GDPR

Privacy & Cookie Policy

Last updated: 11/07/2026

Data Controller

Note: Company details below are placeholders. They must be set in src/lib/legal-entity.ts before public release — required by GDPR Art. 13(1)(a).

[FÖRETAGSNAMN AB]

Company registration number: [XXXXXX-XXXX]

Address: [Gatuadress, postnummer ort]

Contact: [kontakt@gustifyapp.com]

Data protection enquiries: [dataskydd@gustifyapp.com]

Personal data we collect

  • Name (as you provide it at sign-up)
  • Email address (for login and notifications)
  • Company and role (if you add it to your profile)
  • Hashed password (if you sign up with email)
  • Google account ID (if you sign in with Google)
  • Timestamp of your GDPR consent (for accountability)
  • IP address and browser information (for security logging)

Content you create in the app

Routines, documents, tasks, laws, trainings, notes and other material you put into Gustify is stored under your account. Only you (and, when strictly needed for troubleshooting, our technical staff) can read it.

Why we process your data

To deliver the service (contract), to send reminders and support you request, and to meet legal obligations regarding security and logging. Legal bases: contract (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c)) and, in some cases, legitimate interest (Art. 6(1)(f)).

How long we keep your data

CategoryRetentionLegal basis
Account + content (routines, documents, laws, trainings, etc.)Until you delete your account. Then up to 30 days in encrypted backup.Contract (Art. 6(1)(b))
Email logs (transactional emails sent)90 daysLegitimate interest — troubleshooting and delivery proof (Art. 6(1)(f))
Security and authentication logs12 monthsLegal obligation / legitimate interest — IT security (Art. 6(1)(c), 6(1)(f))
Consent timestamps (GDPR + cookies)As long as the account exists, plus 3 years for accountabilityLegal obligation — burden of proof under Art. 7(1)
Support cases24 months from the most recent messageLegitimate interest — customer support (Art. 6(1)(f))

Subprocessors and international transfers

Gustify uses the following data processors to deliver the service. A Data Processing Agreement (DPA) is in place with each of them. For providers outside the EEA we rely on the European Commission's Standard Contractual Clauses (SCC) and, where available, the EU-US Data Privacy Framework (DPF).

ProviderPurposeLocationTransfer basis
Supabase (via Lovable Cloud)Database, authentication, file storageEU (Frankfurt)
CloudflareCDN, edge runtime, DDoS protectionGlobal (EU edge prioritized)SCC + DPF
ResendTransactional email (welcome, reminders, password reset)USASCC + DPF
Google (OAuth)Sign in with Google account (optional)USASCC + DPF
Lovable AI GatewayAI-powered helper features in the appEU/USA depending on modelSCC

We never sell your data and do not share it with third parties beyond these subprocessors.

Age limit

Gustify is intended for working adults and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you discover that a child under 16 has signed up, contact us at [dataskydd@gustifyapp.com] and we will delete the account.

Your rights under the GDPR

You have the right to access, rectification, erasure, restriction, data portability, and to object to processing. You also have the right to lodge a complaint with your supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (IMY, imy.se). Inside the app you can export and delete all of your data, and withdraw consent, under Settings → Personal data (GDPR). Withdrawing consent is as easy as giving it (Art. 7(3) GDPR).

Cookies and similar technologies

Gustify uses only strictly necessary cookies and local storage — no tracking, analytics, or marketing cookies. We do not load any third-party scripts that set cookies, and nothing is sent to ad networks. Because these cookies are strictly necessary to deliver the service, no separate consent is required under the ePrivacy Directive (2002/58/EC, Art. 5(3)).

KeyTypeCategoryPurpose
sb-*-auth-tokenlocalStoragenecessaryHåller användaren inloggad mellan sidvisningar.
gustify_cookie_consent_v1localStoragenecessarySparar att användaren tagit del av cookie-informationen så att bannern inte visas igen.
gustify.rememberMelocalStoragenecessaryKommer ihåg om användaren valt 'Kom ihåg mig' vid inloggning. Styr om sessionen ligger i localStorage eller sessionStorage.

You can withdraw or update your consent at any time under Settings → Personal data (GDPR).

Security and incident response

All data is encrypted (TLS in transit, AES-256 at rest at our cloud provider). Access to production data is logged and limited to authorized personnel. In the event of a personal data breach, we notify the supervisory authority within 72 hours (Art. 33 GDPR) and inform affected data subjects when required (Art. 34 GDPR).