Privacy policy

| Approved by the CEO | Document manager | Document owner | Information class |
| --- | --- | --- | --- |
| 2025-12- | CTO | CEO | Public |

External rules

General Data Protection Regulation (GDPR) (EU 2016/679)

Previous versions

Contact information

If you have any questions regarding our processing of your personal data, or any question, complaint or claim, please contact us at:

Nooga Solutions AB

Sveavägen 9, 111 57 Stockholm, Sweden

info@nooga.net

Background

Nooga Solutions i Sverige AB (hereinafter referred to as Nooga) shall have good governance and internal control. The CEO is responsible for ensuring that Nooga complies with laws and applicable national and European regulations governing Nooga's operations. Nooga's governance documents consist of documents decided upon by the CEO or the respective person responsible. The CEO establishes Master Policies and if necessary, these Master Policies can be further broken down into Policies, and more detailed Standards, which are established by the respective responsible person.

This policy covers Nooga's Board of Directors, management, all employees, consultants, partners, agents and contractors involved in Nooga's operations. The policy applies to all parts of the business and also includes operations and areas that have been outsourced to another party.

The Policy shall be assessed annually and updated as necessary. Material changes to this policy shall be communicated to relevant stakeholders in a timely manner.

1. Personal data that you give us

You may choose to give us your personal data. This includes information submitted when you visit our website, use our services or if you contact us (collectively referred to as “Services” in this privacy policy).

We will process the following categories of personal data that you give us:

  • When you use our Services (customer): name, email address, alias and phone number of the contact person as well as your office address. Other personal data that you choose to give us through for example customer tickets, work items and issues, such as user aliases and emergency contact information for incidents.
  • When you supply us with products and/or services (supplier): name, email address and phone number of the contact person as well as your office address.
  • When you send us a job application: name, email address, records to evaluate your suitability for the position, your CV and personal letter, as well as other personal data as may be relevant for the specific application.
  • If you contact us: We may ask for additional personal data other than as informed above, in order to assist you.

2. Personal data that we collect

  • To manage the customer or supplier relationship: name, email address and company name.
  • To administer payments and invoice you: name, email address and company name.

3. How we use and keep your personal data

  • We use your personal data to be able to provide our Services and fulfill our commitments towards you. We process personal data based on the following legal grounds.

| Purpose of the Processing | Personal Data Categories | Legal Basis for the Processing | Storage Period |
| --- | --- | --- | --- |
| To provide our Services. | Name, email address, alias and phone number of the contact person(s) as well as your office address. Other personal data that you choose to give us through for example customer tickets, work items and issues, such as user aliases and emergency contact information. | Fulfill our contractual obligations towards you. | As long as you are a customer, and you have granted us access. |
| Administer customer and supplier relationships, including order and payment processing. | Name, email address and phone number of the contact person. | Fulfill our contractual obligations towards you, and a legal obligation. | 7 years after creation due to bookkeeping legislation. |
| Provide support services. | Name, email address and phone number of the contact person(s). | Fulfill our contractual obligations towards you. | As long as necessary to provide the support, and one year thereafter. |
| If you contact us. | Name, email address and phone number of the contact person. | Fulfill our contractual obligations towards you and to pursue legitimate interest. | As long as is necessary to assist you and one year thereafter. |
| Send you our newsletter, event invitations and other information regarding our Services. | Name and email address. | Fulfill our contractual obligations towards you and to pursue legitimate interest. | As long as we send out such information, unless you unsubscribe. |
| Manage your job application. | Name, email address and phone number as well as other personal data provided by you | Pursue legitimate interest, and consent if stored longer | Until the position has been filled. Subject to your explicit consent, we may ask to store it for a longer period. |

  • Your personal data will be deleted by us when the processing is no longer necessary for the purposes stated above, except if required by applicable laws. In such case, we keep the data only as long as necessary or mandated by law for such purpose, such as for bookkeeping purposes.

4. Sharing of personal data

  • We share your personal data with the following subcontractors to provide our Services and perform our contractual obligations towards you:

| Subcontractor name (service name) | Region for processing | Transfer mechanism | Services provided |
| --- | --- | --- | --- |
| Microsoft Corporation (Azure, Azure DevOps, Azure OpenAI) | EU/EEA and the U.S. | EU-U.S. Data Protection Framework (EU-U.S. DPF) | Hosting and storing cloud services, Performing Services, Backup |
| Microsoft Corporation (M365) | EU/EEA and the U.S. | EU-U.S. Data Protection Framework (EU-U.S. DPF) | Email services |
| Hubspot Inc. | EU/EEA and the U.S. | EU-U.S. Data Protection Framework (EU-U.S. DPF) | Customer management |
| Stripe Inc. | EU/EEA and the U.S. | EU-U.S. Data Protection Framework (EU-U.S. DPF) | Payment processing services |
| Fortnox AB | Sweden | Not applicable | Accounting and invoicing services |

  • These third parties are limited by law or contract from using the personal data for purposes beyond those for which the personal data is shared. We take all reasonable legal, technical, and organizational measures to ensure that your personal data is treated securely and with an adequate level of protection when transferred to or shared with such selected third parties.
  • Some of the subcontractors we share your personal data with are located outside the EU/EEA (in a third country). Depending on which part of our Services you use, your personal data may be transferred to the United States. When doing so, we are committed to protect your data and comply with applicable data protection laws, adhering to the EU-U.S. Data Protection Framework (EU-U.S. DPF) as well as having supplemental measures to ensure adequate protection of your personal data. Such supplemental measures include i.a. encryption at rest as well as in transit and role-based access on a need-to-know basis.
  • If we are required by law or you have agreed to it, we will disclose necessary personal data to authorities such as the police, tax agencies or other authorities. An example of legally required sharing is for the purposes of anti-money laundering and counter-terrorist financing.
  • In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If we or substantially all of our assets are acquired by a third party, personal data about our customers may be disclosed and transferred.

5. Artificial intelligence (AI) features

  • We offer optional AI-powered features within our Services. These features use artificial intelligence to analyze and generate content based on your work items and organizational data, such as providing suggestions, identifying patterns, and answering questions. AI features are disabled by default and require explicit organizational opt-in to enable. AI features are only used to the extent you decide and do not make decisions on behalf of users or the organization.
  • When your organization chooses to enable AI features for a project or organization workspace, work item content and related organizational data within that scope may be processed by Microsoft Azure OpenAI Service. This service is hosted in European data centers.

We implement the following protections for AI-processed data:

  • All data is encrypted in transit and at rest.
  • Pre-processing and post-processing of data occur within our controlled systems.
  • Your data is not used to train AI models.
  • Data minimization ensures only necessary context is sent to AI services.
  • Access is restricted on a need-to-know basis.
  • Processing is limited to projects/organizations where AI features are enabled.

Organizational administrators can enable or disable AI features at the organization or project level through administrative settings. When disabled, data from that scope will no longer be processed by AI services.

The legal basis for processing personal data through AI features is the performance of our contract with your organization (Article 6(1)(b) GDPR) and/or your organization's consent (Article 6(1)(a) GDPR). Organizational administrators can withdraw consent at any time by disabling AI features in administrative settings.

6. Your rights

The right to a register excerpt. You have the right to request a transcript of your personal data that we store and process. Your request must be submitted in writing to us using the contact information in this policy, including your signature.

The right to rectification. We want you to correct inaccurate or incomplete information about you and kindly ask you to contact us in this case.

The right to be forgotten. You have the right to object to our processing of your personal data. The consequence of this may be that we are no longer able to carry out the Services. Contact us and we’ll see to what extent this is possible.

Marketing communications. You may at any time decline marketing communications from us. Let us know in that case.

7. Complaints

If you are displeased with our processing of personal data, you should contact us and let us know. You can also turn to the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten), Box 8114, 104 20 Stockholm, Sweden, phone number + 46 8 657 61 00, email address imy@imy.se, or the equivalent authority in the EU-member state where you live, to file a complaint.

8. Security

We are using adequate technical and organizational security measures to ensure that your personal data is not misused, lost or unlawfully accessed. We only give access to your personal data to those employees who require it to provide our Services.

We are regularly evaluating our security measures.

We have a process to detect, report and manage incidents according to regulatory requirements.

All incidents are documented.

9. Register

We keep a register of our privacy activities.

The register includes:

  • Name
  • Contact details
  • Purpose
  • Categories and type of data
  • Storage time
  • Third country transfers

10. Updates and information

We may occasionally update this privacy policy. If we make significant changes, we will notify you of the changes through our Services or through other means, such as email. To the extent permitted under applicable law, by using our Services after such notice, you accept the updates.

We encourage you to periodically review this privacy policy for the latest information on our privacy practices.