Gridheart Privacy Policy

    Version 2026-03

    1. Controller and Contact Information

    The controller of your personal data is:

    Gridheart AB
    Org.nr: 556779-9209
    Färögatan 33, 164 51 Kista, Sweden

    For questions regarding this Privacy Policy or the processing of your personal data, please contact us at: privacy@gridheart.com

    2. About This Policy

    This Privacy Policy describes how Gridheart AB ("Gridheart", "we", "us" or "our") collects, uses, stores and shares your personal data when you use our services, visit our website, or interact with us as a partner, customer or prospective customer.

    This Policy applies to all services offered by Gridheart and its affiliates. It does not apply to third-party services accessible through our platform, which are governed by their own privacy policies.

    3. Personal Data We Collect

    3.1 Data You Provide to Us

    When you create a Gridheart account, register as a partner, or contact us, you may provide:

    • Account information: Name, email address, phone number, company name, organization number, and billing address.
    • Payment information: Invoicing details and payment references.
    • Communication data: Information you provide when you contact our support or sales teams, including the content of emails, chat messages and support tickets.

    3.2 Data We Collect Automatically

    When you use our services or visit our website, we automatically collect:

    • Technical data: IP address, browser type and version, device type, operating system, and screen resolution.
    • Usage data: Pages visited, features used, click patterns, session duration, and referral source.
    • Cookie data: Information collected through cookies and similar technologies (see Section 9 below).

    3.3 Data We Receive from Third Parties

    We may receive information from:

    • Our technology vendors and partners, such as license activation data or usage statistics relevant to the services we distribute.
    • Publicly available sources, such as company registries, for business verification purposes.

    4. Purposes and Legal Grounds for Processing

    We process your personal data for the following purposes, based on the legal grounds indicated:

    Purpose Legal Ground (GDPR)
    Providing and managing our services, including the Gridheart Marketplace and partner portal Performance of contract (Art. 6.1(b))
    Managing partner relationships, including onboarding, billing and license provisioning Performance of contract (Art. 6.1(b))
    Providing technical support and troubleshooting Performance of contract (Art. 6.1(b))
    Sending service-related communications (e.g. service updates, security alerts, billing notifications) Legitimate interest (Art. 6.1(f))
    Sending marketing communications about our services and events Consent (Art. 6.1(a)) or Legitimate interest (Art. 6.1(f))
    Improving and developing our services based on usage patterns and feedback Legitimate interest (Art. 6.1(f))
    Ensuring the security and integrity of our systems Legitimate interest (Art. 6.1(f))
    Complying with legal obligations, such as bookkeeping and tax requirements Legal obligation (Art. 6.1(c))
    Establishing, exercising or defending legal claims Legitimate interest (Art. 6.1(f))

    Where we rely on legitimate interest as a legal ground, we have assessed that our interest does not override your rights and freedoms. You may contact us to obtain information about these assessments.

    5. Retention Periods

    We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

    Data Category Retention Period
    Account and partner data Duration of the business relationship plus 12 months, unless longer retention is required by law
    Billing and invoicing data 7 years from the end of the financial year (Swedish Bookkeeping Act)
    Support ticket data 24 months from ticket closure
    Marketing consent records Until consent is withdrawn, plus 12 months for documentation purposes
    Website analytics and cookie data Maximum 26 months
    Server logs (including IP addresses) 90 days

    After the applicable retention period, personal data is deleted or anonymized.

    6. Sharing of Personal Data

    We do not sell your personal data. We share personal data only in the following circumstances:

    • With service providers (processors): We engage trusted third-party service providers to process personal data on our behalf, such as cloud hosting, email services, CRM, accounting and analytics. All processors are bound by Data Processing Agreements in accordance with GDPR Article 28. A list of our current sub-processors is available at gridheart.com/sub-processors.
    • With technology vendors we distribute: When you use services distributed through Gridheart, certain account data is shared with the relevant vendor to enable service delivery. Each vendor acts as an independent controller or processor as described in our Data Processing Terms.
    • With your consent: Where you have given us explicit consent to share your data with a specific party.
    • For legal reasons: Where disclosure is required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property or safety of Gridheart, our partners or the public.
    • In connection with corporate transactions: If Gridheart is involved in a merger, acquisition or sale of assets, your personal data may be transferred as part of that transaction. We will notify affected individuals before personal data becomes subject to a different privacy policy.

    7. International Transfers

    Your personal data may be transferred to and processed in countries outside the EU/EEA. When such transfers occur, we ensure appropriate safeguards are in place, including:

    • EU Commission adequacy decisions for countries deemed to provide an adequate level of protection.
    • Standard Contractual Clauses (SCCs) as adopted by the EU Commission (Decision 2021/914), supplemented by transfer impact assessments where required.
    • EU-US Data Privacy Framework for transfers to certified US organizations, where applicable.

    Information about the locations where our sub-processors operate is available at gridheart.com/sub-processors.

    8. Your Rights

    Under GDPR, you have the following rights regarding your personal data:

    • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
    • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
    • Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations.
    • Right to restriction (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
    • Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used and machine-readable format.
    • Right to object (Art. 21): You may object to processing based on legitimate interest, including direct marketing. If you object to direct marketing, we will cease processing immediately.
    • Right to withdraw consent (Art. 7.3): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
    • Right not to be subject to automated decision-making (Art. 22): We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

    To exercise any of these rights, contact us at privacy@gridheart.com. We will respond within 30 days. If we need more time, we will inform you of the extension and the reasons for it.

    9. Cookies and Similar Technologies

    Our website uses cookies and similar technologies. We use:

    • Strictly necessary cookies to enable core website functionality (no consent required).
    • Analytics cookies (e.g. Google Analytics, Google Tag Manager) to understand how visitors use our website and improve our services. These are set only with your consent.
    • Marketing and tracking cookies (e.g. Pipedrive Web Visitors) to identify companies visiting our website for B2B sales purposes. These are set only with your consent.

    You can manage your cookie preferences through the cookie banner displayed on our website, or through your browser settings. For detailed information about the specific cookies we use, their purposes and retention periods, please refer to our Cookie Policy.

    10. Security

    We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, multi-factor authentication, regular security reviews and staff training. For details, see our Security Measures documentation.

    11. Complaints

    If you believe that our processing of your personal data infringes your rights under GDPR, you have the right to lodge a complaint with a supervisory authority. The Swedish supervisory authority is:

    Integritetsskyddsmyndigheten (IMY)
    Box 8114, 104 20 Stockholm, Sweden
    imy.se
    imy@imy.se

    You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence or place of work.

    12. Changes to This Policy

    We may update this Privacy Policy from time to time. We will not reduce your rights under this Policy without your explicit consent. Material changes will be communicated via email or a prominent notice on our website. We always indicate the date the last changes were published.

    Previous versions:

    • Version 2025-08
    • Version 2018-05