Privacy Policy

Last updated: January 3, 2026

This is a statement on the processing of personal data pursuant to the EU's General Data Protection Regulation (2016/679) (GDPR). This privacy policy ("Policy") describes how Ansvar Systems AB ("Controller") collects and processes personal data when data subjects register for and use the Ansvar AI threat modeling platform ("Service").

Controller

Ansvar Systems AB

Business ID: 559547-2225

Address: Ingemarsboda 565, 841 74 Fransta

Tel. +46736207435

Email: privacy@ansvar.eu

Communication Regarding Privacy Matters

We request that data subjects contact the person listed above for all questions related to the processing of personal data and for situations related to the exercise of their rights.

Basis and Purpose of Processing Personal Data

The legal basis for the processing of personal data is the contractual relationship between the data subject and the Controller.

The purposes of processing personal data include:

  • Providing access to the Ansvar AI platform and delivering threat modeling services
  • Processing payments and managing billing
  • Communicating with customers regarding their orders, support requests, and service updates
  • Complying with legal and regulatory obligations, including accounting requirements
  • Improving the Service based on usage patterns and feedback

Personal Data Being Processed

The Controller collects only personal data concerning the data subjects that is essential and relevant for the purposes explained in this privacy statement.

The following data concerning the data subjects are processed:

  • Name and contact information (email address, phone number)
  • Company name and business address
  • Account credentials (email, hashed password)
  • Payment information (processed via Stripe; card details are not stored by the Controller)
  • Technical data (IP address, browser type, access logs)
  • Content uploaded to the Service (system architecture documentation, which may incidentally contain personal data)
  • Communication records (support emails, feedback)

Disclosure of Personal Data

The Controller may disclose personal data to the following categories of third parties in connection with providing the Service:

  • Payment processors (Stripe) for handling transactions
  • Cloud infrastructure providers (Microsoft Azure) for hosting and data storage
  • AI service providers (OpenAI, Anthropic) for processing threat model analysis
  • Professional advisors (accountants, legal counsel) as required

All third-party processors are bound by data processing agreements and process personal data only on the Controller's instructions.

Transfers of Personal Data to Third Countries

Personal data may be transferred outside the EU/EEA in connection with the following third-party services:

  • Stripe (USA) - EU-US Data Privacy Framework certified
  • OpenAI (USA) - Standard Contractual Clauses in place
  • Anthropic (USA) - Standard Contractual Clauses in place

The Controller ensures that appropriate safeguards are in place for any such transfers in accordance with GDPR Chapter V.

Protection of Personal Data

The Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Audit logging of data access
  • Employee confidentiality obligations

Retention Period for Personal Data

The Controller will process the personal data for the duration of the customer relationship and for 30 days following termination of the Service agreement. At the end of this period, the Controller will delete or anonymize the data within 30 days in accordance with the deletion processes it follows.

The Controller may be obliged to process some personal data for longer than stated above to comply with legislation or authority requirements. Specifically, billing and accounting records are retained for 7 years in accordance with Swedish accounting law (bokföringslagen).

Rights of the Data Subject

Right to Request Access to Personal Data

The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.

Right to Rectification

The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.

Right to Erasure

The data subject has the right to request the erasure of their personal data. This applies, for example, when the personal data is no longer needed for the purpose for which it was collected, when the personal data has been processed unlawfully, or if the data subject withdraws the consent on which the processing is based.

Right to Restriction of Processing

The data subject has the right to request the restriction of processing of their personal data if, for example, the data subject objects to the correctness of the data or believes that the processing is against the law.

Right to Transfer Data (Data Portability)

The data subject has the right to obtain the personal data relating to them and the personal data that the data subject themselves has submitted. The personal data must be disclosed in a structured, commonly used, and machine-readable format. The data subject also has the right to transfer this data to another controller.

Right to Lodge a Complaint with a Supervisory Authority

The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) is the national supervisory authority for personal data matters. The data subject has the right to bring their case to the supervisory authority if they consider that the processing of personal data concerning them is in violation of applicable law.

Amending the Privacy Policy

The Controller reserves the right to amend this privacy policy. The current version is always available at https://www.ansvar.eu/privacy. Material changes will be communicated to registered users via email.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Ansvar Systems AB

Email: privacy@ansvar.eu