Sana is committed to protecting and respecting your privacy.

We at Sana Labs AB, reg. no. 559060–6579, (“Sana,” "us," “we,” or "our") want you to feel safe when we process your personal data. This Privacy Notice (“Privacy Notice”) explains how we ensure that your personal data is handled in compliance with applicable legislation and it applies to our processing of personal data, in the capacity of data controller, relating to our customers and users of our services, visitors to our websites, and to other business contacts. We use your personal data to be able to operate our business and meet our obligations and responsibilities in relation to applicable legislation and good industry practice.

If you are a user of our services, one of the following user categories applies to you:

1. a user that signed up for our services independently in our online purchasing portal or applied for our free services including the free services we offer within the Civic Tier ("Self-Serve User”); or
2. a user invited to use a service by a company or other entity which is a customer of ours (“User of Company Subscriber”), for example, if you are invited to use the services by your employer.
3. you applied for a job at Sana, filled in a survey or otherwise communicate with Sana for example through email or social media platforms (“User of Communication Services”)

Please note that some of our processing of personal data differs depending on what User category applies to you, which is why we ensure to always state in our Privacy Notice if the processing only applies for a particular group of users.

We only use your personal data for the purposes specified in this Privacy Notice and not in any manner that is incompatible with those purposes.

1. Sana’s role when processing your data

If you are a User of a Company Subscriber, we process your personal data in the capacity of data processor or service provider, when providing our services to our customer that is a company subscriber (i.e., the entity that invited you to use the service, for example, your employer). In relation to such processing, the company subscriber is data controller or business and hence responsible for providing information to you about its processing of personal data and addressing your rights as a data subject. We will endeavor to provide assistance to our customers to address any concerns you may have in accordance with the terms of our contract with such customer. Additionally, for any deidentified data that we collect from you on behalf of our customer or receive directly from a customer in our role as a data processor or service provider, we commit to processing that deidentified data only in a deidentified fashion and will not attempt to re-identify personal data.

Sana is the data controller for the processing of your personal data other than when we act as a processor or service provider on behalf of a customer that is a company subscriber, as described above. Sana is responsible for ensuring that the processing is carried out in accordance with applicable legislation. If you have any questions regarding the processing of your personal data, you will find our contact details at the end of this Privacy Notice.

2. Our use of your personal data

1. Collection of personal data

1. Personal data you provide to us

The personal data that we process about you is data that you have provided us with or that we have otherwise acquired as part of the provision of our services. We collect personal data:

• Business with company subscriber: If you are a User of a Company Subscriber, when we initiate a business relationship with a new company subscriber;
• Account Creation: When you create an account to use our services, create a new user for that account or complete transactions through our websites, such as fulfilling an order for our services;
• Content: When you provide content to our services, e.g. search queries or uploaded files.  
• Interaction Data: When you submit user-interaction data, e.g. feedback ratings, to our services;
• Communication Services: When you contact our support team or otherwise communicate with us and share information with us through other means such as online forms, websites, emails sent to and from Sana, or social media.
• Job Applications: When you apply for a job; or
• Other events: When you seek general information about the company, participate in events or surveys.

1. Personal data that we collect from other sources

We may also collect or receive information about you from other sources such as public registers. If you are a User of a Company Subscriber, we may collect personal data provided by the company subscriber, for example when the company subscriber invites you to use the service. We collect personal data from other sources such as:

• If you are a User of a Company Subscriber, the company subscriber;
• Public registers;
• UC (a business and credit reference agency);
• Swedish Companies Registration Office (Sw. Bolagsverket);
• LinkedIn Website Retargeting;
• Google Analytics (Google Ireland Limited);
• Google Workspace APIs (Google Ireland Limited);
• Google Tag Manager (Google Ireland Limited);
• G2 (G2.com),
• Clearbit (APIHub, Inc.),
• Bombora (Bombora, Inc.),
• Mutiny (Mutiny HQ Corporation), and
• Meta Ads conversion tracking (Meta pixel) (Meta Platforms Ireland Ltd).

1.  The purposes of processing

We use your personal data for the following purposes:

• If you are a Self-Serve User, to provide and manage our services;
• If you are a User of a Company Subscriber, to administer the agreement with our subscriber;
• If you are a User of Communication Services, to communicate with you regarding job offerings, surveys and other communication initiated by you;
• Administration and provision of support services and account services;
• For statistics, analysis, business development and improvement of services;
• To market our services through newsletters, social media, publications, and events;
• To prevent fraud and other abuse;
• To comply with legal obligations;
• To establish and defend legal claims; and
• To reorganize or make changes to our business.

We may also aggregate or de-identify personal data so that it no longer identifies you, and use that information for the purposes described above, such as analyzing how our services are used, improving and adding features to them, and conducting surveys. We will store and use the de-identified information in de-identified form and will not attempt to re-identify it, unless required by law.

2. Categories of personal data processed

Category	Details
User	Name Email Username Password Alphanumeric identifier Access level and system role Profile picture Custom attributes from Subscriber’s pre-approved integrations
Content	In-meeting content: video, audio, images, chat, text, recordings, transcriptions, interactive card responses, files, calendar dates Any content or files provided or uploaded by the user to the platform Self-paced content: video, audio, images, chat, text, interactive card responses, files, calendar dates Search queries: end-user’s submitted queries AI chat interactions: messages, reactions, responses Interaction Data: query ratings, user feedback messages. Created content: authored course content, comments, generative input, uploaded files, videos, images Third-party content: Content from user’s connected integrations
Performance	Time Completion data Progress Content assignments Favorites Event attendance
Device	Browser type IP-address Operating system Location Locale Device type MAC address
Activity	Event logs (e.g., action taken, event type, event location, timestamp, client UUID, user ID, and channel ID) Cookies Session information (e.g., frequency, average and actual duration, quantity, quality, network activity, and network connectivity)
Telemetry	In video meetings during Live sessions in Sana Learn: network connectivity information, browser performance, microphone information, camera information Error and crash information
Support	Troubleshooting subject Problem description

3. How we process your personal data for each purpose

Below you can find more information about our processing of your personal data in relation to our purposes of processing:

​​Here is a general explanation of each 'legal basis' that Sana relies on to process your personal data to help you understand the table below:

• Performance of a Contract: When it is necessary for Sana (or a third party) to process your personal data to provide you with the Sana services we promised you and meet our obligations under the applicable agreement.. Where the legal basis for processing your personal data is performance of a contract, and you choose not to provide the information, you may be unable to use the Sana services.
• Legitimate Interests: When we process your personal data relying on legitimate interest grounds. This includes our commercial and non-commercial interests in providing an innovative and personalised service to you. Where the table below states that we rely on legitimate interests, we have provided a brief description of the legitimate interest. If you would like more information about this (including the balancing test), please contact us using the methods set out in Section 11 “Contact Details” below. In countries where legitimate interest is not an available lawful basis for Sana’s processing activities, we will instead rely on an alternative valid legal basis.
• Consent: When we ask you to actively indicate your agreement to our use of your personal data for a certain purpose of which you have been informed of. ​​Where we rely on consent to process your personal data, you can withdraw your consent to such activities at any time. Withdrawal of the consent does not affect the lawfulness of any processing which took place prior to you giving your consent to us.
• Compliance with Legal Obligations: When we must process your personal data to comply with a law or regulation in the markets we operate in, such as to comply with our obligations under tax and accounting laws. Where the legal basis for processing your personal data is compliance with legal obligations, and you choose not to provide the information, you may be unable to use the Sana services.
  

Purpose: If you are a Self-Serve User, to provide and manage our services.
Categories of personal data: User Content Device User activity Telemetry Technical support and feedback Any additional information you share through email / chat communication with us
What we do: We process your personal data in order to provide you with our services and use of our services and to communicate with you.	Legal basis: Performance of Contract.	Retention period: Personal data stored to provide and manage our services will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as you have an account to use our services or websites, or as set forth in our agreement. We may also need to store your personal data for a reasonable time thereafter in order to fulfill any surviving terms of our agreements.
Purpose: If you are a User of a Company Subscriber, to administer the agreement with our subscribers.
Categories of personal data: Technical support and feedback Billing and administration Any additional information you share through email / chat communication with us
What we do: We process your personal data in order to be able to administrate the agreement with the Company Subscriber by processing information such as the contact person at the Company Subscriber.	Legal basis: Performance of Contract. Legitimate Interest. The processing is necessary for our legitimate interest in processing your personal data in order to administer the agreement with our customers, which we assess, outweighs the data subjects’ interest in privacy.	Retention period: Personal data stored to administer the agreement with our customer will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as the agreement is valid, and you are the appointed contact person or similar. We may also need to store your personal data for a reasonable time thereafter in order to fulfill any surviving terms of our agreement with our customer.
Purpose: If you are a User of Communication Services
Categories of personal data: User Any information you share through email / chat communication with us
What we do: We process your personal data in order to provide communication to you e.g. in relation to job applications	Legal basis: Performance of Contract. Legitimate Interest. The processing is necessary for our legitimate interest of processing your personal data in order to respond to communication initiated by you, which we assess outweighs the data subjects’ interest in privacy.	Retention period:  Personal data stored to administer the provision of communication services will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as you are a user of the services or the communication matter is ongoing. We may also need to store your personal data for a reasonable time thereafter in order to administer the ending of your account and fulfill any terms of our agreement with our customer.
Purpose: Administration and provision of support services and account services.
Categories of personal data: Technical support and feedback Billing and administration Any additional information you share through email / chat communication with us
What we do: We process your personal data in order to provide our support services, account services, etc.	Legal basis: Performance of Contract.	Retention period:  Personal data stored to administer the provision of the services will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as you are a user of the services. We may also need to store your personal data for a reasonable time thereafter in order to administer the ending of your account and fulfill any terms of our agreement with our customer.
Purpose: For statistics, analysis, business development, improvement of services and recruiting.
Categories of personal data: User Content Device User activity Telemetry Technical support and feedback Billing and administration Any information shared through meetings / email / chat communication with us
What we do: We use your personal data within our market and customer analyses of our services which mainly constitute usage statistics, interaction data provided by the User, and data from customer analyses. We also use third party tracking services to provide relevant and tailored services. We do not share your personal data with our affiliates and / or partners of Sana. The result of our analysis is used to get insight into the needs of our users and understand how we can improve our services. We will ensure the personal data is pseudonymized and anonymized to the extent possible for us to fulfill the purpose of processing. For Self-Serve Users in Sana Agents, which are not within the Civic Tier, we may review your Content to understand the use of our services and improve the user experience. You can opt out from this feature at any time within the Sana Agents platform. We do not review specific Content of Civic Tier Users or Users of Company Subscribers. We, or any of our third party service providers, do not use your personal data to train artificial intelligence and/or machine learning models.	Legal basis: Legitimate Interest. Processing is necessary for our legitimate interest in analyzing the use of our services and websites in order to improve our business and services or develop new services. Consent. Your consent, in relation to the processing of personal data in the form of cookies that is not necessary for the function of the service, in order to analyze the use of our website and our services.	Retention period:  Personal data stored in order to create statistics, analysis, and business development will be retained as long as necessary to fulfill the purpose, but no longer than one year without anonymizing it.
Purpose: To market our Company and services through newsletters, social media, publications, and events
Categories of personal data: User Billing and administration IP Address Any information shared through meetings / email / chat communication with us
What we do: We process your personal data within the scope of our marketing, as we provide relevant and tailored communication to our audience. We do not share your personal data with our affiliates and / or partners.	Legal basis: Legitimate Interest. Processing is necessary for the purposes of our legitimate interests to be able to market our services. Sana’s legitimate interest outweighs the data subjects’ right to privacy as Sana processes personal data that is not characterized by sensitivity to data subjects’ integrity and because the data subject has the right to object to the processing of their personal data for marketing purposes. Consent. Your opt-in consent, in relation to our processing of your personal data in social media, publications, and events, when the applicable law requires it.	Retention period: Personal data processed to contact you for marketing purposes will be stored for one year from the date when we collected your data or the date when we last used your data to contact you. You may at any time unsubscribe from our mailings. If you unsubscribe, you will no longer receive mailings.
Purpose:  To prevent fraud and other abuse.
Categories of personal data: User Content Device User activity Telemetry Technical support and feedback Any additional information you share through email / chat communication with us
What we do: We process your personal data in order to prevent fraud and other abuse of our services or etc.	Legal basis: Legitimate Interest. Legitimate interest of preventing fraud related to our services and ensuring that our services and/or websites are not used for other purposes than intended.	Retention period:  We will store your personal data for the purposes to prevent fraud and other abuse as long as you are necessary to fulfill the purpose but no longer than one year.
Purpose: To comply with legal obligations.
Categories of personal data: User Content Device User activity Telemetry Technical support and feedback Any additional information you share through email / chat communication with us
What we do: We process your personal data to comply with our legal obligations under applicable law.	Legal basis: Compliance with Legal Obligations. We need to process personal data to comply with our legal obligations under applicable legislation, such as the Anti-Money Laundering Act, the Accounting Act and to respond to your request to exercise your rights under the GDPR.	Retention period: We will store your personal data as long as necessary for us to fulfill our legal obligations. Personal data processed to fulfill legal obligations in the Accounting Act will be stored for seven years. Data processed to fulfill the Anti-Money Laundering Act will be stored for five to ten years depending on the circumstances.
Purpose: To establish and defend against legal claims.
Categories of personal data: All of the above.
What we do: In case of a dispute, we are entitled to process your personal data to establish, exercise, or defend the legal claim.	Legal basis: Legitimate Interest.  Establishment, exercise, or defense of legal claims. In case of a dispute, we are entitled to process your personal data since we assess that our interest in safeguarding our interests in a dispute overrides your interest in the protection of your privacy.	Retention period: We will store your data for the purposes of establishing or defending Sana against legal claims for as long as you can make legal claims against us. This means that we may store personal data during any warranty period and until any limitation period has expired. The general limitation period is ten years under the Act on Limitations.
Purpose: To reorganize or make changes to our business.
Categories of personal data: All of the above.
What we do: In case of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of Sana Lab’s assets we may need to process your personal data in order to enable such transfer.	Legal basis: Legitimate Interest. Processing is necessary for the purposes of our legitimate interests of enabling mergers, divestitures, restructuring, reorganization, dissolution and other sale or transfers of Sana assets.	Retention period: The personal data will be processed as long as necessary to fulfill the purpose of the processing. Personal data that is transferred to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Sana’s assets will not be stored by Sana after such transfer unless required to fulfill any of the other purposes set out above.

When we process your personal data for a new purpose different from the purpose your personal data was originally collected for and we haven't asked for your consent, we will have to ensure that this new purpose is compatible with the initial purpose we collected it for. We will take into account any link between the two purposes and decide if the personal data can be used for this new purpose. Otherwise, we will take appropriate steps to ask for your consent or refrain from processing your personal data.

Your Rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. When our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. Please see Section 7 below for more information about your rights.

3. Automated decision-making

We do not use processes for automatic decision-making.

4. Retention of personal data

We retain your personal data only for as long as necessary for the legitimate purposes for which we originally collected the data in accordance with this Privacy Notice and relevant privacy and data protection regulations. When we no longer need to store your data, we will remove it from our systems, databases, and backups. The retention time depends on the context and cannot in all cases be specified, in that case, we will provide information about the factors deciding the retention time.

If return or destruction is incidentally prohibited by a valid legal order, Sana shall take measures to inform you and block such personal data from any further processing (except to the extent necessary for its continued hosting or processing required by applicable law) and shall continue to appropriately protect the personal data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess personal data, require the authorized sub-processor to take the same measures that would be required of Sana. Sana shall, as soon as such valid legal order allows for it, at the choice of Subscriber, securely delete or return all Personal Data to Subscriber.

For more detailed information on how long we retain your personal data in relation to our purposes of the processing, see Section 3.

5.  With whom do we share your personal data?

We may share personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Notice. We may share data with:

• Company Subscriber. If you are a User of a Company Subscriber, the respective Company Subscriber under the terms of the Agreement;
• Sana subsidiaries and affiliates.
• Third party service providers. Our third-party vendors and other service providers and contractors have access to your personal data, which may be raw personal data obtained from third party sources such as Google Workspace APIs (see section 2.1.2), to help carry out the services they are performing for us or on behalf of us. This may include vendors and providers who provide email or electronic communication services, tax, legal and accounting services, product fulfilment, payment processing, customer support, fraud prevention and detection, data enhancement, web hosting and cloud storage, research, analytics, and artificial intelligence, machine learning and statistical services. Such as for example, Google (Google Ireland Limited), Intercom (Intercom R&D Unlimited Company), Open AI (Open AI LP), SFDC Sweden AB (Salesforce.com, inc.), Slack (Slack Technologies, LLC), Segment (Segment.io, Inc.). We, or any of our third party service providers, do not use your personal data to train artificial intelligence and/or machine learning models.
• Other third parties. A buyer or other successor in the event of reorganization or changes to our business.
• Law Enforcement. In certain circumstances, we may also need to disclose personal data upon the request from authorities or to third parties in connection with court proceedings or business acquisition or combination processes, or other similar processes.

We will not sell your personal data.

6. Where do we use your personal data?

Sana will process your personal data within the EU/EEA. However, we occasionally need to transfer personal data to third countries, either directly or through our sub-processors. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures such as the European Commission’s standard contractual clauses, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.

7. Your rights

1. Our responsibilities for your rights

In the capacity of data controller, we are responsible for ensuring that your personal data is processed in compliance with applicable laws and that you can exercise your rights. You may contact us at any time if you wish to exercise your rights. You will find our contact details at the end of this Privacy Notice.

We have an obligation to respond to your requests to exercise your rights within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline to two more months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.

You will not be charged for requesting information, for communication, or measures that we carry out. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.

2. Your rights to access, rectification, erasure, and restriction

As a data subject you have the following rights:

Access to your personal data. This means that you have the right to request access to the personal data that we hold about you. You also have the right to be provided, at no cost, a copy of the personal data about you that we are processing. We have the right to charge a reasonable administration fee if you request further copies. If you make a request in electronic form, e.g. via email, we will provide you with the information in a commonly used electronic format.

Rectification of your personal data. At your request or on our own initiative, we will correct, anonymize, delete or complement data that is inaccurate, incomplete, or misleading. You also have the right to complete any incomplete personal data if something relevant is missing.

Erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if:

• it is no longer needed for the purpose for which we collected it;
• we process your personal data based on the consent provided by you and you withdraw your consent;
• you object to us processing your data based on a legitimate interest assessment and we have no compelling interest that overrides your interests and rights;
• we have processed the personal data unlawfully;
• or we have a legal obligation to erase personal data.

However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than in compliance with the law or where there are no compelling legitimate grounds for doing so.

In the event you would like to exercise your right for the erasure of your personal data, please use this form and send an email with the subject line “Erasure of Personal Data Request” and the completed form attached to privacy@sanalabs.com. We will confirm receipt of the completed form and take reasonable steps to ensure you are the data subject. Upon verification, we will complete the erasure without undue delay.

Restriction of processing. This means that we temporarily restrict the processing of your data. You have the right to request restriction under certain conditions, e.g. when: you consider your data to be inaccurate and you have requested rectification as defined above, while we establish the accuracy of the data; the processing is unlawful and you do not want the data to be erased; as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise, or defend a legal claim; or you have objected to processing as defined in Section 9.3.1, while waiting for us to consider whether our legitimate interests override yours.

We will take all reasonable measures possible to notify everyone who has received personal data as stated in Section 7 above if we have rectified, erased, or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.

Right to Object. You have the right to object to the processing of your personal data if our processing is based upon legitimate interests (see Section 3 above). If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.

If you do not wish that we use your personal data for direct marketing, you have the right to object to such processing by contacting us. We will cease to use your data for that purpose when we have received your objection.

Right to withdraw your consent. When we need your consent in order to process your personal data, you always have the right to withdraw such consent at any time by contacting us.

Right to data portability. You have the right to data portability. This means the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that these data are transferred to another personal data controller. The right to data portability only applies when the processing is being carried out by automated means and our lawful basis for processing your data is the performance of an agreement between you and us or your consent.

File a complaint. You have the right to lodge a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten) if you are not satisfied with our processing of your personal data.

8. Protection of your personal data

We always want you to feel confident about providing us with your personal data. We have therefore taken appropriate security measures to protect your personal data against unauthorized access, alteration, and erasure. Even though we work hard to protect your data, no security measures are perfect or impenetrable. Should a security breach occur that may materially impact you or your personal data, e.g., risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

We strongly advise you to be cautious and to protect your own personal data. You are responsible for keeping your passwords confidential and avoiding others from observing your personal data when using our services in public spaces.

9. Collection of personal data from children

Our services are not directed to or intended for children under 18 years of age, other than the free services provided to Civic Tier users above the age of 13 years. Processing of personal data relating to children using our Civic Tier services is subject to our Children’s Privacy Policy. We do not knowingly collect personal data from children under 13 under any circumstance. If you have reason to believe that a child under 13 has provided personal data to Sana via the service, we ask you to contact us at privacy@sanalabs.com. We will investigate every report and, if applicable, delete the personal data from our systems.

10. Cookies

We use cookies that may include personal data to improve, analyze and administer our websites and services and your experience of them. You can find more information about this in our Cookie Notice.

11. Changes to the Privacy Notice

We have the right to make changes to this Privacy Notice at any time. When we make significant changes that materially affect you, we will inform you of these changes and what they mean for you before they become effective.

12. Contact details

Do not hesitate to contact us if you have any questions about this Privacy Notice, our processing of your personal data, or if you wish to exercise your rights.

Sana is the data controller of your personal data processed under this Privacy Notice, unless you are a User of a Company Subscriber. We have appointed a Data Protection Officer who can be contacted by emailing our Privacy Mailbox at privacy@sanalabs.com - please mark the subject line of the email ‘For the attention of Sana’s Data Protection Officer'. You can also raise any privacy-related questions by contacting our Support Team on the Sana platform.

Sana Labs AB, reg. no. 559060–6579 E-mail: legal@sanalabs.com Website: https://sanalabs.com/