Smultron Studio – AI & Automation

  • Svenska
    • English (UK)

Privacy Policy

Last Updated: 2025-05-05

Smultron Studio AB (”we,” ”us,” or ”our”) is committed to protecting the privacy of visitors to our website www.smultronstudio.com and individuals who use our contact form or booking system, as well as our clients. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable Swedish data protection laws.  

1. Data Controller

The data controller responsible for the processing of your personal data is:

Smultron Studio AB (559437-9751)
Gamla Tingstadsgatan 38C
42244 Hisings Backa, Sweden
Email: privacy@smultronstudio.com

2. Personal Data We Collect

We collect personal data in the following ways when you interact with our website, communicate with us, or become a client:

  • Information you provide directly:
    • When you use our contact form, you may provide your name, email address, company name, and any additional information you choose to include in the booking form regarding your needs or project.
    • When you use our booking system, you provide your name, email address, company name, and any additional information you choose to include in the booking form regarding your needs or project.
    • When you communicate with us via email or digital meetings, information exchanged may include your name, email address, company details, and the content of the communication.
    • When you become a client, we collect necessary information for contracting, invoicing, and service delivery, which may include contact details, company information, project details, and billing information.
  • Information collected automatically:
    • Website Usage Data (via Umami): We use self-hosted Umami analytics to collect anonymous or pseudonymized data about how visitors use our website. This typically includes information such as the pages visited, duration of visit, referring sources, and device information. As Umami is self-hosted, this data remains under our control. Umami is primarily used for understanding website traffic patterns in aggregate and does not typically collect personally identifiable information in a way that directly identifies you as an individual user, beyond potentially a transient IP address used for geographic location approximation before anonymization.
    • Hosting Logs: Our hosting provider, Miss Hosting AB, may collect standard server logs which can include IP addresses, browser types, and access times for security and operational purposes.

3. Purpose and Legal Basis for Processing

We process your personal data for the following purposes and based on the following legal grounds under the GDPR:  

  • To respond to your inquiries and communication: When you contact us via the contact form, email, or during meetings, we process your data to respond to your questions and provide information about our services.
    • Legal Basis: Our legitimate interest in communicating with potential clients and responding to inquiries (Art. 6(1)(f) GDPR).
  • To manage and schedule your bookings: When you book a meeting, we process your data to confirm, schedule, and manage your appointment.
    • Legal Basis: Steps taken at your request prior to entering into a potential contract, or our legitimate interest in managing our business appointments (Art. 6(1)(b) or Art. 6(1)(f) GDPR).
  • To follow up on potential business opportunities: If your inquiry or booking indicates a potential need for our services, we may store your contact and company details in our CRM system for follow-up purposes.
    • Legal Basis: Our legitimate interest in business development and pursuing potential client relationships (Art. 6(1)(f) GDPR). We ensure this processing is balanced against your data protection rights.
  • To provide our services to you: If you become a client, we process your data to deliver the contracted services, manage the project, and communicate with you.
    • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
  • For invoicing and accounting: We process necessary data to issue invoices and manage our accounting records.
    • Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR – e.g., accounting laws in Sweden) and performance of a contract (Art. 6(1)(b) GDPR).
  • To improve our website and services: We use website usage data to understand how our website is used, identify areas for improvement, and enhance the user experience.
    • Legal Basis: Our legitimate interest in analyzing website performance and improving our online presence (Art. 6(1)(f) GDPR).
  • To comply with legal obligations: We may process your data when required by law, such as for accounting, tax, or other regulatory purposes.
    • Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).

4. Sharing Your Data

We may share your personal data with the following categories of third parties who act as data processors on our behalf or are necessary for business operations:

  • Cal.com: Used for scheduling and managing meetings. Data provided during booking is processed by Cal.com. Please refer to Cal.com’s own privacy policy for details on how they process your data. Note that Cal.com is based in the USA, which involves transferring your data outside the EU/EEA. Cal.com is responsible for ensuring appropriate safeguards for such transfers.
  • Miss Hosting AB: Used for website hosting services, who processes data as necessary to provide hosting services. Data is processed within the EU/EEA.
  • Cloudflare Inc: Used for website hosting services, who processes data as necessary to provide hosting services. Data may be processed on servers located outside the EU/EEA.
  • Google (Google Workspace): We use Google services for email (Gmail), digital meetings (Google Meet), and administrative purposes (e.g., documents, spreadsheets). This involves processing your personal data as part of our standard business communication and operations. Google acts as a data processor for us. Data may be processed on servers located outside the EU/EEA, and Google provides GDPR-compliant safeguards, including Standard Contractual Clauses (SCCs). Please refer to Google’s privacy policy for more information.
  • Stripe Inc: We use Stripe to handle credit card payments, we do not process any credit card information outside of Stripe. Please refer to Stripes privacy policy for more information on their data processing.
  • SpeedLedger AB: We use SpeedLedger for invoicing and accounting purposes. Data necessary for creating and managing invoices, as well as for accounting records, is processed through SpeedLedger. SpeedLedger acts as a data processor for us.
  • Legal and Professional Advisors: We may share data with our accountants, lawyers, or other professional advisors when necessary.
  • Law Enforcement and Authorities: We may disclose your data if required by law or in response to valid requests by public authorities.
  • Client Delivery Specific Processors: For specific client projects, the delivery of services may require the use of additional third-party tools or platforms (e.g., specific AI services, automation tools, project management software) which may involve processing your data or your clients’ data. When a client delivery necessitates processing activities by third parties not listed here, we will provide a separate Data Processing Agreement (DPA) outlining the specific data processing arrangements and responsibilities when signing the contract for such services.

We enter into data processing agreements or rely on existing GDPR-compliant terms (like those provided by Google) with our data processors to ensure they process your data in accordance with GDPR and our instructions.

5. International Data Transfers

As mentioned above, some of our third party providers may involve the transfer of your personal data to the United States and potentially other countries outside the EU/EEA where these providers operate. We rely on these providers to implement appropriate safeguards for such international transfers in accordance with GDPR requirements, such as Standard Contractual Clauses (SCCs).

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.  

  • Information from inquiries and bookings that do not lead to a client relationship may be stored in our CRM for follow-up purposes for up to 18 months, unless you request earlier deletion.
  • If you become a client, we will retain your data for the duration of our business relationship and for a period thereafter as required by law or for legitimate business purposes.
  • Data processed for invoicing and accounting through Speedledger is retained according to applicable accounting laws.
  • Website usage data is retained according to our analytics configuration, focused on historical traffic analysis rather than individual tracking.

7. Your Data Protection Rights  

Under the GDPR, you have the following rights regarding your personal data:

  • Right to Access: You have the right to request a copy of the personal data we hold about you.  
  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.  
  • Right to Erasure (”Right to be Forgotten”): You have the right to request that we delete your personal data under certain conditions.
  • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain conditions.  
  • Right to Object to Processing: You have the right to object to our processing of your personal data, particularly where we process it based on our legitimate interest.
  • Right to Data Portability: You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.  
  • Right to Withdraw Consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Note that for most processing described herein, we rely on legitimate interest, performance of a contract, or legal obligation, not consent.  

To exercise any of these rights, please contact us using the contact details provided in Section 1 of this policy. We will respond to your request in accordance with GDPR.

8. Cookies and Tracking Technologies

Our website uses Umami for web analytics. Umami is self-hosted and focused on collecting aggregated website usage statistics.

We do not use cookies or other tracking technologies on this website for analytics or marketing purposes that require your explicit consent. Any cookies that may be present are strictly limited to those that are essential for the basic technical functioning of the website itself.

9. Security Measures  

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction.  

10. Changes to This Privacy Policy  

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will post any changes on this page and update the ”Last Updated” date at the top of the policy. We encourage you to review this Privacy Policy periodically.