Privacy Policy
Last updated: 28 May 2026
1. Introduction
Vakteye AB (org.nr 559563-9146), operating under the brand name Vakteye (“Vakteye,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance scanning platform and related services.
We process personal data in accordance with the General Data Protection Regulation (GDPR) and Swedish data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Vakteye AB (org.nr 559563-9146)
Söder Mälarstrand, kajplats 16, 118 25 Stockholm, Sweden
Email: privacy@vakteye.com
We have not appointed a Data Protection Officer (DPO) as our core activities do not involve large-scale processing of special categories of data or large-scale systematic monitoring of individuals (Art 37(1)(b)-(c) GDPR). For all privacy inquiries, contact privacy@vakteye.com.
3. Information We Collect
3.1 Information You Provide
- Account information (name, email, company name)
- Billing information (invoiced via our accounting system; we do not process online payments)
- Website URLs you submit for scanning
- Communications with our support team
3.2 Information Collected Automatically
- Log data (browser type, pages visited; raw IP addresses are used at request time and discarded — a one-way SHA-256 hash with a server-side salt is retained only as part of cookie-consent audit records to evidence your consent decision). Additionally, when you save a cookie-consent decision the following are persisted alongside the hashed IP: user-agent string (capped at 500 characters) and Referer URL of the page on which consent was given (capped at 500 characters).
- Device information
- Anonymous behavioral and performance analytics on our marketing website (page views, page performance metrics, aggregated interaction events). All cookieless. All consent-gated. Self-hosted within the EU. No personal data, no IP addresses, no form contents, no identifiers.
3.3 Scan Data
When scanning websites, we collect publicly available information from the target URLs including cookies, scripts, headers, and page content. This data is processed to generate compliance reports. Scan data may incidentally contain personal data present on the target website.
4. Purpose and Legal Basis for Processing
We process your personal data for the following purposes, each with its corresponding legal basis under Article 6(1) of the GDPR:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing and maintaining our scanning services | Account data, website URLs, scan data | Contract (Art 6(1)(b)) |
| Processing payments and billing | Email, payment information | Contract (Art 6(1)(b)) |
| Anonymous cookieless analytics — page views, page performance metrics (load time, rendering speed), and aggregated interaction events to understand how visitors navigate the marketing website and improve it. | Aggregate page-view counts, anonymized referrer source, device category, country, language, page performance metrics (load time, rendering speed), anonymized interaction counts (button section, navigation milestone). No IP addresses. No identifiers. No form input. No search queries. No keystrokes. No mouse movements. No session recordings. | Consent (Art 6(1)(a)) gated by ePrivacy Art 5(3) / LEK 9 kap §28. Analytics toggle is OFF by default — script loads only after explicit opt-in. |
| Sending technical notices, updates, and support messages | Email, account data | Legitimate Interest (Art 6(1)(f)) |
| Detecting, preventing, and addressing security issues | Log data, IP address | Legitimate Interest (Art 6(1)(f)) |
| Complying with legal obligations | Account data, payment records | Legal Obligation (Art 6(1)(c)) |
| Sending marketing communications | | Consent (Art 6(1)(a)) (reserved for future use — no marketing campaigns are active at the time of writing). Marketing-email consent will be captured at sign-up via opt-in checkbox; withdrawal will be available via the one-click unsubscribe link in every marketing email and by emailing privacy@vakteye.com (GDPR Art 7(3)). |
| Replying to enquiries via the website chat | Name, email, messages you send in the chat | Consent (Art 6(1)(a)) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information with:
- Sub-processors (Articles 13(1)(e) and 28 GDPR): We rely on a small set of categorised sub-processors to deliver the platform: a primary database, authentication and file-storage provider; a frontend hosting and edge-network provider; a cloud infrastructure provider for scanner egress, container runtime, and scan-report storage; an EU-established AI provider for the customer-facing chat assistant; a background task orchestration provider; a transactional email provider within the EU; an error-monitoring provider; a rate-limit cache provider; and a DNS and bot-protection provider that operates a globally distributed anycast network for domain name resolution and bot challenges. Scan-result personal data is processed within the EU/EEA except for the limited DNS/bot-protection metadata described in the DPA. Internal tools used solely for our own marketing, billing, anonymous website analytics, and staff workflows are not listed because they do not process Controller data and are therefore not sub-processors under Article 28 GDPR. All sub-processors are bound by Article 28-compliant written contracts. The full list of named sub-processor entities and contracting countries is available to customers on written request to privacy@vakteye.com.
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger or acquisition
6. Data Retention
We retain your personal data for the periods necessary to fulfill the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Until you close your account |
| Scan results | 180 days, or upon earlier request |
| Log data and IP addresses | 12 months |
| Analytics data | Not currently collected; reserved for future use |
| Payment and billing records | 7 years (Swedish Bookkeeping Act 1999:1078, 7 kap. 2 §) |
| Support correspondence | 24 months after resolution |
| Chat enquiries and messages | 12 months from last activity |
| Cookie-consent audit log | Anonymous-device rows (no logged-in user at consent time): 5 years from the consent action. Authenticated-user rows: retained for the lifetime of the customer relationship, then 5 years from account closure. Fields stored: one-way SHA-256 hash of IP with server-side salt, user-agent (≤500 chars), Referer URL (≤500 chars), decision timestamp, status, analytics + marketing booleans, policy version, locale. Backs GDPR Article 7(1) demonstrable-consent obligation under the accountability principle (Article 5(2)). |
7. Your Rights
Under GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Objection: Object to certain types of processing
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
- Automated Decisions: Not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects (Art 22(1) GDPR)
To exercise these rights, contact us at privacy@vakteye.com. We may request proof of identity before processing your request. We will respond without undue delay and in any event within one month of receiving your request. If we need additional time (up to two further months) due to the complexity or number of requests, we will inform you within the initial one-month period.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
8. International Transfers
Scan-result personal data and customer account data are processed within the European Economic Area. Where any limited transfer outside the EEA may occur — for example bot-protection challenges on public forms routed through a globally distributed anycast network, or cross-region AI inference capacity allocation for the customer-facing chat assistant — we rely on the following safeguards:
- Currently applicable adequacy decisions of the European Commission under Article 45 GDPR for any inference or processing routed outside the EEA
- Standard Contractual Clauses Module 2 (Commission Implementing Decision (EU) 2021/914), where a sub-processor's operational footprint extends beyond the EEA
- Contractual obligations on every sub-processor under Article 28(3) GDPR, flowed down by written contract under Article 28(4) GDPR
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with multi-factor authentication for administrative access
- Row-level database isolation ensuring each customer can only access their own data
- Regular security assessments and vulnerability management
- Immutable audit logging for all evidence collection activities
10. Automated Processing
Our compliance scanning platform uses AI-assisted analysis to support the identification of potential compliance issues. Lower-confidence findings go into a review queue and are assessed by a human analyst before being published to you; high-confidence findings backed by behavioural proof are published directly and can be challenged after the fact. No solely automated decisions with legal or similarly significant effects are made about you under Article 22(1) of the GDPR.
11. Processor and Controller Roles
When you use Vakteye to scan your own websites, we act as a Data Processor on your behalf, processing scan data according to your instructions. For your account data (name, email, billing information), we act as the Data Controller.
Our processing as a Processor is governed by our Data Processing Agreement, available upon request.
12. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority (IMY) without undue delay and, where feasible, within 72 hours of becoming aware (GDPR Article 33). Where the breach is likely to result in a high risk, we will also notify affected users without undue delay (GDPR Article 34). Notifications describe the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address the breach.
13. Children's Data
Our services are intended for business use and are not directed at individuals under 13 years of age (the age of consent under Chapter 2, Section 4 of the Swedish Data Protection Act (2018:218), which derogates from the default sixteen-year threshold in Article 8(1) GDPR). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@vakteye.com and we will take steps to delete it.
14. Data Minimization
We collect and process only the personal data that is necessary for the purposes described in this policy. Scan data is limited to publicly available website metadata required for compliance analysis. We do not collect or store directly identifying personal data of your website visitors. For our own marketing-site visitors we retain only pseudonymous accountability records (one-way hashed IP plus user agent) for cookie-consent decisions, plus aggregate page-view counts after explicit opt-in.
15. Cookies
We use cookies and similar technologies. For more information, please see our Cookie Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Vakteye AB (org.nr 559563-9146)
Söder Mälarstrand, kajplats 16, 118 25 Stockholm, Sweden
Email: privacy@vakteye.com
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.