INTRODUCTION:
In this privacy policy, you can read about how Jonas & Linda AB with organisation number 559509-1447 (referred to as "we," "our," "us") processes personal data. References to "you," "your," refer to the registered person whose personal data we process.
We have compiled information on, among other things, what personal data we process, why processing takes place, and where it is stored. We also describe who personal data may be shared with, what rights the registered individuals have under GDPR, and other information about our processing of personal data. This privacy policy covers all types of personal data, in both structured and unstructured data.
We review the contents of this privacy policy at least once a year and as needed to ensure that the information is accurate and up-to-date. The latest version is always published on our website.
DEFINITIONS:
The following terms shall have the meanings set forth below, both when expressed in the plural and singular:
Client: A person who orders our services.
Payment service provider:
A third party that processes payments from clients or performs invoicing on our behalf.
Personal data:
Any data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable living individual, is personal data under GDPR. Common examples of personal data include name, phone number, address, email address, user ID, credit card number, vehicle registration number, IP address, etc.
Registered:
The physical person who can be identified by the personal data.
Processing:
Processing of personal data can occur in different ways. Anything that happens to personal data, automated or otherwise, is a form of processing. Processing can be done by a single action or by a combination of actions. Examples of common processing of personal data are storage, deletion, sharing, loading, registration, copying, collection, organization, use, adjustment, destruction, etc.
Controller:
The person who determines the purpose of a particular processing of personal data and how processing should be carried out is considered the controller under GDPR. Natural persons, legal entities, authorities, institutions, or other bodies can be data controllers.
Processor:
The person who processes personal data on behalf of a data controller, in accordance with the controller's instructions, is considered a processor under GDPR.
Third party:
Third party means anyone other than the data controller (and those authorized to process the personal data), registered individuals, or the processor (and those authorized to process the personal data). A third party can be a legal person or a natural person, institution, authority, or other body.
GDPR:
The European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC:
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.
Any other GDPR-related terms that are not defined here shall have the same meaning in this privacy policy as set out in Article 4 of the GDPR.
Data Controller.
"We are the Data Controller for all Processing of Personal Data carried out by us or on our behalf, to the extent that we determine the means and purposes of the Processing (according to the principle of accountability).
Your personal privacy is very important to us, and we handle all Personal Data that we have access to with care and do not share the Personal Data with unauthorized parties.
Our Processing of Personal Data is carried out in accordance with the GDPR (and SCC where applicable) as well as the fundamental principles of data protection.
How we access Personal Data that we process
The most common way we receive your Personal Data is when you contact us, enter into an agreement with us, provide information to us in connection with the provision of our services, or when you register to receive newsletters from us.
Categories of Personal Data we process
In accordance with the principle of data minimization, we only process Personal Data that is adequate, necessary, and relevant to fulfill the purposes for which it was collected.
We primarily process the following categories of Personal Data:
Identification information: first name, last name, personal identification number, or equivalent.
Contact information: telephone number, email address, address, user ID for social media.
Financial information:
The last four digits of the payment card used to complete the payment for the Service, as well as information on whether it was a Visa or Mastercard.
Sensitive personal data:
Any sensitive personal data that you choose to voluntarily disclose to us, such as information about health, ethnic origin, sexual orientation, religious beliefs.
Other personal data:
Any other personal data that is provided to us, such as information included in a message sent to us or information provided in connection with the performance of the Service (during sessions), such as partners and children's names, ages, backgrounds, goals, etc.
Purpose and legal basis for processing
In accordance with the principle of purpose limitation, we only process personal data for specific, explicitly stated and legitimate purposes. In addition, each processing activity is legally based in accordance with the provisions of the GDPR.
We primarily process personal data on the basis of one of the following legal bases: contract, consent, legitimate interest, or legal obligation.
You may need to disclose your personal data in order to enter into a contract with us, receive the services you have ordered, or for us to fulfill legal or contractual obligations. Unless otherwise specified, you will not suffer any negative legal consequences if you do not provide us with your personal data. In some cases, it may be optional for you to provide your personal data to us, but if you do not provide the personal data we request, we may not be able to handle the matter in question or enter into a contract with you.
When the processing of your personal data is based on your consent, you have the right to revoke your consent at any time without affecting the legality of the processing based on the consent prior to its revocation.
When processing personal data based on legitimate interest as the legal basis, our assessment is that the processing does not constitute any infringement of your right to privacy and data protection. We have reached this conclusion after balancing the interests of the processing in question against your interests and right to privacy. However, we never process sensitive personal data on the basis of legitimate interest as the legal basis.
Below, you can read more about the legal basis and purposes of our processing of personal data.
1. When you visit our website:
This website uses cookies. The use of non-essential cookies only occurs if you give your consent to it. You can withdraw consent at any time (without affecting the lawfulness of the processing carried out based on the consent before its withdrawal). Legal basis for processing: Consent.
You can read more information about how cookies are used in the website's cookie policy:
https://mastermanifester.se/cookie
2.When contacting us:
2.1 When we receive contact via email, phone, or social media:
We may have access to the following Personal Data when we receive contact via email, phone, or social media: first name, last name, phone number, email address, user ID from social media (if applicable), message content, and other information that you provide to us.
In our assessment, both we and you have a legitimate interest in processing the Personal Data so that we can know who we are speaking with and keep in touch regarding the matter.
We also assess that the processing is necessary for a purpose related to a legitimate interest, and that your interest in protecting your Personal Data does not outweigh that legitimate interest, and that the processing does not infringe on your fundamental rights and freedoms.
Providing the Personal Data to us is voluntary, meaning that it is not a statutory or contractual requirement or a requirement necessary to enter into an agreement with us, and you are not obliged to provide the Personal Data, but the potential consequences of not providing such data are that we will not be able to handle the matter.
Legal basis for processing: Legitimate interests.
2.2 When you fill out a contact form on our website to schedule a call:
You can contact us by filling out a contact form on our website to schedule a call with us. In doing so, we gain access to the following personal information belonging to you: first name, last name, phone number, email address, responses to all the questions requested in the form, and any information you include in the free text field.
Providing your first name, last name, phone number, email address, and responses to all the questions requested in the form is mandatory for the message in question to be sent to us.
However, providing this information is not a statutory or contractual requirement, but it is a necessary requirement to be able to book an initial consultation call. You are not obligated to provide this information, but the possible consequences of not doing so are that you cannot make the booking.
Before the message is sent to us, you give your active consent to our Processing of your Personal Information in accordance with the above by checking a checkbox for approval.
Legal basis for the Processing: Consent.
3. When you complete payment for our services through our website:
When you complete payment for our services through our website, we gain access to your Personal Information that you provide in connection with the purchase process. We process Personal Information belonging to you in order to fulfill the purchase agreement regarding the order.
We need to process the following Personal Information to perform the purchased service: your name, personal identification number, email address, and phone number.
Providing the above Personal Information to us is necessary for us to enter into a purchase agreement with you and for us to be able to fulfill our contractual obligations. The possible consequences of not providing such information to us are that we cannot fulfill the purchase agreement.
Legal basis for the Processing: Contract.
Payment is made through the payment solutions integrated into the website and provided by Payment Service Providers. The information you register in the Payment Service Provider's payment solution is also shared with the Payment Service Provider. You are responsible for reading the Payment Service Provider's terms and privacy policy.
The Payment Service Provider's terms can be found on their website.
4.When processing orders, the following information is collected:
4.1 Payment Information
When you make a payment through the website, we collect the following payment information: payment method, the last four digits of the card used for payment, and whether it was a Visa or Mastercard. We process this information to track your payments and link them to your orders, to facilitate the delivery of your order, and to fulfill our contractual obligations under the agreement.
Legal Basis for Processing: Contract
4.2 Accounting Records
We process the following accounting records within the scope of our business: invoices, receipts, and other accounting records that we are required to process and store in accordance with the Swedish Tax Agency's requirements and/or applicable legislation, such as the Accounting Act (1999:1078). Accounting records and verifications may in some cases contain personal data, such as name, address, order information, and any other contact information for the client. Such data is stored for as long as the law requires.
Legal Basis for Processing: Legal Obligation
5.In connection with our sessions/execution of service
In connection with performing a session or other service included in the ordered service, we have access to the personal data provided by the client. We take notes during the service to offer personalized treatment based on the client's situation and needs, and these notes are also used to follow up on the client's progress.
The client is responsible for and decides on the information, including personal data, provided to us in connection with the service's execution, such as information about their life situation, family relationships, etc. Providing this information is voluntary, meaning it is not a statutory or contractual requirement or a requirement necessary to enter into an agreement with us. However, failure to provide such information may affect the quality of the analysis, which may affect the service's outcome.
We store our notes from sessions and meetings with the client even after the service is completed, to be able to offer continued personal service in case the client returns and hires us again. The notes are stored securely and archived when the service is completed.
Legal Basis for Processing: Contract
6. When you receive newsletters from us:
If you have made a purchase of our services, we may send newsletters to the email address that you have registered with your purchase, which we believe may be of interest to you and for marketing our services.
In our assessment, both we and you have a legitimate interest in processing your email address for the above purposes. The processing is necessary for a purpose related to a legitimate interest, and your interest in protecting your personal data does not outweigh our legitimate interest in direct marketing of our services. Our assessment is that the processing in question does not infringe on your fundamental rights and freedoms.
Legal basis for the processing: Legitimate interest.
You can also voluntarily consent to receive newsletters from us before making any purchase of our services by registering your email address for that purpose through our website.
Legal basis for the processing: Consent.
6.1 Unsubscribe from newsletters
If you no longer wish to receive newsletters or marketing from us via email, you can object to this at any time by clicking on the unsubscribe link at the bottom of each email.
If you unsubscribe from newsletters, you will be removed from the email list of newsletter recipients, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive multiple newsletters from us. In our assessment, both we and you have a legitimate interest in processing personal data for this purpose. The processing is necessary for a purpose related to a legitimate interest, and your interest in protecting your personal data does not outweigh our legitimate interest. Our assessment is that the processing in question does not infringe on your fundamental rights and freedoms.
Legal basis for the processing: Legitimate interest.
If you want your email address to be deleted from the block list as well, you can contact us via email and request this. You are hereby informed that if your email address is deleted from the block list, it means that you may receive newsletters from us again if you or someone else registers your email address to receive newsletters again.
7. Other purposes for our processing of personal data:
If we are obliged by law, court or authority decision to process certain personal data, the processing is done with legal obligation as legal basis. The processing is only done to the extent necessary for us to fulfill our legal obligations and we only process necessary personal data for as long as the law requires (in accordance with the principle of storage minimization).
Storage Location
We strive to store all Personal Data that we process within the EU/EEA area, in accordance with the principles of integrity and confidentiality. If Personal Data is stored in a country outside the EU/EEA area, we will ensure that such storage location provides an adequate level of protection in accordance with the provisions of GDPR and SCC.
Storage Period
Personal Data is stored for as long as necessary to fulfill the purposes for which it was collected. When Personal Data is no longer needed for the purposes, it is either deleted or anonymized in accordance with the principle of storage minimization.
Identification information, contact information, and financial information belonging to clients are stored for up to seven (7) years after payment is completed. This is stored so that we can handle cases in accordance with applicable consumer protection legislation and to match a payment to a receipt while we are required to store such accounting records in accordance with applicable legislation.
Transfer of Personal Data
Based on our legitimate interest, we may transfer and process Personal Data with support from the balancing of interests as a legal basis for carrying out the actions specified below:
✓Personal Data that we process is not shared with unauthorized persons. However, we may transfer Personal Data to someone else, such as authorities, if it is necessary to:
✓prevent, detect, prevent, or investigate criminal activity,
✓protect our interests and our property,
✓comply with applicable laws
✓and more.
We may transfer Personal Data to regulatory authorities, other public entities, legal advisers, external consultants, and partners in accordance with applicable data protection laws if such transfer is necessary for us to comply with legal obligations or to satisfy our legitimate interests.
In the event of a sale of our business, merger or similar transaction, Personal Data may be transferred to third parties involved in the transaction.
We may also share Personal Data with contracted data processors, such as web developers, document management systems, accounting consultants, freight carriers, and others, for purposes including:
✓Protecting our legal interests,
✓Fulfilling our contractual and legal obligations,
✓Detecting and preventing technical, operational, or security issues, and
✓Providing, improving, and maintaining our website.
Before sharing any Personal Data with such service providers acting as data processors on our behalf, we enter into a data processing agreement with them in accordance with the provisions of the GDPR (or SCC if the data processor is located in a country outside the EU/EEA). This is to ensure safe and proper processing of Personal Data.
We have concluded that we have a legitimate interest in processing Personal Data for the purposes set out above, and that our legitimate interest does not infringe on your right to privacy and data protection, and that your interest in protecting your Personal Data does not outweigh ours.
Legal basis for processing:
Legitimate interest
.
Technical and organizational security measures
We take various technical and organizational security measures focused on the integrity of the data subjects. The measures are intended to protect against intrusion, abuse, loss, destruction, and other changes that may pose a risk to integrity (in accordance with the principles of confidentiality and integrity).
Below are some examples of security measures we take:
✓We have designated a contact person for data protection matters.
✓Access to our databases and IT systems requires a password.
✓Our employees are obliged to maintain confidentiality regarding, among other things, Personal Data processed within the scope of the operation.
✓We follow the basic data protection principles in all processing of Personal Data.
Rights under GDPR registration
If we process your personal data, you have various rights under the General Data Protection Regulation (GDPR) regarding our processing of your personal data. Below is a description of these rights:
Right to information:
You have the right to receive information about our collection and use of your personal data when we process your personal data. This privacy policy has been created to provide you with information about our processing of personal data. Additionally, you have the right to request information about the processing of your personal data. In certain cases, we must also inform you if there has been a personal data breach involving your personal data, such as a data breach.
Right of access:
You have the right to know whether we are processing your personal data and to access the personal data we are processing, as well as information about how the personal data is used. If we are processing your personal data, you have the right to receive a copy of the processed personal data in the form of a register extract (a summary of the personal data we are processing about you). You also have the right to information about, among other things: the categories of personal data we process, the purpose of the processing, the duration of the processing, how we collected the personal data, who has accessed the personal data, and more. The purpose of the register extract is for you to be able to verify the legality and accuracy of the information. However, this does not mean that you have the right to receive the documents containing the processed personal data.
Exceptions to the right of access:
There may be situations where the disclosure of certain information would disadvantage other individuals, where other legislation or exceptions prevent the disclosure of certain information or register extracts. In such situations, we may not disclose the information in question, and there may therefore be information about you that you do not have the right to access.
Right to rectification:
We are responsible for ensuring that the personal data we process is accurate and up-to-date over time. However, it may happen that personal data is incorrect or incomplete. If we process personal data about you that is incorrect or incomplete, you have the right to contact us to have your personal data corrected. After we have corrected the information, we will notify you of this, provided that it is not too burdensome for us.
Right to erasure:
We will delete your personal data at your request if the data is no longer needed for the purposes for which it was collected. This is also known as the "right to be forgotten." In addition, there are other occasions when we must delete your personal data that we are processing. For example, when they are no longer necessary for the purposes for which they were collected, when the legal basis is consent and you withdraw your consent, when you object to direct marketing, when the processing is not lawful, and more. When we delete your personal data at your request, we will inform you after the deletion has been completed, provided that it is possible and not too burdensome for us.
Exceptions to the right to erasure:
However, we have the right to continue processing your personal data and not delete it despite your request if the processing is necessary to:
a) comply with the right to freedom of expression and information,
b) comply with a legal obligation,
c) perform a task in the public interest or exercise official authority,
d) defend, establish or exercise legal claims,
e) archive for purposes of public interest or for statistical, historical, or scientific purposes, or
f) for reasons of public interest in the area of public health
Right to limitation:
In certain cases, you have the right to request that our processing of your personal data be restricted. This means that the personal data can only be processed in the future for the specific purpose of limitation. Examples of situations where this right applies to you include when the personal data we process is inaccurate and you ask us to correct it. Additionally, we will inform you when the restriction is lifted.
Right to data portability:
In some cases, you have the right to request that we transfer your personal data to you or another third party. This right is also called the right to data portability. You are hereby informed that this right only applies if the processing of personal data is carried out automatically, and only if our processing is based on an agreement that you are a party to or based on your consent. Transfer of personal data to another company also only occurs if it is technically feasible. If you have the right to data portability, we will provide your personal data in a structured, commonly used, machine-readable format upon your request.
Right to object:
You have the right to object when your personal data is processed to: 1) perform a task in the public interest, 2) as part of the exercise of official authority, or 3) when processed based on a balancing of interests.
If you object to the processing of your Personal Data under this right, we will cease processing unless our interests outweigh your interests, rights, and freedoms. If this is the case, we will inform you of the balancing test we have undertaken and our interests. If we process your Personal Data for direct marketing purposes, you have the right to request that we immediately cease processing your Personal Data for that purpose. In such cases, we will also inform you when we have deleted your Personal Data upon your request.
Rights when automated decisions are made:
In short, automated decisions refer to processing that is automatic, such as through algorithms, where Personal Data is processed to assess and analyze personal characteristics of a person. Automated decisions can have legal effects on or significantly affect the Data Subject, and if so, the Data Subject has the right not to be subject to the automated decision. If an automated decision has been made, with or without profiling, you have the right to request a review of the automated decision or to contest it.
How to exercise your rights:
You are welcome to contact us using the contact information provided below if you would like to exercise any of the aforementioned rights regarding your Personal Data that we process.
Exercising these rights is free of charge, provided that your requests are not excessive, repetitive, or manifestly unfounded. In such cases, we may charge a reasonable fee to process your request or refuse to carry out your request.
Before we handle or respond to your request, we may need to request additional information from you to confirm your identity.
We will inform you of our handling of your request without undue delay and no later than one (1) month after receiving your request. If the request is complex or if we have received a large number of requests, this period may be extended by an additional two (2) months. In such cases, we will notify you of the extension within the first month after receiving your request.
If we cannot fulfill your request due to applicable law or other exceptions, we will notify you of this and explain the reasons why we cannot fulfill your request (within the limitations of the law).
Personal Data Incidents
According to GDPR, a personal data incident refers to a security incident that has resulted in the destruction, loss, alteration, or unauthorized disclosure of processed personal data. An incident can be intentional or unintentional, for example, due to negligence or because of a crime (such as a data breach). We follow the provisions of GDPR regarding the handling, reporting, and documentation of personal data incidents.
When required by GDPR, we will report any personal data incidents that occur to the Data Protection Authority within 72 hours and notify the affected data subjects of the incident.
Changes
The contents of this privacy policy may be updated from time to time without prior notice. For example, if necessary to clarify something, due to changes in or new legislation, or if our processing of personal data changes. You are responsible for reading the content of the current privacy policy and keeping yourself informed of any changes.
The latest version is always published on our website.
Questions or complaints
If you have any questions or concerns, or are dissatisfied with our processing of your personal data, you are always welcome to contact us.
Below are our company and contact details:
Company:
Jonas & Linda AB
Organisation number:
Email:
Our contact person for personal data matters:
We have also appointed a contact person for personal data matters whom you can contact if you have any questions regarding our processing of personal data.
Name:
Jonas Hereora
Email:
You also have the right to contact the Swedish supervisory authority to file a complaint regarding our processing of your personal data.
Name: The Swedish Data Protection Authority (IMY).
Telephone: 08-657 61 00.
Email:
Postal address: The Swedish Data Protection Authority, Box 8114, 104 20 Stockholm.