Principles of Personal Data Processing (GDPR) Smartflow AI

1. Data Controller and Contact

The data controller is Smartflow AI with its registered office in Sweden: Viksberg 101, 73397 Sala. Contact e-mail for matters concerning personal data protection: info@smartflowai.eu

(Data subjects may contact this address with questions or requests to exercise their rights.)

2. Scope of Processed Data and Their Purpose

We process only data necessary for the performance of a contract and legal obligations:

  • Identification and invoicing data: First name, surname, company registration number/VAT number, registered office address.
  • Contact data: E-mail address, telephone number.
  • Operational and technical data: To ensure the security and stability of services, we process IP addresses, access logs, timestamps, and metadata of digital tools.
3. Legal Basis and Purposes of Processing
  • Performance of a contract (Article 6(1)(b) GDPR): Provision of services and communication.
  • Legal obligation (Article 6(1)(c) GDPR): Archiving of accounting documents is carried out in accordance with the Swedish Accounting Act (Bokföringslag 1999:1078), which sets a mandatory retention period of 7 years.
  • Legitimate interest (Article 6(1)(f) GDPR): Cybersecurity and protection of legal claims.
4. Data Security

The provider has implemented technical and organisational measures pursuant to Article 32 GDPR: data encryption (SSL/TLS), two-factor authentication (2FA), regular backups, and restriction of access only to authorised persons.

5. Recipients of Data and Transfers to Third Countries

Data may be made available to verified processors (Google Workspace, accounting system). Due to the use of Google LLC, data are transferred to third countries (USA). Such transfers are safeguarded by Standard Contractual Clauses (SCC) pursuant to Article 46 GDPR.

6. Rights of the Data Subject

You have the right of access, rectification, erasure (unless prevented by retention obligations), restriction of processing, and data portability. We respond to requests within 1 month.

7. Data Breaches and Complaints

In the event of a serious data breach, we will inform the supervisory authority within 72 hours. You have the right to lodge a complaint with the Swedish authority (Integritetsskyddsmyndigheten - IMY) or the authority in your country.