
Privacy Policy
Elastisys Privacy Policy
Last updated: 2026-01-30 (revision 2 — minor corrections) | Author: DPO | Reviewed by: Management team | Approved by: CEO | Information owner: CEO
The latest version is available on our website.
Data of our Customers is processed only according to Appendix 1 Data Protection Agreement in our Terms of Service.
Introduction
Elastisys prides itself on being a data protection and privacy front-runner. Therefore, we take privacy seriously.
No “we value your privacy” BS. No “dark pattern” consent forms. No complicated cookie banners that try to trick you. No profiling.
We process personal data for various purposes, each with its own privacy policy. Please read the full details below.
Your Rights
You have the right to:
- access your personal data;
- request rectification or erasure of your personal data;
- object to the processing of your personal data;
- withdraw your consent to the processing of your personal data at any time;
- file a complaint with the Swedish Authority for Privacy Protection (IMY).
Contact Information
If you have any questions or concerns about our privacy policy or wish to file a complaint under GDPR, the EU ePrivacy Directive or the EU Digital Services Act, please contact our Data Protection Officer (DPO) at dpo@elastisys.com.
Name and contact details of the Data Controller:
Elastisys AB
Organization number 556873-6135
Kuratorvägen 2A, 907 36 Umeå, Sweden
Privacy Policy for elastisys.com and elastisys.io
Purpose
We collect personal data for the following purposes:
- track campaign success;
- understand visitor demography and website journey.
Personal Data We Process
We collect:
- IP address (anonymized to /24)
- Location data: city, region, country, longitude/latitude, at a granularity allowed by anonymized IP addresses
- Browser, browser version, device type, operating system, user agent
- Date, time, time zone
- Pages visited (page URLs and page titles)
- Screens visited
- Referrer URL
- Marketing campaign URL parameters
- Files clicked and downloaded
- Links to an outside domain that were clicked
- Screen resolution
- Session recording storing the HTML page, and all mouse events (movements, scrolls, locations and clicks), and keypresses
- Search terms used on the internal search engine of a mobile or web property
- Content pieces
- JavaScript errors
- User ID
- Media titles and URLs
- Participation in A/B tests
You can find more information under:
- CNIL’s assessment on cookieless tracking
- Matomo cookieless tracking
- Configure Privacy Settings in Matomo
- Matomo Cloud Data Processing Agreement (DPA)
Legal Basis
We believe we have a legitimate interest in processing IP addresses for the purpose of tracking campaign success and understanding visitors. IP addresses are expected to belong to corporate network endpoints and not identify data subjects. Furthermore, we anonymize IP addresses as soon as technically possible. Hence the impact on your privacy as a data subject is minimal.
Retention
Raw data (which contains personal data) is retained for a maximum of 24 months. Report results (which no longer contain personal data) may be retained indefinitely.
Protection of Personal Data
We protect personal data as follows:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| InnoCraft | tracking and analytics | EU | New Zealand | Matomo Cloud DPA |
| Oderland Webbhotell AB | website hosting elastisys.com | Sweden | Sweden | DPA stored internally |
| GitHub, Inc. | website hosting elastisys.io | Global | US | DPA |
As of 2023-04-18, the US is a third country. See what this means on IMY’s website: EN SE.
Cookies and Similar Technologies
We only use cookies and similar technologies in ways that do not invade your privacy and that are exempt from requiring your consent, according to Article 5.3 of Directive 2009/136/EC (a.k.a. the ePrivacy Directive).
We only use your browser’s session storage to keep track of:
- whether you’ve closed the information box informing you about our privacy policy;
- whether you chose light or dark mode.
According to Opinion 04/2012 on Cookie Consent Exemption, this qualifies as “UI customization cookies” and does not require consent, if stored for no longer than a browser session or no more than a few additional hours.
| Name | Type | Domain | Purpose | Expiration | Vendor |
|---|---|---|---|---|---|
| consentDismiss | sessionStorage | elastisys.com | We use this to remember if you dismissed the no-consent-needed popup. | Session | Elastisys |
| /welkin/.__palette | sessionStorage | elastisys.io | We use this to remember if you have chosen light or dark mode. | Session | Elastisys |
To understand website visitor interactions, we use cookieless tracking technology by Matomo. Read more about cookieless tracking under:
Automated Decision-Making, Including Profiling
We don’t use automated decision-making or profiling.
IT Systems Outside the Scope of this Privacy Policy
We may link to various external websites, such as Google, YouTube, LinkedIn, Twitter, Instagram and Calendly. We make it very clear when you are about to exit our websites. By continuing to navigate to external websites, you accept their privacy policies. For your convenience, please find the privacy policies of these external websites below:
- Facebook Privacy Policy
- Google / YouTube Privacy Policy
- LinkedIn Privacy Policy
- Twitter Privacy Policy
- Instagram Privacy Policy
- Calendly Privacy Policy
Privacy Policy for Business Contacts
Purpose
We collect personal data for the following purposes:
- discuss our offers;
- fulfill our business agreements;
- improve customer satisfaction.
Personal Data We Process
We collect business contact information, such as first name, last name, business email address, business phone number, title and LinkedIn profile URL.
Legal Basis
For discussing our offers, we process personal data based on legitimate interest. Please find our Legitimate Interests Assessment below.
We collect personal data as part of our surveys based on your consent (GDPR Art. 6 § 1.a).
Otherwise, we process personal data because it is necessary to fulfill our business agreement (GDPR Art. 6 § 1.b).
Retention
Business contact information is retained for as long as:
- we have an active dialog about our offers; or
- we have a business relationship.
Note that invoices may contain business contact information. We need to store those for at least 7 years, as required to comply with Swedish Accounting Laws (Bokföringslag 1999:1078).
Personal data in connection with surveys is stored until you withdraw your consent.
Protection of Personal Data
We protect personal data as follows:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Upstream Business Solutions AB | Customer Relationship Management | Sweden | Sweden | DPA |
| Telavox AB | Phone communication, storing contact information | Sweden | Sweden | DPA is stored internally |
| GetAccept AB | Managing contracts | US | US, Germany | DPA |
| Google Cloud EMEA Limited (Workspace, GMail, Drive) | Email communication, storing contact information | Global | US | DPA |
| SurveyMonkey Europe UC | Customer Surveys | Global | US | DPA |
As of 2023-03-16, the US is a third country. See what this means on IMY’s website: EN SE.
Legitimate Interests Assessment
Our assessment, based on the EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, looks as follows:
- Purpose test:
  - We need to get in touch with people who might be interested in our offers.
  - Without this activity, we would not be able to grow our business.
- Necessity test:
  - We need to process business contact information to pursue the legitimate interest described above.
  - Some public business contact information cannot be obtained with prior consent. This includes contact information which you made available on your company website. (For example: How would we write an email to ask for your consent without processing your email address in our email client first?)
- Balancing test:
  - We only collect contact information found in a business context, such as company websites.
  - We only collect your information if we assessed that you would likely benefit from knowing about our offering.
  - This information is already public, hence neither sensitive nor private.
  - In our experience, such usage of public business contact information can be expected, as long as the email is hand-written and tailored manually to the interests of the recipient.
  - Swedish law allows for such communication on an opt-out basis. See Marknadsföringslag (1995:450) 13 b § 2st. “Obeställd reklam” and E-privacy Directive 2009/136/EC Article 13 “Unsolicited communication” paragraph 3.
  - Elastisys does not work with automated electronic communication, such as marketing, sequencing or equivalent, whether email, LinkedIn or similar. As an organization, we do not believe that an automated first contact is an effective and appreciated way of doing business with other organizations.
  - We only send automated emails if you gave your consent, for instance by subscribing to a newsletter or Terms of Service updates.
  - As a result, we assess that an individual would reasonably expect us to process their personal data for the specific purpose, in the specific context and with the limitations described above.
Privacy Policy for Event Attendees
If you attend our events, your personal data is processed according to the Confetti Privacy Policy – Attendee.
Privacy Policy for Badge Earners
If you choose to earn a badge via Credly, then Elastisys will transfer your first name, last name, email address and Credential to Credly.
Your personal data is then processed according to the Credly Privacy Policy.
Privacy Policy for Office Visitors
Purpose
We collect personal data for the purpose of visitor management.
Personal Data We Process
We collect your name, company affiliation, mobile phone and which Elastisys employee you are visiting.
Legal Basis
We process personal data based on legitimate interest (GDPR Art. 6 § 1.f).
Our assessment, based on the EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, looks as follows:
- Purpose test: We need to know who visited our offices to ensure physical security of our offices. This is required to maintain our ISO 27001 certification.
- Necessity test: We need to collect visitor information to help us deter information security incidents at our offices and also investigate information security incidents after-the-fact.
- Balancing test: Individuals visiting an ISO 27001-certified company like Elastisys reasonably expect their personal data to be collected when visiting the company’s premises.
Retention
We retain visitor data for 90 days.
Protection of Personal Data
We protect personal data as follows:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Vizito BV | Visitor Management | Belgium | Belgium | DPA stored internally |
Privacy Policy for Authorized Users
Please read Terms of Service, Appendix 4 “Privacy Policy for Authorized Users”.
Privacy Policy for Recruitment
Purpose
We collect personal data for the purpose of recruitment.
Personal Data We Process
We collect:
- your contact information, such as first name, last name, email address and phone number;
- your CV.
Legal Basis
We collect this information based on consent. By responding to an Elastisys job ad, you consent to the processing of your personal data as laid out in this privacy policy.
Retention
We retain your personal data for as long as we have an active dialog with you plus 12 months. The retention period is based on our desire to keep a pool of candidates, in case we suddenly have a large number of openings. You may remove your personal data earlier by withdrawing your consent.
Protection of Personal Data
We protect personal data as follows:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Google Cloud EMEA Limited (Workspace, GMail, Drive) | Email communication, storing candidate database | Global | US | DPA |
As of 2023-02-03, the US is a third country. See what this means on IMY’s website: EN SE.
Cookies and Similar Technologies
We don’t use cookies and similar technologies.
Automated Decision-Making, Including Profiling
We don’t use automated decision-making or profiling.
IT Systems Outside the Scope of this Privacy Policy
If you apply for jobs via LinkedIn, you accept their privacy policy. For your convenience, please find the privacy policies of external websites below:
If you do not accept the LinkedIn Privacy Policy, please apply via email. This will in no way affect how we evaluate your fitness for the job ad.