Privacy Policy

Privacy policy for elastisys.com and elastisys.io, business contacts, authorized users, and recruitment.

Elastisys Privacy Policy

  • Date: 2024-05-30
  • Author: DPO
  • Reviewed by: Management Team
  • Approved by: CEO
  • Information owner: CEO

The latest version is available on our website.

Data of our Customers is processed only according to Appendix 1 Data Protection Agreement in our Terms of Service.

Introduction

Elastisys prides itself on being a data protection and privacy front-runner. Therefore, we take privacy seriously.

No "we value your privacy" BS. No "dark pattern" consent forms. No complicated cookie banners that try to trick you. No profiling.

We process personal data for various purposes, each with its own privacy policy. Please read the full details below.

Your Rights

You have the right to:

  • access your personal data;
  • request rectification or erasure of your personal data;
  • object to the processing of your personal data;
  • withdraw your consent to the processing of your personal data at any time;
  • file a complaint with the Swedish Authority for Privacy Protection (IMY).

Contact Information

If you have any questions or concerns about our privacy policy or wish to file a complaint under GDPR, the EU ePrivacy Directive or the EU Digital Services Act, please contact our Data Protection Officer (DPO) at dpo@elastisys.com.

Name and contact details of the Data Controller:

Elastisys AB
Organization number (Org.nummer): 556873-6135
Kuratorvägen 2A, 907 36 Umeå, Sweden

Privacy Policy for elastisys.com and elastisys.io

Purpose

We collect personal data for the following purposes:

  • track campaign success;
  • understand visitor demography and website journey.

Personal Data We Process

We collect:

  • operating system;
  • browser;
  • browser plugins;
  • IP address;
  • browser language; and
  • tracking links.

We use this data to compute a privacy-friendly, industry-leading visitor "hash" number, which is valid for 24 hours. This solution is recommended by the CNIL, the French GDPR and ePrivacy supervisory authority.

You can find more information under:

We anonymize IPv4 addresses to /24 as soon as technically possible, and our self-hosted, first-party Matomo instance does not store the full information, as per their description of privacy controls.

We believe we have a legitimate interest in processing IP addresses for the purpose of tracking campaign success and understanding visitors. IP addresses are expected to belong to corporate network endpoints and not identify data subjects. Furthermore, we anonymize IP addresses as soon as technically possible. Hence the impact on your privacy as a data subject is minimal.

Retention

IP addresses are anonymized as soon as technically feasible. Anonymized IP addresses are retained indefinitely.

Protection of Personal Data

We protect personal data as follows:

  • Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
  • Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
  • Access minimization: Access to personal data is only permitted to Elastisys employees needing it.

Processors and Third Countries

We use the following Processors for processing personal data:

| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| SafeSpring | Self-hosted Matomo instance | Sweden | Sweden | DPA stored internally |
| Bahnhof | website hosting elastisys.com | Sweden | Sweden | DPA stored internally |
| GitHub | website hosting elastisys.io | Global | US | DPA |

As of 2023-04-18, the US is a third country. See what this means on IMY's website: EN SE.

Cookies and Similar Technologies

We only use cookies and similar technologies in ways that do not invade your privacy and are exempted from requiring your consent, according to Directive 2009/136/EC (a.k.a. ePrivacy Directive) Article 5.3.

We only use your browser's session storage to keep track of whether you've closed the information box informing you about our privacy policy. According to Opinion 04/2012 on Cookie Consent Exemption, this qualifies as "UI customization cookies" and does not require consent, if stored for no longer than a browser session or no more than a few additional hours.

| Name | Type | Domain | Purpose | Expiration | Vendor |
|---|---|---|---|---|---|
| consentDismiss | sessionStorage | elastisys.com | We use this to remember if you dismissed the no-consent-needed popup. | Session | Elastisys |

To understand website visitor interactions, we use cookieless tracking technology by Matomo. We self-host the Matomo instance, and it is thus not a third-party cloud service. Read more about cookieless tracking under:

Elastisys is aware of Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive published by the European Data Protection Board. Elastisys has participated in the public consultation to better understand whether our current practices comply with the ePrivacy Directive.

Automated Decision-Making, Including Profiling

We don't use automated decision-making or profiling.

IT Systems Outside the Scope of this Privacy Policy

We may link to various external websites, such as Google, YouTube, LinkedIn, Twitter, Instagram and Calendly. We make it very clear when you are about to exit our websites. By continuing to navigate to external websites, you accept their privacy policies. For your convenience, please find the privacy policies of external websites below:

Privacy Policy for Business Contacts

Purpose

We collect personal data for the following purposes:

  • discuss our offers;
  • fulfill our business agreements;
  • improve customer satisfaction.

Personal Data We Process

We collect business contact information, such as first name, last name, business email address, business phone number, title and LinkedIn profile URL.

For discussing our offers, we process personal data based on legitimate interest. Please find our Legitimate Interests Assessment below.

We collect personal data as part of our surveys based on your consent (GDPR Art. 6 § 1.a).

Otherwise, we process personal data because it is necessary to fulfill our business agreement (GDPR Art. 6 § 1.b).

Retention

Business contact information is retained for as long as:

  • we have an active dialog about our offers; or
  • we have a business relationship.

Note that invoices may contain business contact information. We need to store those for at least 7 years, as required to comply with Swedish Accounting Laws (Bokföringslag 1999:1078).

Personal data in connection with surveys is stored until you withdraw your consent.

Protection of Personal Data

We protect personal data as follows:

  • Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
  • Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
  • Access minimization: Access to personal data is only permitted to Elastisys employees needing it.

Processors and Third Countries

We use the following Processors for processing personal data:

| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Membrain | Customer Relationship Management | Sweden | Sweden | DPA |
| Telavox | Phone communication, storing contact information | Sweden | Sweden | DPA is stored internally |
| GetAccept | Managing contracts | US | US, Germany | DPA |
| Google Workspace (GMail, Drive) | Email communication, storing contact information | Global | US | DPA |
| SurveyMonkey | Customer Surveys | Global | US | DPA |

As of 2023-03-16, the US is a third country. See what this means on IMY's website: EN SE.

Legitimate Interests Assessment

Our assessment, based on the "three-part test", looks as follows:

  • Purpose test:
    • We want to collect business contact information to present our offering to potential new customers.
    • Without processing this information, we would not be able to grow our business.
  • Necessity test:
    • Some public business contact information cannot be obtained with prior consent. This includes contact information which you made available on your company website. (For example: How would we write an email to ask for your consent without processing your email address in our email client first?)
  • Balancing test:
    • We only collect contact information found in a business context, such as company websites.
    • We only collect your information if we assessed that you would likely benefit from knowing about our offering.
    • This information is already public, hence neither sensitive nor private.
    • In our experience, such usage of public business contact information can be expected, as long as the email is hand-written and tailored manually to the interests of the recipient.
    • Swedish law allows for such communication on an opt-out basis. See Marknadsföringslag (1995:450) 13 b § 2st. "Obeställd reklam" and E-privacy Directive 2009/136/EC Article 13 "Unsolicited communication" paragraph 3.
    • Elastisys does not work with automated electronic communication, such as marketing, sequencing or equivalent, whether email, LinkedIn or similar. As an organization we do not believe that an automated first contact is an effective and appreciated way of doing business with other organizations.
    • We only send automated emails if you gave your consent, for instance by subscribing to a newsletter or Terms of Service updates.

Privacy Policy for Office Visitors

Purpose

We collect personal data for the purpose of visitor management.

Personal Data We Process

We collect your name, company affiliation, mobile phone and which Elastisys employee you are visiting.

We process personal data based on legitimate interest (GDPR Art. 6 § 1.f).

Our assessment, based on the "three-part test", looks as follows:

  • Purpose test: We need to collect personal data on visitors to ensure physical security of our offices.
  • Necessity test: Collecting visitor information can help us deter information security incidents at our offices and also investigate information security incidents after-the-fact.
  • Balancing test: Collecting visitors' information is expected from an ISO 27001-certified company such as Elastisys.

Retention

We retain visitor data for 90 days.

Protection of Personal Data

We protect personal data as follows:

  • Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
  • Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
  • Access minimization: Access to personal data is only permitted to Elastisys employees needing it.

Processors and Third Countries

We use the following Processors for processing personal data:

| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Vizito | Visitor Management | Belgium | Belgium | DPA stored internally |

Privacy Policy for Authorized Users

Please read Terms of Service, Appendix 4 "Privacy Policy for Authorized Users".

Privacy Policy for Recruitment

Purpose

We collect personal data for the purpose of recruitment.

Personal Data We Process

We collect:

  • your contact information, such as first name, last name, email address and phone number;
  • your CV.

We collect this information based on consent. By responding to an Elastisys job ad, you consent to the processing of your personal data as laid out in this privacy policy.

Retention

We retain candidate information for a maximum of 12 months. The retention period is based on our desire to keep a pool of candidates, in case we suddenly have a large number of openings. You may remove your personal data earlier by withdrawing your consent.

Protection of Personal Data

We protect personal data as follows:

  • Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
  • Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
  • Access minimization: Access to personal data is only permitted to Elastisys employees needing it.

Processors and Third Countries

We use the following Processors for processing personal data:

| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Google Workspace (GMail, Drive) | Email communication, storing candidate database | Global | US | DPA |

As of 2023-02-03, the US is a third country. See what this means on IMY's website: EN SE.

Cookies and Similar Technologies

We don't use cookies and similar technologies.

Automated Decision-Making, Including Profiling

We don't use automated decision-making or profiling.

IT Systems Outside the Scope of this Privacy Policy

If you apply to jobs via LinkedIn, you accept their privacy policy. For your convenience, please find the privacy policies of external websites below:

If you do not accept the LinkedIn Privacy Policy, please apply via email. This will in no way affect how we evaluate your fitness for the job ad.