Privacy Policy
Last updated: April 9, 2024
Sana Labs is committed to protecting and respecting your privacy.
We want you to feel safe when we process your personal data. Our Privacy Policy explains how we ensure that your personal data is handled in compliance with applicable legislation and it applies to our processing of personal data, in the capacity of data controller relating to our customers and users of our services, visitors to our websites, and to other business contacts.
If you are a user of our services, you either use our services as:
- a consumer user ("Consumer User”), for example, if you have signed up for our services yourself, visiting our website, or if you apply for a job; or
- a user invited to use a service by a company or other entity which is a customer of ours (“User of Company Subscriber”), for example, if you are invited to use the services by your employer.
Please note that some of our processing of personal data differs depending on if you are a Consumer User or a User of Company Subscriber, which is why we ensure to always state in our Privacy Policy if the processing only applies for a particular group of users. If you are a User of a Company Subscriber, we process your personal data in the capacity of data processor or service provider, when providing our services to our customer that is a company subscriber (i.e., the entity that invited you to use the service, for example, your employer). In relation to such processing, the company subscriber is data controller or business and hence responsible for providing information to you about its processing of personal data and addressing your rights as a data subject. We will endeavor to provide assistance to our customers to address any concerns you may have in accordance with the terms of our contract with such customer. Additionally, for any deidentified data that we collect from you on behalf of our customer or receive directly from a customer in our role as a data processor or service provider, we commit to processing that deidentified data only in a deidentified fashion and will not attempt to re-identify personal data.
We only use your personal data for the purposes specified in this Privacy Policy and not in any manner that is incompatible with those purposes.
1. General
Sana Labs AB, reg. no. 559060–6579, (“Sana Labs,” "us," “we,” or "our") is committed to protecting and respecting your privacy. We want you to feel that we respect your privacy when we process your personal data. This Privacy Policy (“Privacy Policy”) explains how we ensure that your personal data is handled in compliance with applicable legislation and applies to all of our processing of personal data relating to our customers and users of our services, visitors to our websites, and to other business contacts.
We use your personal data to be able to operate our business and meet our obligations and responsibilities in relation to applicable legislation and good industry practice.
2. Data controller
Sana Labs is the data controller for the processing of your personal data other than when we act as a processor or service provider on behalf of a customer that is a company subscriber, as described above. Sana Labs is responsible for ensuring that the processing is carried out in accordance with applicable legislation. If you have any questions regarding the processing of your personal data, you will find our contact details at the end of this Privacy Policy.
3. Our use of your personal data
3.1 The purposes of processing
We use your personal data for the following purposes:
● If you are a Consumer User, to provide and manage our services;
● If you are a User of a Company Subscriber, to administer the agreement with our subscriber;
● Administration and provision of support services and account services;
● To improve our services by training our algorithms using user feedback data;
● For statistics, analysis, and business development;
● To market our services through newsletters, social media, publications, and events;
● To prevent fraud and other abuse;
● To comply with legal obligations;
● To establish and defend legal claims; and
● To enable mergers, divestitures, restructuring, reorganization, dissolution, and other sale or transfers of Sana Labs' assets.
We, or any of our third party service providers, do not train large language models with your data.
3.2 Categories of personal data processed
● User:
○ Name
○ Username
○ Password
○ Alphanumeric identifier
○ Access level and system role
○ Profile picture
○ Custom attributes from Subscriber’s pre-approved integrations
● Content:
○ In-meeting content: video, audio, images, chat, text, recordings, transcriptions, interactive card responses, files, calendar dates
○ Self-paced content: video, audio, images, chat, text, interactive card responses, files, calendar dates
○ Search queries: end-user’s submitted queries
○ Third-party content: Content from Subscriber’s pre-approved integrations
● Performance:
○ Time
○ Completion data
○ Progress
○ Course and path assignments
○ Favorites
● Device:
○ Browser type
○ IP-address
○ Operating system
○ Location
○ Device type
○ MAC address
● Activity:
○ Event logs (e.g., action taken, event type, event location, timestamp, client UUID, user ID, and channel ID)
○ Cookies
○ Session information (e.g., frequency, average and actual duration, quantity, quality, network activity, and network connectivity)
○ Session facilitator/participant ID
● Telemetry:
○ Sound output and input
○ Video
○ Network type
● Support:
○ Troubleshooting subject
○ Problem description
○ Post-session feedback (score of 1-5 and free text)
○ User-supplied attachments (e.g., recordings, transcripts or screenshots, text, post-session feedback)
● Billing and administration:
○ First and last name
○ Signature
○ Phone number
○ Address
3.3 How we process your personal data for each purpose
Below you can find more information about our processing of your personal data in relation to our purposes of processing:
Purpose: If you are a Consumer User, to provide and manage our services. |
||
Categories of personal data: ● User ● Content ● Learning ● Device ● User activity ● Telemetry ● Technical support and feedback ● Any additional information you share through email / chat communication with us |
||
What we do: We process your personal data in order to provide you with our services and use of our services and to communicate with you.
|
Legal basis: The processing is necessary for the purpose of fulfilling the agreement with you, including administering our services.
|
Retention period: Personal data stored to provide and manage our services will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as you have an account to use our services or websites, or as set forth in our agreement. We may also need to store your personal data for a reasonable time thereafter in order to fulfill any surviving terms of our agreements. |
Your rights: Please see Section 9 below for information about your rights. |
||
Purpose: If you are a User of a Company Subscriber, to administer the agreement with our subscribers. |
||
Categories of personal data: ● Technical support and feedback ● Billing and administration ● Any additional information you share through email / chat communication with us |
||
What we do: We process your personal data in order to be able to administrate the agreement with the Company Subscriber by processing information such as the contact person at the Company Subscriber.
|
Legal basis: The processing is necessary for our legitimate interest in processing your personal data in order to administer the agreement with our customers, which we assess, outweighs the data subjects’ interest in privacy.
|
Retention period: Personal data stored to administer the agreement with our customer will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as the agreement is valid, and you are the appointed contact person or similar. We may also need to store your personal data for a reasonable time thereafter in order to fulfill any surviving terms of our agreement with our customer. |
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
||
Purpose: Administration and provision of support services and account services. |
||
Categories of personal data: ● Technical support and feedback ● Billing and administration ● Any additional information you share through email / chat communication with us |
||
What we do: We process your personal data in order to provide our support services, account services, etc.
|
Legal basis: The processing is necessary for our legitimate interest of processing your personal data in order to administer the provision of our services, which we assess outweighs the data subjects’ interest in privacy.
|
Retention period: Personal data stored to administer the provision of the services will be stored during the time period that it is necessary in order to fulfill the purposes with our processing, which is usually as long as you are a user of the services. We may also need to store your personal data for a reasonable time thereafter in order to administer the ending of your account and fulfill any terms of our agreement with our customer. |
Your rights: You have the right to object to processing of your personal data based upon a legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
||
Purpose: To improve our services by training our algorithms. |
||
Categories of personal data: ● User ● Content ● Learning ● Device ● User activity ● Telemetry ● Technical support and feedback ● Any additional information you share through email / chat communication with us
|
||
What we do: We process your personal data in order to improve our services by training our algorithms. We will ensure the personal data is pseudonymized and anonymized to the extent possible for us to fulfill the purpose of processing. |
Legal basis: Processing is necessary for our legitimate interest in improving our services by training our algorithms, which we assess outweighs the data subjects’ interest in privacy. We will ensure the personal data is pseudonymized and anonymized to the extent possible for us to fulfill the purpose of processing. |
Retention period: We store your personal data as long as necessary in order to train and improve the algorithms used in our services. We will not store such personal data for a longer time period than one year without anonymizing it.
|
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
||
Purpose: For statistics, analysis, business development, and recruiting. |
||
Categories of personal data: ● User ● Content ● Learning ● Device ● User activity ● Telemetry ● Technical support and feedback ● Billing and administration ● Any information shared through meetings / email / chat communication with us |
||
What we do: We use your personal data within our market and customer analyses of our services which mainly constitute usage statistics and data from customer analyses. We also use third party tracking services to provide relevant and tailored services. We do not share your personal data with our affiliates and / or partners of Sana Labs. The result of our analysis is used to get insight into the needs of our users. We will ensure the personal data is pseudonymized and anonymized to the extent possible for us to fulfill the purpose of processing.
|
Legal basis: Processing is necessary for our legitimate interest in analyzing the use of our services and websites in order to improve our business and services or develop new services, which we assess outweighs the data subjects’ interest in privacy.
Your consent, in relation to the processing of personal data in the form of cookies that is not necessary for the function of the service, in order to analyze the use of our website and our services. We will ensure the personal data is pseudonymized and anonymized to the extent possible for us to fulfill the purpose of processing. |
Retention period: Personal data stored in order to create statistics, analysis, and business development will be retained as long as necessary to fulfill the purpose, but no longer than one year without anonymizing it.
|
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. When our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. Please see Section 9 below for more information about your rights. |
||
Purpose: To market our Company and services through newsletters, social media, publications, and events |
||
Categories of personal data: ● Billing and administration ● IP Address ● Any information shared through meetings / email / chat communication with us |
||
What we do: We process your personal data within the scope of our marketing, as we provide relevant and tailored communication to our audience. We do not share your personal data with our affiliates and / or partners. |
Legal basis: Processing is necessary for the purposes of our legitimate interests to be able to market our services. Sana Labs’ legitimate interest outweighs the data subjects’ right to privacy as Sana Labs processes personal data that is not characterized by sensitivity to data subjects’ integrity and because the data subject has the right to object to the processing of his or her personal data for marketing purposes. Your consent, in relation to our processing of your personal data in social media, publications, and events. |
Retention period: Personal data processed to contact you for marketing purposes will be stored for one year from the date when we collected your data or the date when we last used your data to contact you. You may at any time unsubscribe from our mailings. If you unsubscribe, you will no longer receive mailings.
|
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. When our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. Please see Section 9 below for more information about your rights. |
||
Purpose: To prevent fraud and other abuse. |
||
Categories of personal data: ● User ● Content ● Learning ● Device ● User activity ● Telemetry ● Technical support and feedback ● Any additional information you share through email / chat communication with us |
||
What we do: We process your personal data in order to prevent fraud and other abuse of our services or etc. |
Legal basis: Processing is necessary for our legitimate interest of preventing fraud related to our services and ensuring that our services and/or websites are not used for other purposes than intended which overrides the interest of protection of your privacy. |
Retention period: We will store your personal data for the purposes to prevent fraud and other abuse as long as you are necessary to fulfill the purpose but no longer than one year.
|
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
||
Purpose: To comply with legal obligations. |
||
Categories of personal data: ● User ● Content ● Learning ● Device ● User activity ● Telemetry ● Technical support and feedback ● Any additional information you share through email / chat communication with us |
||
What we do: We process your personal data to comply with our legal obligations under applicable law.
|
Legal basis: We need to process personal data to comply with our legal obligations under applicable legislation, such as the Anti-Money Laundering Act, the Accounting Act and to respond to your request to exercise your rights under the GDPR. |
Retention period: We will store your personal data as long as necessary for us to fulfill our legal obligations. Personal data processed to fulfill legal obligations in the Accounting Act will be stored for seven years. Data processed to fulfill the Anti-Money Laundering Act will be stored for five to ten years depending on the circumstances. |
Your rights: Please see Section 9 below for information about your rights. |
||
Purpose: To establish and defend against legal claims. |
||
Categories of personal data: ● All of the above. |
||
What we do: In case of a dispute, we are entitled to process your personal data to establish, exercise, or defend the legal claim.
|
Legal basis: Processing is necessary for the purposes of our legitimate interests of the establishment, exercise, or defense of legal claims. In case of a dispute, we are entitled to process your personal data since we assess that our interest in safeguarding our interests in a dispute overrides your interest in the protection of your privacy. |
Retention period: We will store your data for the purposes of establishing or defending Sana Labs against legal claims for as long as you can make legal claims against us. This means that we may store personal data during any warranty period and until any limitation period has expired. The general limitation period is ten years under the Act on Limitations. |
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
||
Purpose: To enable mergers, divestitures, restructuring, reorganization, dissolution, and other sale or transfers of Sana Labs’ assets. |
||
Categories of personal data: ● All of the above. |
||
What we do: In case of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of Sana Lab’s assets we may need to process your personal data in order to enable such transfer. |
Legal basis: Processing is necessary for the purposes of our legitimate interests of enabling mergers, divestitures, restructuring, reorganization, dissolution and other sale or transfers of Sana Labs' assets which we assess overrides your interest in the protection of your personal data. |
Retention period: The personal data will be processed as long as necessary to fulfill the purpose of the processing. Personal data that is transferred to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Sana Labs' assets will not be stored by Sana Labs after such transfer unless required to fulfill any of the other purposes set out above. |
Your rights: You have the right to object to the processing of your personal data based upon legitimate interest as legal basis. Please see Section 9 below for more information about your rights. |
4. Collection of personal data
4.1 Personal data you provide to us
The personal data that we process about you is data that you have provided us with or that we have otherwise acquired as part of the provision of our services. We collect personal data:
● If you are a User of a Company Subscriber, when we initiate a business relationship with a new company subscriber;
● When you create an account to use our services or create a new user for that account;
● When you submit user-interaction data to our services;
● When you complete transactions through our websites, such as fulfilling an order for our services;
● When you perform search queries on our services;
● When you contact our support team;
● Through online forms and otherwise through our websites;
● When you apply for a job;
● When you seek general information about the company;
● Through emails sent to and from Sana Labs; and
● When you share information with us through other means, such as meetings, conversations, social media, or online forms.
4.2 Personal data that we collect from other sources
We may also collect or receive information about you from other sources such as public registers. If you are a User of a Company Subscriber, we may collect personal data provided by the company subscriber, for example when the company subscriber invites you to use the service. We collect personal data from other sources such as:
● If you are a User of a Company Subscriber, the company subscriber;
● Public registers;
● UC (a business and credit reference agency);
● Swedish Companies Registration Office (Sw. Bolagsverket);
● LinkedIn Website Retargeting;
● Google Analytics (Google Ireland Limited);
● Google Tag Manager (Google Ireland Limited);
● G2 (G2.com),
● Clearbit (APIHub, Inc.),
● Bombora (Bombora, Inc.),
● Mutiny (Mutiny HQ Corporation), and
● Facebook Ads conversion tracking (Facebook pixel) (Facebook Ireland Ltd).
5. Automated decision-making
We do not use processes for automatic decision-making.
6. Retention of personal data
We retain your personal data only for as long as necessary for the purposes for which we originally collected the data in accordance with this Privacy Policy. When we no longer need to save your data, we will remove it from our systems, databases, and backups. The retention time depends on the context and cannot in all cases be specified, in that case, we will provide information about the factors deciding the retention time.
If return or destruction is incidentally prohibited by a valid legal order, Sana Labs shall take measures to inform you and block such personal data from any further processing (except to the extent necessary for its continued hosting or processing required by applicable law) and shall continue to appropriately protect the personal data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess personal data, require the authorized sub-processor to take the same measures that would be required of Sana Labs. Sana Labs shall, as soon as such valid legal order allows for it, at the choice of Subscriber, securely delete or return all Personal Data to Subscriber.
For more detailed information on how long we retain your personal data in relation to our purposes of the processing, see Section 3.
7. With whom do we share your personal data?
We may share personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Policy. We may share data with:
● If you are a User of a Company Subscriber, the respective Company Subscriber under the terms of the Agreement;
● Third party service providers. The categories of third party service providers to whom we entrust your information include service providers for: (i) the provision of the Services; (ii) the provision of information, products, and other services you have requested, including Non-Sana Labs Services as that term is defined in the Agreement; (iii) marketing and advertising; (iv) payment and transaction processing; (v) customer service activities; (vi) the provision of IT and related services; and (vii) fraud prevention and user authentication.
● Our subsidiaries and affiliates;
● A buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Sana Labs' assets;
In certain circumstances, we may also need to disclose personal data upon the request from authorities or to third parties in connection with court proceedings or business acquisition or combination processes, or other similar processes.
We will not sell your personal data.
8. Where do we use your personal data?
Sana Labs will process your personal data within the EU/EEA. However, we occasionally need to transfer personal data to third countries, either directly or through our sub-processors. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures such as the European Commission’s standard contractual clauses, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.
9. Your rights
9.1 Our responsibilities for your rights
In the capacity of data controller, we are responsible for ensuring that your personal data is processed in compliance with applicable laws and that you can exercise your rights. You may contact us at any time if you wish to exercise your rights. You will find our contact details at the end of this Privacy Policy.
We have an obligation to respond to your requests to exercise your rights within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline to two more months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
You will not be charged for requesting information, for communication, or measures that we carry out. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.
9.2 Your rights to access, rectification, erasure, and restriction
You have the right to request:
Access to your personal data. This means that you have the right to request access to the personal data that we hold about you. You also have the right to be provided, at no cost, a copy of the personal data about you that we are processing. We have the right to charge a reasonable administration fee if you request further copies. If you make a request in electronic form, e.g. via email, we will provide you with the information in a commonly used electronic format.
Rectification of your personal data. At your request or on our own initiative, we will correct, anonymize, delete or complement data that is inaccurate, incomplete, or misleading. You also have the right to complete any incomplete personal data if something relevant is missing.
Erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if:
● it is no longer needed for the purpose for which we collected it;
● we process your personal data based on the consent provided by you and you withdraw your consent;
● you object to us processing your data based on a legitimate interest assessment and we have no compelling interest that overrides your interests and rights;
● we have processed the personal data unlawfully;
● or we have a legal obligation to erase personal data.
However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than in compliance with the law or where there are no compelling legitimate grounds for doing so.
In the event you would like to exercise your right for the erasure of your personal data, please use this form and send an email with the subject line “Erasure of Personal Data Request” and the completed form attached to legal@sanalabs.com. We will confirm receipt of the completed form and take reasonable steps to ensure you are the data subject. Upon verification, we will complete the erasure without undue delay.
Restriction of processing. This means that we temporarily restrict the processing of your data. You have the right to request restriction when:
● you consider your data to be inaccurate and you have requested rectification as defined above, while we establish the accuracy of the data;
● the processing is unlawful and you do not want the data to be erased;
● as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise, or defend a legal claim;
● or you have objected to processing as defined in Section 9.3.1, while waiting for us to consider whether our legitimate interests override yours.
We will take all reasonable measures possible to notify everyone who has received personal data as stated in Section 7 above if we have rectified, erased, or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.
Your right to object to processing
You have the right to object to the processing of your personal data if our processing is based upon legitimate interests (see Section 3 above). If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.
If you do not wish that we use your personal data for direct marketing, you have the right to object to such processing by contacting us. We will cease to use your data for that purpose when we have received your objection.
Your right to withdraw your consent
When we need your consent in order to process your personal data, you always have the right to withdraw such consent at any time by contacting us.
Your right to data portability
You have the right to data portability. This means the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that these data are transferred to another personal data controller. The right to data portability only applies when the processing is being carried out by automated means and our lawful basis for processing your data is the performance of an agreement between you and us or your consent.
Your right to complain to a supervisory authority
You have the right to lodge a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten) if you are not satisfied with our processing of your personal data.
10. Protection of your personal data
We always want you to feel confident about providing us with your personal data. We have therefore taken appropriate security measures to protect your personal data against unauthorized access, alteration, and erasure. Even though we work hard to protect your data, no security measures are perfect or impenetrable. Should a security breach occur that may materially impact you or your personal data, e.g., risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.
We strongly advise you to be cautious and to protect your own personal data. You are responsible for keeping your passwords confidential and avoiding others from observing your personal data when using our services in public spaces.
11. Cookies
We use cookies that may include personal data to improve, analyze and administer our websites and services and your experience of them. You can find more information about this in our Cookie Notice.
12. Changes to the Privacy Policy
We have the right to make changes to this Privacy Policy at any time. When we make changes that are not purely editorial, such as formatting, typographical error corrections, or other changes that do not materially affect you, we will inform you of these changes and what they mean for you before they become effective.
13. Contact details
Do not hesitate to contact us if you have any questions about this Privacy Policy, our processing of your personal data, or if you wish to exercise your rights.
Sana Labs AB, reg. no. 559060–6579 E-mail: legal@sanalabs.com Website: https://sanalabs.com/