Policy on Privacy and Personal Data Processing

(Version 1:2023)


Privacy in personal data processing is paramount to Comlink AB. Therefore, we strive towards maintaining a high level of data security. This document describes our policy, what personal data we collect and how we use it within our Service. The policy also includes your rights and how you can use them.

Please feel free to contact us anytime when you have questions about how we process your personal data. Our contact information is at the end of this text.

What is personal data, and what does processing personal data involve? Everything that can directly or indirectly be attributable to a living, natural person is covered by the term personal data. This involves more than simply name and personal identity number, including images and email addresses.

Processing personal data involves everything that is done to your personal data in an electronic processing system, whether this involves using mobile units or computers. This includes collecting, registration, structuring, storing, processing, and transferring any information. In certain instances, processing may also involve actions taken outside a digital system. This applies to using a registry.

GDPR roles and how they apply within our Service
Data Controller All "Users" of the Service (entity or person) that register for accounts in our Service in accordance with the "General Terms of Service" GTS and "Data Processing and Data Security Agreement" DPA. These terms, which may be changed from time to time, are available for review at https://www.comlinksweden.com/terms/ These Users determines the purpose of the processing of personal data and how the data is processed in the Service. Data Controller is responsible for obtaining consent from Data Subjects.
Joint Data Controller Users can share access to "Devices" (Physical hardware which is connected to and administrated in our Service) with other Users. They thereby become Joint Data Controllers and enter into a Joint Data Controller Agreement which is integrated as part of the Data Processing and Data Security Agreement.
Data Processor Comlink AB is the processor of personal data (Comlink AB, CRN. 556514-0190, Energigatan 10B, 434 37 Kungsbacka, Sweden).
Data Subject Users may store information about individuals (Data Subjects) which are thereby granted limited (non admin) access to a Device. This data is generally limited to name, phone number and email address. No sensitive (special category) data may be stored within the Service.

What personal data do we collect about you, and why?
Data Controller Users of the Service register for an account and we process the relevant personal data such as name, email address, phone number, company, address, zip-code, city, country, selected language, and owned Devices. We also process Data Controller interactions with the Service.
Data Subjects We primarily process name, email address and phone number of Data Subjects. We also process the Data Subjects interactions with Devices along with timestamp of the event.

We process personal data for the purpose of providing the agreed services and products to the User. We will also process personal data to manage and administer our relationship with the User.

Comlink AB always processes personal data in compliance with applicable laws. We process personal data when necessary to fulfil our obligations under a contract for the Service, respond to your request for service, or when we have another legitimate and justified interest in processing your personal data, such as to inform you about changes in the Service.

The lawful basis for us to process personal data is User's explicit consent (when registering for User account) and on the following lawful bases:
Performance of contract
- Provision of the Service (administratively and electronically) and supporting the Service (such as keeping statistics, optimizing, uphold safety and security relating to the Service and to comply with legal requirements).
- Billing and payment processes.
- Establish and defend legal claims.
- To ensure the security of our services and products, to detect and prevent use of the Service that is in violation of law or the terms and conditions for the Service. We also process data to prevent abuse of the Service, and to detect and prevent fraud, virus attacks etc.
Compliance with legal obligation
- To ensure the security of our services and products, to detect and prevent use of the Service that is in violation of law or the terms and conditions for the Service. We also process data to prevent abuse of the Service and subscriptions, and to detect and prevent fraud, virus attacks etc.
- To meet our obligations under law, for example the Swedish Bookkeeping Act, and to response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Legitimate interest
- To ensure necessary performance of functionality of the Service, to do technical enhancements and for improving the standard of the Service and security, to collect statistics for the Service, and to perform necessary log/register maintenance.
- To ensure adequate and correct communication with the User in relation to the Service subscriptions. Communication calls, emails, and customer support online with our customer support may be recorded, analysed, and stored to train our employees and improve our ways of working.
User consent
- To ensure adequate and correct communication with the User in relation to the Service subscriptions. Communication calls, emails, and customer support may be recorded, analysed, and stored to train our employees and improve our ways of working.
- Processing of different types of data to market our products and services. For this purpose, we may also compile statistics for analysis.

We follow generally accepted standards to protect the personal data submitted to us, both during transmission and once it is received and stored. These security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications, or other materials submitted to and stored within the Service are found in our applicable Data Security Standards in the DPA. Below is more detailed information on what data is collected and what it is used for.

What sources do we retrieve personal data from?
User account information We collect and process personal data when User registers for a User account to access or utilize our Service.
Using the Service, Device transaction data and other statistics While using our Service the Service collects information about Device operations or whatever operation that may be available from such an operation. This information belongs to and is controlled by the User which enables the operation. We may also collect anonymous usage statistics to be used solely by us to improve the Service and to find and fix problems and for improving safety and security when using the Service. We may also use mobile analytics software to allow us to better understand the functionality of our mobile versions of the App and the Service on mobile devices. This mobile analytics software may record information such as how often the App, the events that occur within the App, aggregated usage, performance data, and where the application was downloaded from. We do not link any information that we store as usage statistics to any personally identifiable information that is submitted for the mobile application.
Location data You may choose to activate location data in the mobile device to use the App to locate position (GPS positioning and Beacons) in relation to Service. The Service will then request permission to use the location for displaying Devices, but the Service does not (itself) process and store this location data, and as such this location data is not included in the Service, not covered by this policy. The Service also use Device location data within the Service. Such location data is a special functionality or configuration to the Service and Devices. The location data together with the geographical position of a Device will indicate performed operations at a certain time at a certain geographical place. Such location data is included in the Service and will be stored in the Service related to Devices and as such covered by this Policy and our responsibility.
App When registering an App and downloading the App to a mobile device, the Service automatically collects information on the type of mobile device, and the operating Service version.
Other As for most websites and services delivered over the Internet, we gather certain information and stores it in log files while interacting with our websites and Service. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, searched information, locale and language preferences, identification numbers associated with Devices, mobile carrier, and system configuration information. Occasionally, we connect personal data to information gathered in our log files as necessary to improve our Websites and the Service. In such a case, we will treat the combined information in accordance with this Policy.

Who do we share your personal data with?
Data Subprocessor In certain situations, it may become necessary for us to hire a third party to perform some of our processing. For example, this may be when we hire various IT service providers to provide, for example, hosting for and maintenance of the Service, App development, backup, storage, payment processing, analytics, and other services for us. These third-party service providers may have access to or process personal data for the purpose of providing services to us. These parties are considered personal data subprocessors for us. An updated list of subprocessors is available at https://www.comlinksweden.com/terms/

Comlink AB is liable to enter contracts with all our personal data subprocessors and provide them with instructions regarding how they may process personal data. We naturally check to ensure that all our personal data subprocessors can provide sufficient guarantees regarding security and confidentiality of your personal data.

When we hire a personal data subprocessor, we do this only in full compliance with the purposes for which we process such data ourselves.

Personal information related to User account and Service operation will, as a technical necessity, be automatically shared with the User and its designated administrators, for the purpose of administering the Service and the subscription to the Service. We do not permit any third-party to use personal data for marketing purposes or for any other purpose than in connection with the services they provide to us. In certain situations, we may be required to disclose personal data, or specific operation data, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose such data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information to the extent necessary to investigate, prevent, or act regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our applicable subscription/license agreements, or as otherwise required by law. We may also share personal data with other third parties when we have consent to do so.

Where is your personal data stored? Personal data in the Service is processed and stored in in data-centres located Sweden.

All communication and transfer of personal data to and from the data-centres is encrypted. We use best practices in terms of encryption and security.

An updated list of data-centres is available at https://www.comlinksweden.com/terms/.

How long do we save your personal data? We only collect and process personal data for as long as needed for us to perform our contractual obligations to User, to comply with legal obligations, to resolve disputes, to preserve legal rights, or to enforce agreements.

We never save your personal data for longer than necessary for the purpose at hand. We have instituted clearing procedures to ensure that personal data is not stored longer than necessary for each specific purpose. The length of time this involves varies depending on the purpose for the processing. Certain bookkeeping data are required by law to be saved for seven years.

Once an User account is terminated, we will automatically delete or anonymize all personal data within 3 months from account-closure in accordance with the capabilities of the Service in accordance with GDPR Article 28(3)(g). Please note that data may be retained longer for reasons described herein, but then such data will be kept in an aggregated and anonymized way.

How do we process your personal identity number? We avoid processing personal identity numbers to the extent possible. Regarding processing of personal identity numbers, such as the corporate registration number for sole traders, this is necessary when such companies are customers, since the registration number is the same as the sole trader’s personal identity number.

Security breach? We have implemented and maintains appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a Data Security Breach), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected, including data security consistent with our applicable Data Security Standards in the DPA.

To report a Data Security Breach, please contact us at info@comlink.se or by phone at: +46 (0) 31-208600.

What are your rights regarding registered information? When you are recorded in a registry, you have several legally enforceable rights. The procedures available to you in enforcing these rights are described in the paragraph below headed ‘Exercising your rights.’ Here, we list the rights you have relating to registered data.
Right to registry extract (Right of access) If you want to know what personal data of yours that we process, you can request access to the data. When you submit such a request, we may ask you several questions to ensure efficient handling of your request. We will also take measures to ensure the information is requested by and provided to the right person.
Right of rectification If you find an error in your data, you have the right to request that it be corrected. You may also supplement any incomplete personal data. In certain instances, you can make the corrections yourself, in which case we will inform you.

Right to erasure You can request that we erase the personal data about you that we process, including:


- Data that is no longer necessary for the purposes for which they are processed.
- You object to the balancing of interests we have made regarding our legitimate interest, where your reasons for objecting weigh greater than our legitimate interest.
- Personal data is being processed illegally.
- The personal data has been collected regarding a child (less than 13 years) for whom you have parental responsibility.
- If the data was obtained based on your consent and you want to rescind that consent.

However, we may have the right to deny your request when legal duties prevent us from immediately erasing certain portions of your personal data. We may also be required to process such information to be able to establish, pursue, or defend a legal claim. If we are prevented from erasing your personal data, we will block that data from being able to be used for other purposes than those preventing their erasure.

Right to restriction You have the right to request that our processing of your personal data be restricted. If you object to the factual correctness of the personal data that we process, you may request restriction to that processing for the period we need to ensure that the personal data is correct.

If, and when, we no longer need your personal data for the established purposes, our normal procedure is to delete them. If you require them to be able to establish, pursue, or defend a legal claim, you may request restrictions to our processing of your personal data. This means that you can request that we do not delete and erase your data. If you have objected to a balancing of legitimate interests that we have made as legal grounds for a purpose, you may request restriction to that processing for the period we need to ensure that our legitimate interest weighs greater than your interests in having the data erased.

If the processing has been restricted as provided in any of the situations described above, we may, in addition to simply storing that data, only process them to establish, pursue, or defend a legal claim, to protect the rights of a third party, or where you have issued your consent.
Right to object certain types of processing At all times, you have a right to object to all processing of your personal data that relies on a balancing of interest. You also have the right to stop their use for direct marketing.
Right to data portability As the person registered, you have the right to data portability if our right to process your personal data relies on either your consent or fulfilment of a contract with you. A prerequisite for data portability is that the transfer is technically possible and can be done automatically.
Exercising your rights Your request for a registry extract, or your demand to invoke any of your other rights, shall be made in writing with your handwritten signature. We will respond to your request without undue delay, or not later than within 30 days. Email your request to info@comlink.se. The email shall, to the extent possible, be sent from the email address you are registered with at Comlink AB.

Cookies and why we use them We use cookies for our website and Service. According to the Electronic Communications Act, all those visiting a website with cookies shall be given access to information that the website contains cookies and the purpose of these. The user shall also be given the opportunity to consent to cookies being saved on the computer. We use two types of cookie. Persistent cookies, which are a text file stored on your computer, and session cookies, which are only stored temporarily and disappear when the user shuts down the web browser. We use these two types of cookie to both optimize the functionality of the Website and Service and to be able to analyze statistics so that we will be able to provide the best possible service and offers in its contact with the user. In order to be given access to the Service, it is necessary for the user to approve our use of cookies. By using the Service, the user consents to us using cookies in order to offer the Service and the best possible experience to the user.

Supervisory Authority You have the right to complain to a Data Protection Authority about our collection and use of personal data. For more information, please contact your local data protection authority in the EEA. If you are in Sweden, you may complain to Integritetsmyndigheten (imy.se).

Will this Policy change? Should European Parliament and/or the Council pass new regulations and/or issue any guidelines which contains terms that conflict with those used in this Policy, we reserve the right to change this policy from time to time to make it compliant with any such new legislation or guideline. The latest version of our privacy policy is always available at our website https://www.comlinksweden.com/terms/.

Contact us when you have any question about how we process personal data! Our data protection representative is Peder Kierkemann. If you have any question about how we process personal data, or you want to request to invoke your rights as detailed above, you are always welcome to contact us at: info@comlink.se or by phone at: +46 (0) 31-208600.