Privacy Policy — Frostmoln

This privacy policy describes how Svenska Moln AB ("Frostmoln", "we", "us") collects, processes, and protects your personal data when you use our cloud infrastructure services and website. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection legislation.

1. Data Controller

The data controller for the processing described in this policy is: Svenska Moln AB Organisation number: 559576-4555 Box 10074 434 21 Kungsbacka Sweden Data Protection Officer (DPO): dpo@frostmoln.se If you have questions about how we process your personal data, you are welcome to contact our Data Protection Officer at the address above.

2. Personal Data We Collect

We collect and process the following categories of personal data: Account data: Name, email address, phone number, organisation name, and organisation number that you provide when creating an account. Billing data: Invoicing address, VAT number, payment method details. Payment card processing is handled by our payment processor (Swedbank Pay) and we do not store full card numbers. Usage data: Information about your use of our services, including API calls, resource consumption, login times, and IP addresses. Technical data: Browser type, operating system, device identifiers, and similar technical information collected automatically when you visit our website. Support data: Information you provide when contacting our support team, including correspondence and any attachments. Communication data: Your preferences for receiving communications from us, and records of communications we send to you.

3. Purposes of Processing

We process your personal data for the following purposes: Service delivery: To create and manage your account, provision and operate cloud infrastructure resources, and provide the services you have requested. Billing and payments: To calculate charges, generate invoices, process payments, and comply with accounting obligations under Swedish law (Bokföringslagen 1999:1078). Security and fraud prevention: To protect our infrastructure, detect and prevent unauthorised access, and ensure the integrity of our services. Customer support: To respond to your enquiries, troubleshoot issues, and provide technical assistance. Legal compliance: To comply with applicable laws, regulations, and legal proceedings, including tax obligations and anti-money laundering requirements. Service improvement: To analyse usage patterns (in aggregated, anonymised form) and improve our services. Communications: To send you service-related notifications (e.g., maintenance windows, security alerts) and, with your consent, marketing communications about our services.

4. Legal Bases for Processing

We process your personal data based on the following legal grounds under Article 6(1) of the GDPR: Performance of contract (Art. 6(1)(b)): Processing necessary to provide our cloud services to you, including account management, resource provisioning, and customer support. Legal obligation (Art. 6(1)(c)): Processing necessary to comply with Swedish and EU legal obligations, including bookkeeping requirements (Bokföringslagen), tax reporting, and anti-money laundering obligations. Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including security monitoring, fraud prevention, and service improvement through aggregated analytics. We have conducted balancing tests to ensure our interests do not override your fundamental rights. Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy: Account data: For the duration of your account and up to 30 days after account closure to resolve any outstanding matters. Billing data: For 7 years after the end of the financial year in which the transaction occurred, as required by Swedish bookkeeping law (Bokföringslagen 1999:1078). Usage and technical data: For up to 12 months for operational purposes, after which it is anonymised or deleted. Support data: For up to 24 months after the support case is closed. Security logs: For up to 12 months, unless required longer for investigation of a security incident. When your data is no longer needed, it is securely deleted or irreversibly anonymised.

6. Recipients and Sub-processors

We may share your personal data with the following categories of recipients: Payment processor: Swedbank Pay (for payment processing). Swedbank Pay acts as an independent data controller for payment data. Datacenter providers: Our colocation partners who provide physical hosting facilities within the EU/EEA. They do not have access to your data. Professional advisors: Auditors, legal counsel, and accountants as necessary for our business operations, bound by professional confidentiality obligations. Public authorities: Tax authorities (Skatteverket), law enforcement, or other authorities when required by Swedish or EU law. We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

7. International Data Transfers

All personal data is stored and processed exclusively within the EU/EEA. Our infrastructure is located in Swedish datacenters and we do not transfer personal data to countries outside the EU/EEA. This means your data is not subject to foreign surveillance orders such as the US CLOUD Act or FISA Section 702. In the unlikely event that a transfer outside the EU/EEA would become necessary in the future, we will ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR (e.g., Standard Contractual Clauses, adequacy decisions) and will update this policy accordingly.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data: Right of access (Art. 15): You may request a copy of the personal data we hold about you. Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data. Right to erasure (Art. 17): You may request that we delete your personal data, subject to our legal obligations to retain certain data. Right to restriction of processing (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances. Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format. Right to object (Art. 21): You may object to processing based on legitimate interest. For direct marketing, your objection will always be honoured. Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time. To exercise your rights, contact us at privacy@frostmoln.se. We will respond within 30 days as required by the GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se.

9. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Article 22 of the GDPR. Automated systems are used for operational purposes such as resource provisioning and usage metering, but these do not involve decisions about individuals based on personal characteristics.

10. Cookies and Local Storage

Our website uses cookies and local storage. For detailed information about which cookies we use and how to manage them, please see our Cookie Policy.

11. Children’s Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or through a prominent notice on our website at least 30 days before the changes take effect. The "last updated" date at the top of this page indicates when the policy was most recently revised.

13. Contact

If you have questions or concerns about this privacy policy or our processing of your personal data, please contact: Svenska Moln AB Email: privacy@frostmoln.se Box 10074 434 21 Kungsbacka Sweden You may also contact the Swedish Authority for Privacy Protection (IMY): Integritetsskyddsmyndigheten Box 8114 104 20 Stockholm www.imy.se