Privacy Policy

Art. 13 GDPR — Information about the processing of personal data

Last updated: March 2026

1. Controller

AMS Vision AB ("ASPACE Vision")
Org. No: 559517-5950
Birger Jarlsgatan 57, 113 56 Stockholm, Sweden
Privacy contact: privacy@aspace.tech

ASPACE is currently assessing whether a Data Protection Officer (DPO) appointment is required under Art. 37 GDPR. Until this assessment is complete, all data protection inquiries should be directed to privacy@aspace.tech.

2. What personal data we process

When you use the aprivacy compliance portal, we process:

  • Account data (admin users): Name, email address, organisation, profile picture (from Google OAuth)
  • Portal session data (signers): Signer name, title, email, portal progress, step completion timestamps, electronic acknowledgment data
  • Technical data: Browser type, access timestamps, IP address (server logs)

3. Purpose and legal basis

| Purpose | Legal basis | Details |
| --- | --- | --- |
| Provide the compliance portal service | Contractual necessity (Art. 6(1)(b)) | Necessary to deliver the compliance documentation service agreed between ASPACE and the customer organisation |
| Authenticate admin users via Google OAuth | Contractual necessity (Art. 6(1)(b)) | Necessary to provide secure access to the admin interface |
| Record compliance acknowledgments and e-signatures | Contractual necessity (Art. 6(1)(b)) | Processing necessary for the performance of the compliance documentation service between ASPACE and the customer organisation |
| Server logging and security monitoring | Legitimate interest (Art. 6(1)(f)) | IT security, incident detection, and service reliability |

We do not rely on consent as a legal basis for any portal processing. The portal does not use "accept" or "agree" mechanisms to establish lawfulness.

4. Recipients and data sharing

Your data may be shared with:

  • Your organisation: Admin users within your customer organisation can view portal session data and completed compliance packages
  • Google (OAuth provider): Authentication is handled via Google OAuth. Google receives authentication requests and provides account data (name, email, profile picture). Google is an independent controller for authentication data and processes it under its own privacy policy. Transfers to Google are covered by the EU–US Data Privacy Framework (DPF).
  • Infrastructure providers: Server hosting within the EEA

We do not sell personal data or share it with third parties for marketing purposes.

5. International transfers

Google OAuth authentication may involve data transfers to the United States. These transfers are covered by Google's participation in the EU–US Data Privacy Framework (DPF), as recognised by the European Commission's adequacy decision of 10 July 2023. All other processing occurs within the EEA.

6. Retention periods

| Data category | Retention period |
| --- | --- |
| Active portal sessions (unsigned) | 30 days from creation, then expired |
| Completed/signed compliance packages | Duration of the service contract plus 10 years |
| Admin account data | Duration of employment plus 6 months; deleted upon request or account closure |
| Server logs | 90 days |
| Activity logs | 5 years |

These retention periods represent our data management targets. Automated enforcement of retention limits is planned but not yet fully implemented. Data may be retained beyond the stated periods until automated deletion is deployed; manual deletion is available on request.

7. Your rights (Arts. 15–21 GDPR)

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17), subject to our retention obligations
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, contact privacy@aspace.tech. We will respond within 30 days. If we need additional time (up to 60 additional days for complex requests), we will notify you within the initial 30-day period.

8. Automated decision-making (Art. 13(2)(f))

This portal does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

9. Obligation to provide data (Art. 13(2)(e))

Providing your name, email, and title is necessary to use the compliance portal and complete the e-signature process. If you do not provide this data, we cannot deliver the compliance documentation service. There is no statutory obligation to provide data.

10. Cookies, local storage, and PDF generation

This portal uses:

  • Session cookies: Strictly necessary for authentication (NextAuth session cookie)
  • Local storage: Portal progress is saved in your browser's localStorage to preserve your work between sessions. This data stays on your device and is synced to our servers when you save progress.
  • Puppeteer (server-side): PDF documents are generated server-side using Puppeteer (headless Chromium). This processing occurs entirely on our servers; no additional data is collected from your browser for this purpose.

No analytics cookies, tracking pixels, or third-party advertising technologies are used.

11. Supervisory authority

You have the right to lodge a complaint with the Swedish Data Protection Authority:
Integritetsskyddsmyndigheten (IMY)
www.imy.se
Box 8114, 104 20 Stockholm

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our processing activities or legal requirements. Material changes will be communicated through the portal interface. The "Last updated" date at the top indicates the most recent revision.