Privacy Policy

Privacy Policy – Businesses and Public Sector

Applies to: Svea AI Technology AB (corp. reg. no. 559455-2514), “Svea AI”, when we provide AI services and digital solutions to businesses and the public sector, and when you visit our website sveaai.se.

Purpose: To explain how we process personal data, the legal basis for processing, how long we retain data, and what rights you have.

Roles and responsibilities

Svea AI may act both as a data controller and as a data processor, depending on the situation:

  • Data controller when we process data about our business contacts, suppliers, website visitors, and in connection with our own marketing and customer relationships, such as quotations, agreements and support.
  • Data processor when we process personal data on behalf of customers within our services, such as web and SMS chatbots, email automation, forms, booking, document Q&A, case/triage flows and API integrations. In such cases, the processing is governed by a Data Processing Agreement (DPA).

Svea AI does not use customer data to train general AI models. Embeddings may be created technically; they are treated as personal data if the source data contains personal data.

Our services in brief

  • Web and mobile chatbots (customer service, service and sales)
  • SMS AI and email AI (inbox/triage, auto-replies, routing, SLA/escalation)
  • Forms and booking (simple integrations, calendar/CRM)
  • Internal automation (cases/triage, document Q&A, knowledge base)
  • API integrations with, for example, ERP/CRM/ticketing systems

Personal data we process

We mainly process the following categories of data, depending on the service and relationship:

  • Contact details: name, title, employer, business address, telephone number and email address.
  • Customer and contract data: orders, agreements, invoicing information, correspondence and support matters.
  • Usage and log data: technical event logs, timestamps, IP address, session and system information for operations, troubleshooting and security. These data are never used for marketing.
  • Content entered into our solutions: messages in chatbot/email flows, form responses and attachments, on the customer’s instruction when we act as processor.

We do not request, and our services are not specifically designed to process, special categories of personal data under Article 9 GDPR, such as health data or trade union membership. However, we are aware that such information may occur in certain cases. In these situations, we intend to implement and maintain appropriate technical and organisational safeguards in accordance with applicable law and our internal security procedures.

When we act as data processor, the customer, as data controller, is responsible for ensuring a legal basis under Article 9 GDPR and for providing documented instructions. We process such data only in accordance with the customer’s instructions.

Customer data is used only within the relevant customer’s instance and is never shared between customers’ systems.

Where the data comes from and why we process it

Sources: directly from you or your employer, through the use of our services, from public registers, or from partners/sub-processors such as operations and SMS providers.

Purposes and legal basis (examples):

  • Delivery and operation of services — to provide, administer and improve our services, including support. Legal basis: contract (Article 6.1(b)) and, where applicable, legitimate interest (Article 6.1(f)).
  • Security and incident management — logging, operational security, fraud prevention, troubleshooting and incident management. Legal basis: legitimate interest (Article 6.1(f)) and, where required by law, legal obligation (Article 6.1(c)).
  • Invoicing, accounting and regulatory compliance — to meet requirements for financial and legal documentation. Legal basis: legal obligation (Article 6.1(c)).
  • Customer care and B2B marketing — to maintain customer relationships and communicate with professional roles within companies. Legal basis: legitimate interest (Article 6.1(f)). You can always object to marketing.

When we rely on legitimate interest, we conduct a balancing test to ensure that the processing is necessary and proportionate.

Retention periods

We retain personal data for as long as necessary for the purposes above or as required by law, such as under accounting legislation.

Usage and security logs are normally retained for no more than six (6) months, unless longer retention is required for legal obligations, incident management or legal claims. Thereafter, the data is deleted or anonymised.

When we act as data processor, we process and retain personal data in accordance with the customer’s instructions in the Data Processing Agreement (DPA). Upon termination of the agreement, data is deleted or returned in accordance with the DPA, unless the law requires otherwise.

Recipients and sharing

We share data only when necessary and with appropriate safeguards:

  • Sub-processors/suppliers: operations/hosting, SMS/email delivery, security/log management, and development/support partners. We enter into data processing agreements and review their security.
  • Group companies or collaboration companies for coordination of delivery and support, where applicable.
  • Authorities when required by law, or to protect legal claims.
  • Other recipients only on instruction from the customer when we act as processor, or where there is a lawful basis.

We never share personal data with third parties for their own marketing or their own purposes.

AI providers (LLM models and technical AI services)

To generate AI-powered responses in our services, we use external AI providers (LLM models) and technical providers for services such as vector storage and semantic search. We currently use OpenAI LLC (GPT models).

Processing by AI providers takes place solely for the purpose of providing and operating the customer’s service, and never for the provider’s own marketing purposes. Customer data is not used to train or improve general AI models.

When processing takes place outside the EU/EEA, the transfer is protected by the European Commission’s Standard Contractual Clauses (SCCs), and where necessary a Transfer Impact Assessment (TIA) is carried out. When we act as data processor, the use of AI providers and sub-processors is regulated in the Data Processing Agreement (DPA).

Transfers outside the EU/EEA

As a first priority, we process data within the EU/EEA. Transfers outside the EU/EEA take place only where permitted under the GDPR, for example based on an adequacy decision or the European Commission’s Standard Contractual Clauses (SCCs), and after any necessary Transfer Impact Assessment (TIA). In customer assignments, this is documented in the DPA and in our current list of sub-processors, which is provided upon request.

Security

Personal data is encrypted in transit and, where possible, at rest. Administrative functions and access to systems are protected by multi-factor authentication (MFA).

  • Access controls, encryption where appropriate, logging and monitoring.
  • Procedures for incident management and continuity/backup.
  • Secure development practices, access management and confidentiality commitments for personnel and suppliers.
  • Regular risk and vulnerability assessments and supplier follow-up.

Your rights

No automated decisions with legal or similarly significant effects are made within our services.

As a data subject, you have the right under the GDPR to access, rectification, erasure (“the right to be forgotten”), restriction of processing, data portability and to object to processing. When we act as processor, we refer your request to the customer who is the data controller. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se.

Contact

Data controller: Svea AI Technology AB (corp. reg. no. 559455-2514), 115 23 Stockholm, Sweden.

Email: info@sveaai.se — Please write “Privacy question” in the subject line. Please also state the company/organisation and which service the matter concerns.

Changes to this policy

We may update this policy when our services or applicable rules change. The latest version is published on sveaai.se. Material changes may also be communicated by email or in another appropriate manner.

Last updated: 2026-02-15