Privacy Policy
Effective date: [EFFECTIVE_DATE]. This Privacy Policy explains how [COMPANY_NAME_AB], a Swedish limited liability company, handles personal data in connection with Fonoria, our B2B SaaS platform for suppliers, resellers, and commercial teams.
1. Who is responsible
[COMPANY_NAME_AB] is responsible for personal data that we process as controller for our own business operations, including account administration, billing, security, support, marketing to business contacts, service analytics, legal compliance, and communications with prospective customers.
For personal data that a Customer or its authorized users submit into a Fonoria workspace, the Customer is normally the controller and [COMPANY_NAME_AB] is normally the processor. In that case, our processing is governed by the Customer's instructions, our data processing agreement, and Article 28 of the EU General Data Protection Regulation (GDPR). Privacy questions can be sent to [SUPPORT_EMAIL].
2. Personal data we process
Fonoria is designed for business use, but business information may still contain personal data. We may process account names, business email addresses, phone numbers, job titles, company names, billing contacts, authentication records, role assignments, profile settings, language preferences, notification settings, support messages, feedback, CRM notes, supplier or reseller contact details, audit logs, device and browser information, IP addresses, and usage metadata.
We may also process commercial records connected to product lists, stock updates, quotes, order preparation, supplier relationships, reseller relationships, alerts, exports, billing events, subscriptions, and administrative decisions. Customers should avoid submitting unnecessary special category data, national identification numbers, payment card data outside approved payment flows, or personal data that is not needed for the business workflow.
3. Sources of personal data
We receive personal data directly from users during registration, onboarding, workspace use, support conversations, billing setup, forms, feedback, and communications. We may also receive data from the Customer's administrators, invited team members, suppliers, resellers, payment providers, authentication providers, email providers, analytics tools, security logs, integrations, or public business sources used for company verification.
Where a Customer provides personal data about its personnel, suppliers, resellers, or other business contacts, the Customer is responsible for giving appropriate privacy notices and ensuring it has a lawful basis for sharing that data with Fonoria.
4. Purposes and GDPR legal bases
We process personal data to provide and secure the platform, create and manage accounts, approve onboarding, assign roles, deliver dashboards, process supplier and reseller workflows, maintain audit trails, send operational notifications, provide support, administer subscriptions, issue invoices, prevent fraud, troubleshoot incidents, improve the product, and comply with legal obligations.
Our GDPR legal bases may include performance of a contract or pre-contractual steps, legitimate interests in operating and securing a B2B SaaS platform, compliance with legal obligations, consent where required for optional communications or non-essential cookies, and the Customer's documented instructions where we act as processor.
5. Processor obligations and customer instructions
When we act as processor, we process Customer Personal Data only on documented instructions from the Customer, including instructions reflected in the agreement, product configuration, user actions, support requests, and applicable data processing agreement. We assist Customers with GDPR obligations where reasonably possible and legally required, including data subject requests, security measures, breach notifications, data export, and deletion or return of data at the end of service.
Customers are responsible for configuring access controls, limiting user permissions, reviewing invitations, keeping workspace data accurate, and responding to data subject requests where the Customer is the controller. We may refuse or delay instructions that are unlawful, technically unsafe, outside the agreed service scope, or likely to violate another party's rights.
6. Sharing and subprocessors
We may share personal data with carefully selected service providers that help us host infrastructure, provide databases, authenticate users, send email, process payments, provide analytics, manage support, monitor security, back up data, and operate the platform. These providers may process personal data only under appropriate contractual, confidentiality, security, and data protection obligations.
We may also disclose information where necessary to comply with law, respond to lawful requests, enforce agreements, protect the platform, investigate misuse, complete a corporate transaction, work with professional advisers, or resolve disputes. We do not sell personal data. If we introduce material subprocessors for Customer Personal Data, we will provide notice or information as required by the applicable data processing agreement.
7. International transfers
Fonoria is operated from Sweden for European B2B customers, but some service providers or support operations may involve processing outside Sweden, the European Union, or the European Economic Area. Where personal data is transferred internationally, [COMPANY_NAME_AB] will use appropriate safeguards required by GDPR, such as adequacy decisions, EU Standard Contractual Clauses, transfer impact assessments where required, and supplementary measures appropriate to the risk.
Customers should review the applicable subprocessor list or data processing agreement for details about hosting regions, support locations, and transfer safeguards relevant to their subscription.
8. Retention and the Swedish Bookkeeping Act
We keep personal data only for as long as necessary for the purposes described in this Policy, including platform operation, customer administration, security, billing, legal compliance, dispute resolution, backups, and auditability. Retention periods vary depending on account status, workspace configuration, contractual commitments, legal duties, and whether the data forms part of a business record.
The Swedish Bookkeeping Act (bokföringslagen) may require [COMPANY_NAME_AB] and Swedish Customers to retain invoices, accounting records, supporting documentation, and related digital information for statutory retention periods. Where information in Fonoria is relevant to bookkeeping or audit obligations, deletion requests may be limited by legal retention requirements. Customers remain responsible for determining whether their exports, order records, quotes, invoices, and supporting documentation must be retained under Swedish or other applicable bookkeeping rules.
9. EU Data Act and business data portability
The EU Data Act may apply to certain data access, sharing, portability, and switching requests involving data generated by connected products, related services, or data processing services. Fonoria may store customer-entered business data, generated workflow data, usage metadata, audit logs, and integration data. To the extent the EU Data Act applies, [COMPANY_NAME_AB] will handle eligible requests in line with applicable law and the rights of other parties.
Data access or export requests may be scoped to protect personal data, trade secrets, security information, confidential supplier or reseller terms, third-party rights, and records that [COMPANY_NAME_AB] must retain for legal, accounting, or security reasons.
10. Cookies and similar technologies
Fonoria may use cookies, local storage, session storage, pixels, and similar technologies to keep users signed in, secure sessions, remember preferences, measure platform performance, troubleshoot errors, and understand product usage. Essential storage is required for core functionality. Optional analytics or marketing technologies will be used only where permitted and, where required, after consent.
More detail is provided in the Cookie Notice. Users can control cookies through their browser settings, but blocking essential storage may prevent secure login, workspace access, or core platform features from working properly.
11. Security
[COMPANY_NAME_AB] uses technical and organizational measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. Measures may include role-based access controls, authentication safeguards, encryption in transit, logging, backups, least-privilege administration, vulnerability management, provider due diligence, and operational monitoring.
No system is perfectly secure. Customers must protect credentials, manage user access, use appropriate devices and networks, review workspace permissions, and report suspected security incidents to [SUPPORT_EMAIL] without undue delay.
12. Data subject rights
Depending on the circumstances and applicable law, individuals may have rights to access, rectify, erase, restrict, object to, or receive a copy of their personal data, and to withdraw consent where processing is based on consent. Individuals also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or another competent supervisory authority.
Where [COMPANY_NAME_AB] acts as processor, we will normally refer the request to the relevant Customer or assist the Customer in responding. To help us handle a request, please include enough information to identify the account, workspace, company, and data concerned, but do not send unnecessary sensitive information by email.
13. Automated processing and AI-assisted features
Fonoria may use automated rules, search, filters, alerts, analytics, and AI-assisted tools to help organize product data, detect platform events, prepare administrative views, or improve workflows. These features are designed to support business users and administrators, not to make legally binding decisions about individuals without human involvement.
Customers are responsible for reviewing AI-assisted or automated outputs before relying on them for commercial, legal, accounting, or compliance decisions. Where AI providers process Customer Personal Data as subprocessors, appropriate contractual and technical safeguards will apply.
14. Business communications
We may send service messages, security notices, account updates, billing notices, onboarding guidance, support replies, and administrative communications. We may also send B2B marketing or product updates where permitted by law and subject to opt-out rights.
Users can manage certain notification preferences in the platform or by contacting [SUPPORT_EMAIL]. Some operational, legal, security, and billing messages cannot be disabled because they are necessary for the service relationship.
15. Changes and contact
We may update this Privacy Policy to reflect changes in Fonoria, our providers, legal requirements, data processing practices, or security measures. Material changes will be communicated through reasonable channels, such as the platform, email, account notices, or an updated effective date.
Questions, requests, or concerns about privacy should be sent to [SUPPORT_EMAIL]. If a Customer has appointed its own privacy contact or data protection officer, users should also contact that Customer for questions about workspace data controlled by the Customer.