Privacy Policy
Last updated: April 2026
1. Introduction
Nordic Technologies AB (org.nr 559563-9146), operating under the brand name Vakteye (“Vakteye,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance scanning platform and related services.
We process personal data in accordance with the General Data Protection Regulation (GDPR) and Swedish data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Nordic Technologies AB (org.nr 559563-9146)
Köpmangatan 1, 972 33 Luleå, Sweden
Email: privacy@vakteye.com
We have not appointed a Data Protection Officer (DPO) as our core activities do not involve large-scale processing of special categories of data or large-scale systematic monitoring of individuals (Art 37 GDPR). For all privacy inquiries, contact privacy@vakteye.com.
3. Information We Collect
3.1 Information You Provide
- Account information (name, email, company name)
- Payment information (processed securely by our payment provider)
- Website URLs you submit for scanning
- Communications with our support team
3.2 Information Collected Automatically
- Log data (IP address, browser type, pages visited)
- Device information
- Usage data and analytics
3.3 Scan Data
When scanning websites, we collect publicly available information from the target URLs including cookies, scripts, headers, and page content. This data is processed to generate compliance reports. Scan data may incidentally contain personal data present on the target website.
4. Purpose and Legal Basis for Processing
We process your personal data for the following purposes, each with its corresponding legal basis under Article 6(1) of the GDPR:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing and maintaining our scanning services | Account data, website URLs, scan data | Contract (Art 6(1)(b)) |
| Processing payments and billing | Email, payment information | Contract (Art 6(1)(b)) |
| Analyzing usage patterns to improve our platform | Usage data, device information | Legitimate Interest (Art 6(1)(f)) |
| Sending technical notices, updates, and support messages | Email, account data | Legitimate Interest (Art 6(1)(f)) |
| Detecting, preventing, and addressing security issues | Log data, IP address | Legitimate Interest (Art 6(1)(f)) |
| Complying with legal obligations | Account data, payment records | Legal Obligation (Art 6(1)(c)) |
| Sending marketing communications | | Consent (Art 6(1)(a)) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information with:
- Service Providers: Database and hosting providers, payment processors, task execution services, email delivery providers, and AI-assisted analysis services necessary to deliver our platform. All processors are bound by Data Processing Agreements. A current list is available upon request.
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger or acquisition
6. Data Retention
We retain your personal data for the periods necessary to fulfill the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Until you close your account |
| Scan results | 90 days, or upon earlier request |
| Log data and IP addresses | 12 months |
| Analytics data | Aggregated and anonymized |
| Payment and billing records | 7 years (Swedish Bookkeeping Act) |
| Support correspondence | 24 months after resolution |
7. Your Rights
Under GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Objection: Object to certain types of processing
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
- Automated Decisions: Not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects (Art 22)
To exercise these rights, contact us at privacy@vakteye.com. We may request proof of identity before processing your request. We will respond without undue delay and in any event within one month of receiving your request. If we need additional time (up to two further months) due to the complexity or number of requests, we will inform you within the initial one-month period.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
8. International Transfers
Some of our service providers operate in countries outside the European Economic Area (EEA), including the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission, where applicable
- The EU-US Data Privacy Framework, where the recipient is certified
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with multi-factor authentication for administrative access
- Row-level database isolation ensuring each customer can only access their own data
- Regular security assessments and vulnerability management
- Immutable audit logging for all evidence collection activities
10. Automated Processing
Our compliance scanning platform uses AI-assisted analysis to support the identification of potential compliance issues. All findings are reviewed and verified by qualified human analysts before being included in reports. No solely automated decisions with legal or similarly significant effects are made about you under Article 22 of the GDPR.
11. Processor and Controller Roles
When you use Vakteye to scan your own websites, we act as a Data Processor on your behalf, processing scan data according to your instructions. For your account data (name, email, billing information), we act as the Data Controller.
Our processing as a Processor is governed by our Data Processing Agreement, available upon request.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay. The notification will describe the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address the breach.
13. Children's Data
Our services are intended for business use and are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@vakteye.com and we will take steps to delete it.
14. Data Minimization
We collect and process only the personal data that is necessary for the purposes described in this policy. Scan data is limited to publicly available website metadata required for compliance analysis. We do not collect or store directly identifying personal data of your website visitors.
15. Cookies
We use cookies and similar technologies. For more information, please see our Cookie Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Nordic Technologies AB (org.nr 559563-9146)
Köpmangatan 1, 972 33 Luleå, Sweden
Email: privacy@vakteye.com
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.