Privacy Notice

This Privacy Notice explains how Spawnback AB processes personal data when you visit our website, create or use an account, purchase or use our services, contact us, or otherwise interact with us.

1. Who is responsible for your personal data

Spawnback AB, organisationsnummer 559579-8165, Prästvägen 12, 246 30 Löddeköpinge, is the controller for the personal data described in this Privacy Notice, except where we clearly state that we act as a processor on behalf of a customer.

If you need to contact us about privacy or data protection matters, you may do so via sales@spawnback.com or by post to Spawnback AB, Prästvägen 12, 246 30 Löddeköpinge. If Spawnback AB appoints a Data Protection Officer, that contact information should also be made available to data subjects.

2. When this notice applies

This Privacy Notice applies when you:

  • visit our website;
  • create, administer, or use an account;
  • access our platform, products, or services;
  • subscribe to paid services or interact with billing flows;
  • contact support, sales, or customer success;
  • participate in demos, onboarding, or commercial discussions;
  • interact with us as a customer, prospect, supplier, partner, or representative of an organization.

3. What personal data we may process

Depending on how you interact with Spawnback AB, we may process the following categories of personal data:

Account and identity data

  • name
  • email address
  • username
  • password hash or authentication credentials
  • organization name
  • role, permissions, and account status
  • multi-factor authentication and session-related data

Subscription and billing data

  • billing contact information
  • company and invoicing details
  • subscription plan and status
  • payment status
  • transaction references
  • tax-related information where required

Technical and usage data

  • IP address
  • browser and device information
  • login events
  • audit trails
  • API activity
  • logs, diagnostics, and performance data
  • platform usage events

Communication and support data

  • emails, tickets, and support requests
  • contact form details, including phone number where provided
  • meeting notes
  • attachments you submit
  • feedback and customer communication history

Customer environment data

Where our services are used by an organization, we may process account, usage, and operational data connected to that customer environment.

4. How we collect personal data

We may collect personal data:

  • directly from you;
  • when you create or use an account;
  • when your employer or organization provisions access for you;
  • when you use our website, platform, or APIs;
  • when you contact us;
  • from payment, identity, analytics, hosting, or support providers;
  • from public business sources where permitted by law.

5. Why we process personal data and our legal bases

We process personal data only where we have a valid legal basis.

A. To provide accounts and platform access

We process personal data to create and manage accounts, authenticate users, manage permissions, provide platform functionality, and maintain service continuity.

Legal basis: performance of a contract, steps prior to entering into a contract, and legitimate interests in operating and securing the service.

B. To manage subscriptions, payments, and commercial administration

We process personal data to manage subscriptions, billing, invoicing, renewals, payment status, and customer administration.

Legal basis: performance of a contract, compliance with legal obligations, and legitimate interests in running our business.

C. To operate, secure, and improve the service

We process personal data to monitor availability, prevent abuse, maintain logs, troubleshoot incidents, improve performance, and protect the integrity of our systems.

Legal basis: legitimate interests and, where applicable, compliance with legal obligations.

D. To provide support and customer communication

We process personal data to respond to inquiries, provide support, manage incidents, and communicate about service-related matters.

Legal basis: performance of a contract and legitimate interests.

E. To comply with legal and regulatory obligations

We process personal data where necessary for accounting, tax, recordkeeping, audit, legal requests, dispute handling, and compliance obligations.

Legal basis: compliance with legal obligations and legitimate interests in establishing, exercising, or defending legal claims.

F. To send marketing communications where permitted

We may process personal data to send updates, newsletters, or marketing communications where allowed by law.

Legal basis: consent where required, or legitimate interests where permitted.

6. Payment providers and third parties

Where payments or subscriptions are handled through a payment provider, payment-related data may be processed by that provider under its own privacy and security framework. Spawnback AB may receive payment confirmations, billing metadata, and subscription status information needed to manage the customer relationship, while the payment provider may act as an independent controller for parts of the payment processing.

7. When we act as controller and when we act as processor

In some situations, Spawnback AB acts as a controller, for example for website, account, billing, support, and internal operational data. In other situations, particularly where customer data is processed through services we provide to an organization, Spawnback AB may act as a processor on behalf of that customer.

Where Spawnback AB acts as a processor, the relevant customer remains responsible for determining the lawful basis and providing appropriate privacy information to its own users, employees, or end customers.

8. Who we may share personal data with

We may share personal data with:

  • hosting and infrastructure providers;
  • identity and authentication providers;
  • payment and billing providers;
  • analytics, logging, monitoring, and support providers;
  • professional advisors such as lawyers, auditors, and insurers;
  • public authorities, courts, or regulators where required by law;
  • affiliates or counterparties in connection with a merger, restructuring, financing, or sale of business assets, subject to appropriate safeguards.

9. International transfers

If personal data is transferred outside the EEA, we will only do so where a lawful transfer mechanism is in place, such as an adequacy decision, Standard Contractual Clauses, or another safeguard or exception permitted by applicable law.

10. How long we keep personal data

We retain personal data only for as long as necessary for the purposes for which it was collected and processed, including for service delivery, security, dispute handling, legal compliance, and legitimate business needs.

Retention may vary depending on the category of data, the relationship involved, legal obligations, contractual needs, security requirements, and whether the data is needed to establish, exercise, or defend legal claims.

11. Security

Spawnback AB applies technical and organizational measures intended to protect personal data against unauthorized access, alteration, disclosure, loss, or misuse.

12. Personal data breaches

If Spawnback AB becomes aware of a personal data breach, we will assess it and take appropriate action.

13. Your rights

Under the GDPR, individuals may have the right to:

  • be informed about how their data is processed;
  • access their personal data;
  • rectify inaccurate or incomplete personal data;
  • erase personal data in certain circumstances;
  • restrict processing in certain circumstances;
  • object to certain processing;
  • receive personal data in a portable format in certain circumstances;
  • not be subject to a decision based solely on automated processing where the GDPR applies.

If you want to exercise your rights, contact Spawnback AB through the contact details published on our official channels. We may ask for additional information to verify your identity where permitted.

14. Automated decision-making

If Spawnback AB does not make decisions based solely on automated processing that produce legal or similarly significant effects, this should be stated clearly. If such processing is used, the GDPR requires meaningful information about the logic involved and the significance and likely consequences for the individual.

15. Complaints

If you believe your personal data has been processed in violation of applicable data protection law, you have the right to lodge a complaint with a supervisory authority. For Sweden, the relevant authority is Integritetsskyddsmyndigheten (IMY).

16. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. Where required, we will provide notice of material changes through our website, service, or account-related communications.

17. Contact

For questions about this Privacy Notice or the way Spawnback AB processes personal data, please contact Spawnback AB at sales@spawnback.com or by post at Prästvägen 12, 246 30 Löddeköpinge.