Privacy Policy
We value your privacy. Learn how we collect, use, and protect your personal information across our platform.
INTRODUCTION
Welcome to Things at Web Sweden AB’s Privacy Policy. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our services and tell you about your privacy rights and how the law protects you.
1.1 Controller Information
Things at Web Sweden AB is the controller and responsible for your personal data (collectively referred to as “Things at Web”, “we”, “us” or “our” in this privacy policy).
Company Details
- Organization Number: 559299-2241
- Address: Sockerbruksgatan 7, 531 40 Lidköping, Sweden
- Phone: +46707770727
- Email: kontakt@thingsatweb.se
- Website: https://www.thingsatweb.com
1.2 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact:
Data Protection Officer
- Email: dpo@thingsatweb.com
- Phone: +46707770727
- Postal: DPO, Things at Web Sweden AB, Sockerbruksgatan 7, 531 40 Lidköping, Sweden
1.3 Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the “Last Updated” date. For material changes, we will provide additional notice through email or on our website.
OUR SERVICES AND DATA PROCESSING ROLES
2.1 Services We Provide
Things at Web Sweden AB provides comprehensive technology services including:
- Web Development and Design: Custom websites, e-commerce platforms (WooCommerce, Magento), WordPress development
- Mobile App Development: iOS and Android application development with AI integration
- IoT Solutions: Internet of Things implementations for real-time monitoring and predictive maintenance
- Digital Marketing: SEO optimization, Google Ads, social media marketing campaigns
- Domain and Hosting Services: Web hosting on Amazon AWS, domain registration, SSL certificates
- Cloud Infrastructure Management: AWS and Google Cloud Platform hosting and management
2.2 Our Data Processing Roles
We process personal data in two distinct capacities:
As Data Controller:
- For our own business operations (website visitors, contact form submissions, marketing communications)
- For direct client relationships where we determine processing purposes
- For recruitment and employment data
As Data Processor:
- When providing technology services to clients (we process data on their behalf)
- When managing cloud infrastructure containing client data
- When developing applications that handle end-user data for our clients
PERSONAL DATA WE COLLECT
3.1 Data We Collect as Controller
When you interact with our website or request our services, we collect:
- Identity Data: First name and last name, Company name and title, Organization number (for business clients)
- Contact Data: Email address, Telephone number, Business address
- Technical Data: IP address, Browser type and version, Device information, Time zone setting and location, Operating system and platform
- Usage Data: Information about how you use our website, Pages visited and time spent, Referral source
- Marketing and Communications Data: Your preferences for receiving marketing from us, Your communication preferences
3.2 Data We Process as Processor
When providing services to our clients, we may process various types of personal data on their behalf, including but not limited to:
- End-user account information (names, emails, phone numbers)
- Transaction and payment data (tokenized payment information)
- Usage analytics and behavioral data
- Device and technical information
- Location data (when relevant to services)
- Any other data our clients collect through systems we develop and maintain
Important: When we act as a processor, our clients (the data controllers) are responsible for informing their users about data collection and use. We process this data only according to our clients’ documented instructions and applicable data processing agreements.
HOW WE COLLECT YOUR PERSONAL DATA
4.1 Direct Interactions
You provide personal data directly when you:
- Submit contact forms on our website
- Request quotes or services
- Subscribe to newsletters or marketing communications
- Engage with us via email, phone, or social media
- Participate in surveys or provide feedback
4.2 Automated Technologies
We automatically collect technical and usage data when you visit our website using:
- Cookies and similar tracking technologies
- Server logs
- Analytics tools (Google Analytics)
4.3 Third Parties
We may receive personal data from:
- Business partners and referral sources
- Analytics providers
- Publicly available sources (business registries)
HOW WE USE YOUR PERSONAL DATA
5.1 Legal Basis for Processing
We will only use your personal data when the law allows us to. Most commonly, we use your personal data in the following circumstances:
- Contract Performance (Article 6(1)(b) GDPR): To provide our services and fulfill our contractual obligations
- Legal Obligation (Article 6(1)(c) GDPR): To comply with legal requirements such as accounting and tax obligations
- Legitimate Interests (Article 6(1)(f) GDPR): For business development, service improvement, and security purposes
- Consent (Article 6(1)(a) GDPR): For marketing communications and optional data processing
5.2 Purposes of Processing
We use your personal data for the following purposes:
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Service delivery and project management | Identity, Contact, Technical | Contract Performance |
| Customer support and communication | Identity, Contact, Communications | Contract Performance, Legitimate Interests |
| Marketing and business development | Identity, Contact, Marketing | Consent, Legitimate Interests |
| Website analytics and improvement | Technical, Usage | Legitimate Interests |
| Security and fraud prevention | Technical, Usage | Legitimate Interests |
| Legal compliance and reporting | All categories | Legal Obligation |
5.3 Marketing Communications
We will only send you marketing communications if you have opted in. You can opt out at any time by:
- Using unsubscribe links in emails
- Contacting dpo@thingsatweb.com
- Updating your preferences in your account settings
WHO WE SHARE YOUR DATA WITH
6.1 Service Providers (Data Processors)
We share personal data with trusted third-party service providers who assist in delivering our services:
| Service Provider | Location | Services | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Stockholm, Sweden | Cloud hosting and infrastructure | ISO 27001, SOC 2, AWS DPA |
| Google Cloud Platform | Finland (EU) | Backup and disaster recovery | ISO 27001, Google Cloud DPA |
| Google Analytics | USA (EU processing) | Website analytics | IP anonymization, SCCs |
| Email service providers | EU/EEA | Email communications | GDPR compliance, DPAs |
6.2 Other Recipients
We may also share your personal data with:
- Professional Advisors: Lawyers, accountants, auditors (under confidentiality obligations)
- Government Authorities: Tax authorities (Skatteverket), law enforcement when legally required
- Business Partners: With your consent or when necessary for service delivery
6.3 Data Processing Agreements
All our data processors are required to sign Data Processing Agreements (DPAs) that ensure they:
- Process data only on our documented instructions
- Implement appropriate security measures
- Assist with GDPR compliance obligations
- Delete or return data upon termination
INTERNATIONAL DATA TRANSFERS
7.1 Primary Data Location
Your personal data is primarily stored and processed within the European Economic Area (EEA):
- Primary Location: AWS eu-north-1 (Stockholm, Sweden)
- Backup Location: Google Cloud europe-north1 (Hamina, Finland)
7.2 Transfers Outside EEA
When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission approved contracts for data transfers
- EU-US Data Privacy Framework: For certified US companies
- Adequacy Decisions: For countries deemed adequate by the EU Commission
- Transfer Impact Assessments: Risk assessments for all third-country transfers
You can request copies of our transfer safeguards by contacting dpo@thingsatweb.com.
DATA SECURITY
8.1 Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for system access
- Regular security audits and vulnerability assessments
- Firewalls and intrusion detection systems
- Secure backup and disaster recovery procedures
Organizational Measures:
- Limited access on a need-to-know basis
- Employee confidentiality agreements
- Regular data protection training
- Incident response procedures
- Vendor security assessments
8.2 Data Breach Response
In the unlikely event of a personal data breach:
- We will notify Integritetsskyddsmyndigheten (Swedish Data Protection Authority) within 72 hours
- If the breach poses a high risk to your rights, we will notify you directly
- We maintain a breach register as required by GDPR
DATA RETENTION
We retain personal data only as long as necessary for the purposes collected:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Client project data | Duration of relationship + 3 years | Legal claims defense |
| Financial records | 7 years | Swedish Accounting Act |
| Marketing consents | Until withdrawn | Active consent required |
| Website analytics | 14 months | Google Analytics default |
| Customer support logs | 3 years | Service improvement |
| Anonymized data | Indefinite | No longer personal data |
YOUR LEGAL RIGHTS
Under GDPR, you have the following rights regarding your personal data:
10.1 Your Rights
- Right to Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure (Article 17): Request deletion of your data (‘right to be forgotten’)
- Right to Restriction (Article 18): Limit how we process your data
- Right to Data Portability (Article 20): Receive your data in machine-readable format
- Right to Object (Article 21): Object to certain processing activities
- Rights regarding Automated Decision-Making (Article 22): Not be subject to purely automated decisions
10.2 How to Exercise Your Rights
Contact our Data Protection Officer:
DPO Contact
- Email: dpo@thingsatweb.com
- Phone: +46707770727
- Mail: DPO, Things at Web Sweden AB, Sockerbruksgatan 7, 531 40 Lidköping, Sweden
10.3 Response Timeline
- Acknowledgment: Within 3 business days
- Response: Within 30 days
- Complex requests: May extend to 90 days total (we’ll inform you of delays)
10.4 Right to Complain
If you’re not satisfied with our response, you have the right to complain to:
Integritetsskyddsmyndigheten (IMY)
- Website: imy.se
- Email: imy@imy.se
- Phone: 08-657 61 00
- Address: Box 8114, 104 20 Stockholm
COOKIES AND SIMILAR TECHNOLOGIES
11.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and allow certain features to work.
11.2 Types of Cookies We Use
- Essential Cookies (Always Active): Required for website functionality, Enable security features
- Analytics Cookies (With Consent): Google Analytics: Track website usage and visitor patterns, Help us improve our website and services
- Marketing Cookies (With Consent): Track advertising campaign effectiveness, Enable targeted advertising
11.3 Managing Cookies
You can control cookies through:
- Our cookie consent banner when you first visit
- Your browser settings (all browsers allow cookie blocking)
- Contacting us to update your preferences
THIRD-PARTY LINKS
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies when you leave our site.
CHILDREN’S PRIVACY
Our services are intended for business-to-business purposes and are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
CHANGES TO THIS PRIVACY POLICY
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the “Last Updated” date at the top
- We will post a notice on our website
- We will notify you by email (for significant changes)
CONTACT INFORMATION
15.1 General Inquiries
Things at Web Sweden AB
- Address: Sockerbruksgatan 7, 531 40 Lidköping, Sweden
- Phone: +46707770727
- Email: kontakt@thingsatweb.se
- Website: https://www.thingsatweb.com
15.2 Data Protection Inquiries
Data Protection Officer
- Email: dpo@thingsatweb.com
- Phone: +46707770727
- Post: DPO, Things at Web Sweden AB, Sockerbruksgatan 7, 531 40 Lidköping, Sweden
15.3 Supervisory Authority
Integritetsskyddsmyndigheten (IMY)
- Website: www.imy.se
- Email: imy@imy.se
- Phone: 08-657 61 00
GLOSSARY
- Personal Data: Information relating to an identified or identifiable person
- Processing: Any operation on personal data (collection, storage, use, deletion, etc.)
- Controller: Organization determining purposes and means of processing
- Processor: Organization processing data on controller’s behalf
- Data Subject: Individual whose personal data is processed
- GDPR: General Data Protection Regulation (EU) 2016/679
- DPA: Data Processing Agreement
- EEA: European Economic Area
- SCCs: Standard Contractual Clauses for international data transfers
