Privacy Policy

Sana Labs AB is committed to protecting and respecting your privacy.

We want you to feel safe when we process your personal data. Our Privacy Notice explains how we ensure that your personal data is handled in compliance with applicable legislation and it applies to all of our processing of personal data relating to our customers and users of our services, visitors to our websites and to other business contacts. We only use your personal data for the purposes specified in the Privacy Notice and not in any manner that is incompatible with those purposes. Kindly see our Privacy Notice for further information about our use of personal data and your rights related thereto.

1. GENERAL

1.1 Sana Labs AB, reg. no. 559060–6579, (“Sana Labs”) is committed to protecting and respecting your privacy. We want you to feel safe when we process your personal data. This Privacy Notice (“Privacy Notice”) explains how we ensure that your personal data is handled in compliance with applicable legislation and applies to all of our processing of personal data relating to our customers and users of our services, visitors to our websites and to other business contacts.

1.2 We need to use your personal data to be able to operate our business and meet our obligations and responsibilities in relation to applicable legislation and good industry practice.

2. DATA CONTROLLER

Sana Labs is the data controller for the processing of your personal data and is responsible for ensuring that the processing is carried out in accordance with applicable legislation. If you have any questions regarding the processing of your personal data, you will find our contact details at the end of this Privacy Notice.

3. OUR USE OF YOUR PERSONAL DATA

3.1 We use your personal data for the following purposes:

  • To provide and manage our services;
  • To improve our services by training our algorithms;
  • For statistics, analysis and business development;
  • To market our services e.g. through newsletters, social media, publications and events;
  • To prevent fraud and other abuse;
  • To comply with legal obligations;
  • To establish and defend legal claims;
  • To enable mergers, divestitures, restructuring, reorganization, dissolution and other sale or transfers of Sana Labs’ assets.

3.2 Below you can find more information about our processing of your personal data:

3.2.1 To provide and manage our services

Categories of personal data:

  • Contact information such as name, address, email address, phone number.
  • Work related data such as employer and title.
  • Payment information.
  • Education related data, such as test results and learning curves.
  • Any additional information you share through email or in relation to your use of our services or websites.

Legal basis:

  • Processing is necessary for the purpose of fulfilling the agreements with our customers and to receive payments for our services.
  • If we have an agreement with a legal person that you represent, the processing is necessary for the purposes of our legitimate interests of managing the relationship with you or the legal person that you represent.
  • In relation to processing of students’ and other third parties’ data, the processing is necessary for our legitimate interests to enable the provision of our services to our customers.

3.2.2 To improve our services by training our algorithms

Categories of personal data:

  • Education related data, such as test results and learning curves.

Legal basis:

  • Processing is necessary for our legitimate interest of improving our services by training our algorithms.

3.2.3 For statistics, analysis and business development

Categories of personal data:

  • Contact information such as name, address, email address, phone number.
  • Usage data such as cookie information, browsing pattern, behaviour on website and information you fill into online forms.
  • Device data such as IP-address, internet service provider, browser type, operating system and equipment used.
  • Demographic data, such as age and gender.
  • Survey data, such as responses to surveys we ask you to complete.

Legal basis:

  • Processing is necessary for our legitimate interest of analysing the use of our services and websites in order to improve our business and services or develop new services.

3.2.4 To market our services e.g. through newsletters, social media, publications and events

Categories of personal data:

  • Contact information such as name, address, email address, phone number.
  • Work related data such as employer and title.
  • Information shared through email.
  • Information that you share in meetings or at events.

Legal basis:

  • Processing is necessary for the purposes of our legitimate interests to be able to market our services.

3.2.5 To prevent fraud and other abuse

Categories of personal data:

  • Contact information such as name, address, email address, phone number.
  • Payment information.
  • Usage data such as cookie information, browsing pattern, behaviour on website and information you fill into online forms.
  • Device data such as IP-address, internet service provider, browser type, operating system and equipment used.
  • Information shared through email.

Legal basis:

  • Processing is necessary for our legitimate interest of preventing fraud related to our services and ensuring that our services and/or websites are not used for other purposes than intended.

3.2.6 To comply with legal obligations

Categories of personal data:

  • Contact information such as name, address, email address, phone number.
  • Payment information.
  • Work related data such as employer and title.
  • Identity documentation or background information that we have received from you or collected as a part of our customer intake process.

Legal basis:

  • We need to process personal data to comply with our legal obligations under applicable legislation, such as the Anti-Money Laundering Act, the Accounting Act and to respond to your request to exercise your rights under the GDPR.

3.2.7 To establish and defend legal claims

Categories of personal data:

  • All of the above.

Legal basis:

  • Processing is necessary for the purposes of our legitimate interests of the establishment, exercise or defence of legal claims.

3.2.8 To enable mergers, divestitures, restructuring, reorganization, dissolution and other sale or transfers of Sana Labs’ assets

Categories of personal data:

  • All of the above.

Legal basis:

  • Processing is necessary for the purposes of our legitimate interests of enabling mergers, divestitures, restructuring, reorganization, dissolution and other sale or transfers of Sana Labs’ assets.

4. COLLECTION OF PERSONAL DATA

4.1 The personal data that we process about you are data that you have provided us with or that we have otherwise acquired as part of the provision of our services. This data may be collected from the customer or from end-users of our services. We collect personal data:

  • When we initiate a business relationship with a new customer;
  • When you create an account to use our services or create a new user for that account;
  • When you submit user-interaction data to our services;
  • When you complete transactions through our websites, such as fulfilling an order for our services;
  • When you perform search queries on our websites;
  • When you contact our support team;
  • Through online forms and otherwise through our websites;
  • Through emails sent to and from Sana Labs; and
  • When you share information with us through other means, such as meetings, conversations, social media, events or online forms.

4.2 We may also collect or receive information about you from other sources, such as:

  • Public registers;
  • Bisnode Infotorg;
  • UC;
  • Swedish Companies Registration Office (Sw. Bolagsverket); and
  • Other third-party service providers.

5. AUTOMATED DECISION-MAKING

We do not use processes for automatic decision-making.

6. RETENTION OF PERSONAL DATA

6.1 We retain your personal data only for as long as necessary for the purposes for which we originally collected the data in accordance with this Privacy Notice. When we no longer need to save your data, we will remove it from our systems, databases and backups. The retention time depends on the context and cannot in all cases be specified in advance. Below you will find more information about our retention of your personal data.

6.2 Personal data stored to provide and manage our services will always be stored during the time period that you have an account to use our services or websites, or as set forth in our subscription agreements. We may also need to store the data for a reasonable time thereafter in order to fulfil any surviving terms of our agreements. Data stored for statistics, analysis and business development will not be stored for a longer time period than 4 years.

6.3 We store education related personal data for as long as necessary to train and improve the algorithms used in our services. We will not store such personal data for a longer time period than 4 years without anonymizing it.

6.4 Personal data processed to contact you for marketing purposes will be stored for one year from the date when we collected your data or the date when we last used your data to contact you. You may at any time unsubscribe from our mailings. If you unsubscribe, you will no longer receive mailings.

6.5 Personal data processed to fulfil legal obligations in the Accounting Act will be stored for seven years. Data processed to fulfil the Anti-Money Laundering Act will be stored for five to ten years depending on the circumstances. We may also retain personal data for 4 years to prevent fraud and other misuse of our services or websites.

6.6 We will store your data for the purposes of establishing or defending Sana Labs against legal claims for as long as you can make legal claims against us. This means that we may store personal data during any warranty period and until any limitation period has expired. The general limitation period is ten years under the Act on Limitations.

6.7 Personal data that is transferred to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Sana Labs’ assets will not be stored by Sana Labs after such transfer unless required to fulfil any of the other purposes set out above.

7. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

7.1 We may share personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Notice. We may share data with:

  • Our customers;
  • Our subsidiaries and affiliates;
  • Third party service providers such as Stripe, IT-suppliers, accountants and other support functions;
  • Third parties involved in organising events, such as hotels, restaurants, lecturers and other organisers;
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Sana Labs’ assets.
  • Social media providers, such as Instagram, Facebook, LinkedIn and YouTube. We kindly refer to the policy of each service provider for information on their processing of personal data.

7.2 In certain circumstances, we may also need to disclose personal data upon the request from authorities or to third parties in connection with court proceedings or business acquisition or combination processes, or other similar processes.

7.3 We will not sell your personal data.

8. WHERE DO WE USE YOUR PERSONAL DATA?

8.1 Sana Labs will mostly only process your personal data within the EU/EEA. However, we may sometimes need to transfer personal data to third countries. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.

8.2 Furthermore, some of our IT-suppliers may in some cases transfer personal data provided by us to the USA. Such IT-suppliers are certified to the EU-US Privacy Shield Framework for all personal data received from within the EU and also implement the EU Model Clauses. Privacy Shield is available here and the EU Model Clauses are available here.

9. YOUR RIGHTS

9.1 Our responsibilities for your rights

9.1.1 In the capacity of data controller, we are responsible for ensuring that your personal data is processed in compliance with applicable laws and that you can exercise your rights. You may contact us at any time if you wish to exercise your rights. You will find our contact details at the end of this Privacy Notice.

9.1.2 We have an obligation to respond to your requests to exercise your rights within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline to two more months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.

9.1.3 You will not be charged for any information, communication or measures that we implement. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.

9.2 Your rights to access, rectification, erasure and restriction

9.2.1 You have the right to request:

a) Access to your personal data. This means that you have the right to request access to personal data that we hold about you. You also have the right to be provided, at no cost, with a copy of the personal data that we are processing. We have the right to charge a reasonable administration fee if you request further copies. If you make a request in electronic form, e.g. via email, we will provide you with the information in a commonly used electronic format.

b) Rectification of your personal data. At your request or on our own initiative, we will correct, anonymise, delete or complete data that we know to be inaccurate, incomplete or misleading. You also have the right to complete any incomplete personal data if something relevant is missing.

c) Erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if: they are no longer needed for the purpose for which we collected them; we process your data based on consent provided by you and you withdraw your consent; you object to us processing your data after a legitimate interest assessment and we have no compelling interest that overrides your interests and rights; we have processed the personal data unlawfully; or we have a legal obligation to erase the personal data. However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than in compliance with the law or where there are no compelling legitimate grounds for doing so.

d) Right to restrict processing. This means that we temporarily restrict the processing of your data. You have the right to request restriction when: you consider your data to be inaccurate and you have requested rectification as defined in section 9.2.1b) above, while we establish the accuracy of the data; the processing is unlawful and you do not want the data to be erased; as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise or defend a legal claim; or you have objected to processing as defined in section 9.3.1, while waiting for us to consider whether our legitimate interests override yours.

9.2.2 We will take all reasonable measures possible to notify everyone who has received personal data as stated in Section 7 above if we have rectified, erased or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.

9.3 Your right to object to processing

9.3.1 You have the right to object to the processing of your personal data if our processing is based upon legitimate interests or public task (see section 3 above). If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.

9.3.2 If you do not wish that we use your personal data for direct marketing, you have the right to object to such processing by contacting us. We will cease to use your data for that purpose when we have received your objection.

9.4 Your right to data portability

You have the right to data portability. This means the right to receive your personal data in a structured, commonly used and machine-readable format, and to request that these data are transferred to another personal data controller. The right to data portability only applies when the processing is being carried out by automated means and our lawful basis for processing your data is the performance of an agreement between you and us or your consent.

9.5 Your right to complain to a supervisory authority

You have the right to lodge a complaint with the Swedish Data Protection Authority (Sw. Datainspektionen) if you are not satisfied with our processing of your personal data.

10. PROTECTION OF YOUR PERSONAL DATA

10.1 We always want you to feel confident about providing us with your personal data. We have therefore taken appropriate security measures to protect your personal data against unauthorised access, alteration and erasure. Even though we work hard to protect your data, no security measures are perfect or impenetrable. Should a security breach occur that may materially impact you or your personal data, e.g. risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

10.2 We strongly advise you to be cautious and to protect your own personal data. You are responsible for keeping your passwords confidential and for preventing others from observing your personal data when using our services in public spaces.

11. COOKIES

We use cookies that may include personal data to improve, analyse and administer our websites and services and your experience of them. You can find more information about this in our cookie policy.

12. CHANGES TO THE PRIVACY NOTICE

We have the right to make changes to this Privacy Notice at any time. When we make changes that are not purely editorial, such as formatting, typographical error corrections or other changes that do not materially affect you, we will inform you of these changes and what they mean for you before they become effective.

13. CONTACT DETAILS

Do not hesitate to contact us if you have any questions about this Privacy Notice, our processing of your personal data or if you wish to exercise your rights.

Sana Labs AB, reg. no. 559060–6579
E-mail: [email protected]
Telephone: +46 70 875 27 93
Website: https://sanalabs.com/