Data Controller
src/lib/legal-entity.ts before public release — required by GDPR Art. 13(1)(a).[FÖRETAGSNAMN AB]
Company registration number: [XXXXXX-XXXX]
Address: [Gatuadress, postnummer ort]
Contact: [kontakt@gustifyapp.com]
Data protection enquiries: [dataskydd@gustifyapp.com]
Personal data we collect
- Name (as you provide it at sign-up)
- Email address (for login and notifications)
- Company and role (if you add it to your profile)
- Hashed password (if you sign up with email)
- Google account ID (if you sign in with Google)
- Timestamp of your GDPR consent (for accountability)
- IP address and browser information (for security logging)
Content you create in the app
Routines, documents, tasks, laws, trainings, notes and other material you put into Gustify is stored under your account. Only you (and, when strictly needed for troubleshooting, our technical staff) can read it.
Why we process your data
To deliver the service (contract), to send reminders and support you request, and to meet legal obligations regarding security and logging. Legal bases: contract (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c)) and, in some cases, legitimate interest (Art. 6(1)(f)).
How long we keep your data
| Category | Retention | Legal basis |
|---|---|---|
| Account + content (routines, documents, laws, trainings, etc.) | Until you delete your account. Then up to 30 days in encrypted backup. | Contract (Art. 6(1)(b)) |
| Email logs (transactional emails sent) | 90 days | Legitimate interest — troubleshooting and delivery proof (Art. 6(1)(f)) |
| Security and authentication logs | 12 months | Legal obligation / legitimate interest — IT security (Art. 6(1)(c), 6(1)(f)) |
| Consent timestamps (GDPR + cookies) | As long as the account exists, plus 3 years for accountability | Legal obligation — burden of proof under Art. 7(1) |
| Support cases | 24 months from the most recent message | Legitimate interest — customer support (Art. 6(1)(f)) |
Subprocessors and international transfers
Gustify uses the following data processors to deliver the service. A Data Processing Agreement (DPA) is in place with each of them. For providers outside the EEA we rely on the European Commission's Standard Contractual Clauses (SCC) and, where available, the EU-US Data Privacy Framework (DPF).
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase (via Lovable Cloud) | Database, authentication, file storage | EU (Frankfurt) | — |
| Cloudflare | CDN, edge runtime, DDoS protection | Global (EU edge prioritized) | SCC + DPF |
| Resend | Transactional email (welcome, reminders, password reset) | USA | SCC + DPF |
| Google (OAuth) | Sign in with Google account (optional) | USA | SCC + DPF |
| Lovable AI Gateway | AI-powered helper features in the app | EU/USA depending on model | SCC |
We never sell your data and do not share it with third parties beyond these subprocessors.
Age limit
Gustify is intended for working adults and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you discover that a child under 16 has signed up, contact us at [dataskydd@gustifyapp.com] and we will delete the account.
Your rights under the GDPR
You have the right to access, rectification, erasure, restriction, data portability, and to object to processing. You also have the right to lodge a complaint with your supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (IMY, imy.se). Inside the app you can export and delete all of your data, and withdraw consent, under Settings → Personal data (GDPR). Withdrawing consent is as easy as giving it (Art. 7(3) GDPR).
Cookies and similar technologies
Gustify uses only strictly necessary cookies and local storage — no tracking, analytics, or marketing cookies. We do not load any third-party scripts that set cookies, and nothing is sent to ad networks. Because these cookies are strictly necessary to deliver the service, no separate consent is required under the ePrivacy Directive (2002/58/EC, Art. 5(3)).
| Key | Type | Category | Purpose |
|---|---|---|---|
| sb-*-auth-token | localStorage | necessary | Håller användaren inloggad mellan sidvisningar. |
| gustify_cookie_consent_v1 | localStorage | necessary | Sparar att användaren tagit del av cookie-informationen så att bannern inte visas igen. |
| gustify.rememberMe | localStorage | necessary | Kommer ihåg om användaren valt 'Kom ihåg mig' vid inloggning. Styr om sessionen ligger i localStorage eller sessionStorage. |
You can withdraw or update your consent at any time under Settings → Personal data (GDPR).
Security and incident response
All data is encrypted (TLS in transit, AES-256 at rest at our cloud provider). Access to production data is logged and limited to authorized personnel. In the event of a personal data breach, we notify the supervisory authority within 72 hours (Art. 33 GDPR) and inform affected data subjects when required (Art. 34 GDPR).