Privacy Policy

1. Introduction

We respect your privacy and are committed to protecting your personal data in compliance with:

  • EU General Data Protection Regulation (GDPR)

  • Swedish Data Protection Act (2018:218)

  • ePrivacy Directive (2002/58/EC)

This policy explains how we collect, use, and safeguard data when you:

  • Visit our website ([URL])

  • Use our consulting services

  • Engage with us as a supplier/client

2. Data We Collect

A. From Website Visitors

  • Identity Data: Name, email, company (via contact forms)

  • Technical Data: IP address, browser type, cookies (see Section 6)

  • Usage Data: Pages visited, session duration (Google Analytics)

B. From Clients/Suppliers

  • Business Contact Data: Name, title, email, phone

  • Contractual Data: Purchase history, NDA terms, payment details

  • Operational Data: Production volumes, cost structures (for service delivery)

Sensitive Data

We do not collect:
  • Racial/ethnic origin

  • Political opinions

  • Health data (unless required for workplace accommodations)

3. Legal Basis & Purpose

We process data under these GDPR Article 6 grounds:

| Purpose | Legal Basis |
|---|---|
| Service delivery | Contractual necessity |
| Marketing (e.g., newsletters) | Consent (opt-in required) |
| Legal compliance (e.g., invoicing) | Legal obligation |
| Supplier negotiations | Legitimate interest |

4. Data Sharing & Transfers

We may share data with:

  • Subprocessors:

    • Cloud storage (Google Drive – EU servers)

    • Accounting software (Fortnox – Sweden-based)

  • Authorities: When required by Swedish law (e.g., Skatteverket)

International Transfers: If data leaves the EU, we use:
✓ GDPR-approved Standard Contractual Clauses (SCCs)
✓ EU-US Data Privacy Framework-certified providers

5. Data Retention

We delete data when no longer necessary:

  • Client contracts: 7 years (Swedish accounting law)

  • Marketing contacts: Until consent withdrawal

  • Supplier bids: 3 years post-project

6. Cookies & Tracking

We use:

  • Necessary cookies (session management) – No consent required

  • Analytics cookies (Google Analytics) – Consent via cookie banner

  • Marketing cookies (LinkedIn Ads) – Opt-in only

7. Your Rights

Under GDPR, you may:

  • Access your data (free copy within 30 days)

  • Request correction/deletion

  • Restrict processing

  • Object to direct marketing

  • Lodge complaints with the Swedish Authority for Privacy Protection (IMY)

Requests: Email leon@cotlyn.com with proof of identity.

8. Security Measures

We implement:

  • Encryption (TLS 1.2+ for web traffic)

  • Access controls (role-based permissions)

  • Regular security audits

9. Policy Updates

We notify users of material changes via email or website banners.

Approved by: Leon Borges
Title: CEO
Date: 27/4-2025