All legal documents

GDPR Compliance

Effective: 2024-09-22Last updated: 2026-03-19

Adcyma AB (“we”, “us”) takes data protection seriously. We are a Swedish company and our services are built with GDPR compliance as a baseline — not an afterthought. This page explains how we meet our obligations under the EU General Data Protection Regulation (EU 2016/679).

1. Scope

This policy covers all personal data we process — whether it belongs to customers, website visitors, service users, or third parties. It applies to everyone at Adcyma, including employees, contractors, and any third-party providers we work with.

2. Our Data Protection Principles

Everything we do with personal data follows these six principles from Article 5 of the GDPR:

  • Lawfulness, fairness, and transparency — we process data in a way that is legal, fair, and clear to the people it belongs to.
  • Purpose limitation — we collect data for specific, stated reasons and do not use it for anything else.
  • Data minimization — we only collect what we actually need.
  • Accuracy — we keep data correct and fix errors when we find them.
  • Storage limitation — we do not keep data longer than necessary.
  • Integrity and confidentiality — we protect data with appropriate security measures.

3. Legal Basis for Processing

We process personal data under one or more of the following legal bases:

  • Contract — processing is necessary to deliver our services to you.
  • Legitimate interest — processing is in our legitimate business interests, balanced against your rights (for example, basic analytics to improve the product).
  • Legal obligation — we need to process data to comply with the law (for example, accounting and tax requirements).
  • Consent — where none of the above apply, we ask for your explicit consent.

4. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data and receive a copy of it.
  • Correct inaccurate or incomplete data.
  • Delete your data (the “right to be forgotten”), where there is no legal reason for us to keep it.
  • Restrict how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Not be subject to automated decisions — you can request human review of any automated decision that significantly affects you.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

5. Data Security

We protect personal data with a combination of technical and organizational measures:

  • All data is encrypted in transit (TLS) and at rest.
  • Access to personal data is limited to authorized personnel on a need-to-know basis.
  • Our infrastructure is hosted in Germany on Hetzner, within the EU.
  • We have procedures in place for detecting, reporting, and investigating data breaches.

6. Data Retention

We keep personal data only as long as there is a valid reason to do so — whether that is to provide our services, meet legal requirements, or resolve disputes. When data is no longer needed, we delete or anonymize it.

7. Subprocessors

We use a small number of third-party services to run our platform. Each one is bound by a data processing agreement, and we have chosen providers that keep data within the EU wherever possible. The full list is available on our subprocessors page.

8. International Data Transfers

We keep data within the EEA by default. Our infrastructure is hosted in Germany, and we use EU data regions for our subprocessors where available. For the limited cases where data may leave the EEA (for example, Microsoft 365 with global data residency), we rely on EU-approved Standard Contractual Clauses to ensure adequate protection.

9. Data Breach Notification

If we discover a breach that is likely to affect your rights, we will notify the relevant supervisory authority within 72 hours. If the breach poses a high risk to you personally, we will notify you directly as well.

10. Accountability

We maintain records of our processing activities and conduct data protection impact assessments where required. We regularly review our practices to make sure they hold up.

11. Changes to This Policy

We may update this policy from time to time. Any significant changes will be communicated by email. The latest version is always available on this page.

12. Contact

If you have questions about how we handle your data, or if you want to exercise any of your rights, contact us at [email protected].