With the introduction of the General Data Protection Regulation (GDPR) across Europe on 25 May 2018, it is our obligation to make clear, in plain English, how we manage the data that our customers and users provide to us. This document aims to give a clear, simple breakdown of our role, the data we and our clients collect, and your rights.
This document replaces our previous policies regarding the PUL (Personuppgiftslagen) Personal Data Act. If you have any concerns or questions, please contact us via firstname.lastname@example.org
For the purposes of this document, we need to make a few definitions to ensure clarity. We, Sweplex or other references to ourselves mean Sweplex AB – Company number 556588-9465 or the platform we provide. The Platform refers explicitly to the Sweplex platform that we provide access to.
Clients refers to our direct clients who have either signed up to use the Sweplex platform or who otherwise have a contract with us to provide access to their Users. Users refers to individuals who log into Sweplex, having been onboarded or invited by a Client. Sweplex platform refers to a Client’s isolated environment, supplied for their users to log in to and develop their leadership skills.
1.2 About Sweplex
Sweplex develops, manages and sells the proprietary platform "Leaders Best Support" including the unique method to develop leadership skills. Our clients are normally businesses or organisations who wish to use the Sweplex platform to help their users (leaders) collaborate more effectively and increase the company's leadership skills.
Sweplex has a relationship with both Clients and their Users, and the data collected can vary depending on these relationships. Clients can decide how to control access to their Users by contacting our administrator.
3. What information we collect
In order to provide our service we collect and hold information that broadly falls into three categories as described in this section. This information may come from the client or directly from the users themselves.
3.1 Information about clients
We hold information about our clients in order that we can supply a service, and where relevant manage any contractual relationship. This information includes:
- Client name and contact details
- Contractual information
- Background information (e.g. number of users)
- Any information you communicate during the process of us supporting you (such as support tickets)
Administrator user information is classed the same way as any other user information and is covered by section 3.2 below.
3.2 Information about users
We collect and store a standard set of information about each user in order to provide the service. This information includes:
- Email address
- First and last name
- Telephone number (SMS text reminders)
- Password details (Encrypted)
- Data about user actions in the system (e.g. login history etc)
- Any content posted or otherwise entered into the platform, including e-mail messages
3.3 Additional information from Anonymous users, defined by Users
Through the Sweplex survey service, we collect information from anonymous users / employees to provide relevant information to help develop user leadership. The information we collect is:
- Anonymous survey answers
- Anonymous notes and replies
It is important, however, to understand that Sweplex considers that you are providing this information to our Client and that we are simply holding it on their behalf. Sweplex provides default terms of service for end users; however, many of our Clients will instead provide their own specific terms, and you should refer to them in the first instance regarding any concerns you may have.
4. How we handle your personal data
We have systems and processes in place to protect the data we receive from you, and we take this commitment very seriously. We can provide, upon request, our detailed data protection, data handling, and privacy policies. Otherwise, we’re happy to talk through any concerns or questions you have directly.
4.1 Handling and storage
Broadly speaking, we follow best practices and store your data on an environment hosted by DigitalOcean, LLC, based in New York, USA. DigitalOcean has extensive documentation on their security and legal compliance available on their website at www.digitalocean.com
In handling your data we follow best practices such as:
- Using encryption to communicate between users and ourselves.
- Restricting and logging those who have access to the data we hold.
- Not moving data from production to test environments.
- Having outside security companies perform penetration tests on the platform.
4.2 Providing your personal data to others
In order to operate both the platform and our business as a whole, we need to involve some third-party suppliers and platforms. We have detailed each, and the reason we use them, below. We may use more third parties than this; however, these are the ones that would potentially see personal information.
4.2.1 In order to provide the platform
- My Codeworks AB, development and platform services
- DigitalOcean, for cloud hosting of the Sweplex platform and storage of the data
- Postmark, to send startup emails and reset passwords
- Google Analytics, to track user behaviour
- BugSnag, to monitor bugs in our software
4.2.2 In order to operate our business
- Squarespace, to handle and update our web site www.sweplex.com
- Loopia, for email and domain administration
- Slack, for internal communications
4.3 Retaining your data
We will need to keep hold of your data while you as a User are active (not deleted). The primary reason for this is that Sweplex is a community built from your contributions made on the Sweplex platform. For example, your contributions to surveys and comments all need to persist while your User is active.
There are two conditions where your data will be deleted:
- You or the administrator elect to delete your User account on the Sweplex platform, by contacting us via email@example.com
- The administrator or Client requests to close down the user or the company profile, by contacting us via firstname.lastname@example.org
After processing your request to delete data, it will almost immediately be made inactive, meaning your data will not be visible to any other User within Sweplex. Then, within 30 days, the Sweplex Platform will automatically delete your data entirely from our platform, including backups.
4.4 Notify Clients/User/Controlling authority
The controlling authority will always be notified in case of a breach, except if the incident is classified as “White”. The user shall be notified if the breach is classified as “Red”. The following information will, if possible, be included:
- A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The name and contact details of the data protection officer or other contact point where more information can be obtained
- Description of likely consequences of the personal data breach
- Description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Sweplex will notify the controlling authority and/or the Clients and user as soon as possible, but at the latest 72 hours from when the breach was discovered.
5. Your rights
GDPR provides for several rights for individuals. If you wish to exercise any of these rights, we request that you contact us via email@example.com where we will arrange for the required work to be undertaken.
5.1 Data formats
In order to service rights requests in the timeframe required by the law, Sweplex may not be able to provide data in a specific format defined by the user making the request. We will, however, aim to provide the data in a machine-readable format (such as RTF or Word DOC) to enable portability.
6. Other websites
If you feel that your personal data has been processed in a way that does not meet the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell you of the progress and outcome of your complaint. The supervisory authority in Sweden is the Dataskyddsinspektionen, which you will find at this web address: www.datainspektionen.se
Box 4, SE-363 21 ROTTNE, SWEDEN