Privacy Policy | Conshultocracy

1. Introduction

Conshultocracy AB, org. no. 559419-4697 ("Conshultocracy", "we", "us"), is the data controller for the processing of your personal data in connection with the use of our services.

This privacy policy describes how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection legislation.

We process your personal data based on the legal bases described in section 4 below, primarily for the performance of our contract with you and our legitimate interests in providing and improving our services.

2. What Personal Data Do We Collect?

2.1 Data you provide

Account information: Name, email address, password (encrypted), organization name, organization number
Billing information: Company address, contact person, payment information (handled by Stripe)
Contact information: Information you provide via contact forms

2.2 Data we collect automatically

Usage data: Information about how you use the service, including number of screenings, timestamps, and usage patterns
Technical information: IP address, browser type, device information
Login logs: Timestamp and status of login attempts

2.3 Screening data

Privacy by Design: We do not store screening results

Screening reports are generated in real-time and downloaded directly to your device. We do not store the results of your screenings on our servers. Two separate logging systems capture limited operational data:

Usage logs (billing): Timestamp, user ID, report type, jurisdiction, entity count. No company names are recorded.
Audit trail (compliance): Timestamp, user ID, company name, jurisdiction, recommendation, IP address (anonymized after 90 days).

Recent screening summaries may be stored locally on your device (in your browser) for up to 7 days to allow you to review past results. This data is never uploaded to our servers.

3. Nature of Screening Outputs

Important: Recommendations, Not Automated Decisions

Our screening services generate recommendations (such as GO, CAUTION, or STOP indicators) based on aggregated data from multiple sources. These outputs are:

Initial recommendations only – They represent one input among many that you may consider in your decision-making process
Not automated decisions – The application does not make any decisions on your behalf. All decisions rest solely with you, the user
Indicative, not conclusive – Results should be verified through your own due diligence processes before any business decisions are made
Supporting information – The recommendations are designed to support and inform your professional judgment, not replace it

You retain full control and responsibility for any decisions made based on information obtained through our services. We strongly recommend that screening results be reviewed by qualified personnel and supplemented with additional verification as appropriate for your specific use case.

4. Why Do We Process Your Personal Data?

Purpose	Legal Basis
Provide and administer the service	Performance of contract
Manage subscriptions and billing	Performance of contract
Send service-related communications	Performance of contract
Track usage and prevent abuse	Legitimate interest
Improve and develop the service	Legitimate interest
Fulfill legal obligations (accounting, tax)	Legal obligation

5. How Long Do We Keep Your Data?

We retain your personal data only for as long as necessary for the purposes described in this policy:

Account information: As long as you have an active account, plus 12 months after termination
Billing information: 7 years according to Swedish accounting law (Bokföringslagen)
Usage logs (billing): 7 years (Bokföringslagen). Contains no company names – only timestamps, user IDs, report type, and entity count.
Screening audit trail: 7 years (company name, jurisdiction, recommendation). IP addresses are anonymized after 90 days.
Contact inquiries: 12 months

6. Who Do We Share Data With?

We share your personal data with the following categories of recipients:

6.1 Service Providers (Data Processors)

Provider	Purpose	Location
Supabase	Database hosting, authentication	EU
Stripe	Payment processing	EU/USA*
Vercel	Web hosting	EU/USA*
Google (Gmail SMTP)	Transactional email delivery	EU/USA*
Google (Gemini)	AI-powered analysis and report generation (primary)	USA*
OpenAI	AI-powered analysis (fallback)	USA*
Perplexity	AI-powered web research for screening and enrichment	USA*
Fly.io	Backend API hosting	EU
Sentry	Error monitoring and application performance	USA*
Resend	Transactional email delivery	USA*

* Transfer to USA is made pursuant to the EU-US Data Privacy Framework or Standard Contractual Clauses (SCC).

6.2 Data Sources for Screening

When you perform screenings, queries are sent to external data sources (sanctions lists, company registers, news databases). These services receive the search terms but not your personal data.

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access: You have the right to receive information about what personal data we process about you and to obtain a copy of this data.
Right to rectification: You have the right to request correction of inaccurate or incomplete data.
Right to erasure: You have the right to request deletion of your personal data under certain circumstances ("right to be forgotten").
Right to restriction: You have the right to request restriction of the processing of your data.
Right to data portability: You have the right to receive your data in a structured, machine-readable format.
Right to object: You have the right to object to processing based on legitimate interest.
Right to withdraw consent: If processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact us at conshultocracy@gmail.com.

8. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or destruction. This includes:

Encryption of data in transit (HTTPS/TLS)
Password encryption (bcrypt)
Access controls and authentication
Regular security reviews
Row Level Security (RLS) in the database

9. Cookies

Our service uses only necessary cookies for the service to function:

Session cookies: To manage login and authentication. These are deleted when you close your browser.
Authentication cookies: To keep you logged in between sessions if you choose to stay logged in.
Local storage: Recent screening summaries are stored in your browser's local storage for up to 7 days. This data stays on your device and is never sent to our servers.

We do not use tracking cookies, analytics cookies, or marketing cookies.

10. Third-Party Screening and Legitimate Interests

Our service enables screening of third-party companies. If you use the service to screen other companies or individuals:

You are responsible for having a legitimate purpose (e.g., due diligence, compliance, know your customer)
Screening results are downloaded to your device and are not stored by us
You are responsible for proper handling of the information you obtain

11. Use of Artificial Intelligence

Certain tools within our platform use artificial intelligence (AI) and large language models to assist with analysis and report generation. Specifically:

AI-assisted analysis: Some tools use AI models provided by Google (Gemini) and OpenAI to analyze data, generate summaries, and produce recommendations. Perplexity is used for web-based research.
No automated decision-making: AI outputs are recommendations only. No decisions are made automatically on your behalf (see section 3).
Data handling: When AI models are used, only the data necessary for the specific analysis is sent to the AI provider. We use API configurations that minimize data retention by the AI provider.
Human oversight: All AI-generated outputs are presented to you for review. You retain full control over how to interpret and act on the results.

AI Transparency Notice

In accordance with the EU AI Act, we disclose that our tools use AI-generated content. AI outputs may contain inaccuracies and should always be verified through independent sources before being relied upon for business decisions.

12. Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you via email or through a notice in the service.

The latest version of the privacy policy is always available on this page.

13. Supervisory Authority

If you believe that we process your personal data in violation of GDPR, you have the right to file a complaint with the supervisory authority:

Swedish Authority for Privacy Protection (IMY)

Box 8114

104 20 Stockholm, Sweden

Website: www.imy.se

14. Contact Information

For questions about this privacy policy or our handling of personal data, contact us:

Conshultocracy AB

Org. no: 559419-4697

Svartbäcksgatan 133

753 34 Uppsala

Email: conshultocracy@gmail.com