to read more about the right to restriction – please see here.
4.7 Right to transmit personal data (data portability)
You have the right to receive your personal data, that you have provided to us (in case the legal basis for our processing is consent or performance of a contract), in a structured, commonly used and machine-readable format. However, this presupposes that the processing takes place by automated means (i.e. not in physical form on paper). If technically possible, and you wish to do so, we may also transmit such personal data to another data controller.
If you want to read more about the right to transmit personal data (data portability) – please see here.
4.8 Right to withdraw your consent
You can withdraw the whole or part of the consent you have given at any time, with effect as from the withdrawal (i.e. the processing of personal data that we have carried out before the withdrawal will not be affected). This can be done by contacting us via the contact details in section 7.
4.9 Right to lodge a complaint with the competent supervisory authority
You can lodge a complaint to the Swedish Authority for Privacy Protection (or with another supervisory authority) if you believe that our processing of your personal data is not in accordance with applicable legislation.
If you want to read more about the right to lodge a complaint – please see here.
4.10 Requirements for exercising your rights
To protect your privacy, we may (if necessary) require you to prove your identity when you contact us to exercise your rights.
We handle your request to exercise your rights promptly. Your request will normally be answered within one month from the date the request was received by us. Only in the case of an unusually complicated request, or if we have received a large number of requests, the response time may be extended by up to two months. If an extension of the response time is decided upon, you will be notified of that.
5. Cookies and other tracking technologies
In order for us to deliver our services with the highest possible quality, we use so-called cookies and similar tracking technologies on our website.
When you visit our website, you will be asked if you consent to our use of cookies (with the exception of such necessary cookies that do not require your consent). You can delete cookies from your browser or adjust your settings for the use of cookies, at any time. You can read more about this in our Cookie Policy. In the cookie policy, we describe, e.g. what types of cookies we use, what they are used for and for how long they are stored.
6. Changes to, and updates of, the Privacy Policy
We may make changes to the privacy policy if this is necessary to describe how we process your personal data. All such changes are posted here on the website, which is why you should review the privacy policy at regular intervals and each time you use our services.
7. How you get in touch with us
If you have any questions or comments regarding the processing of your personal data, you can contact us via the e-mail address below.
Hippoly AB
Address: Masthamnsgatan 3,
SE 413 27 Gothenburg
E-mail: privacy@hippoly.com.