Privacy Policy

1. Introduction

This privacy policy explains how Klarum Technologies AB (“KLARUM”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you visit our website klarum.com, use our platform, or otherwise interact with us.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Swedish Data Protection Act (2018:218), and other applicable data protection legislation.

This policy applies to all individuals whose personal data we process, including:

• Visitors to klarum.com
• Representatives and contact persons of our customers, design partners, and prospective customers
• Representatives of our suppliers and business partners
• Individuals who contact us via email, forms, or other channels

2. Controller

3. Contact Person for Data Protection

If you have any questions about how we process your personal data or wish to exercise your rights, please contact us using the details above.

Given our current size and the nature of our processing activities, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. Should this change, we will update this policy accordingly.

4. What Personal Data We Collect

We process the following categories of personal data:

(a) Contact and identification data

• Full name
• Email address
• Phone number
• Job title and role
• Company/organisation name

(b) Account and platform data

• Login credentials (email, hashed password)
• User preferences and settings
• Activity logs within the platform (e.g. procurement searches, document interactions)

(c) Technical and usage data

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Pages visited, timestamps, and referring URLs
• Cookies and similar tracking technologies (see Section 12)

(d) Communication data

• Content of emails, messages, or support requests you send to us
• Records of communication between us

(e) Business relationship data

• Company information (name, org. number, address)
• Contract and billing information
• Notes and records related to our business relationship

5. How and Why We Process Your Personal Data

6. Legitimate Interests - Balancing Assessment

Where we rely on legitimate interest (Art. 6(1)(f)) as our legal basis, we have carried out a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. Key considerations include:

• In a B2B context, we process business contact data of professionals acting in their professional capacity, which generally has a lower privacy impact than processing personal consumer data.
• We limit data collection to what is necessary for the stated purpose.
• We implement appropriate technical and organisational safeguards.
• We provide clear information and easy mechanisms for you to object.

You have the right to object to processing based on legitimate interest at any time (see Section 11).

7. Sources of Personal Data

We collect personal data from:

• You directly - when you visit klarum.com, create an account, fill in a form, send us an email, or otherwise communicate with us.
• Your employer or organisation - when they set up your user account or provide your contact details in connection with a business relationship.
• Publicly available sources - such as company websites, public registers (e.g. Bolagsverket), and professional networks, for B2B outreach purposes.
• Automatically - through cookies and similar technologies when you visit klarum.com (see Section 12).

8. Recipients and Sharing of Personal Data

We do not sell your personal data. We may share your personal data with the following categories of recipients, only to the extent necessary:

(a) Service providers and sub-processors

We use third-party service providers who process personal data on our behalf under data processing agreements (Art. 28 GDPR). These include:

• Cloud hosting and infrastructure: Vercel, Amazon Web Services (AWS), and Neon - all processing in EU (Frankfurt / Stockholm regions)
• Email and communication services: Google Workspace, Resend
• Customer relationship management: HubSpot
• Payment processing: Stripe
• AI services: Microsoft Azure OpenAI Service (Sweden Central and US regions)

(b) Business partners and design partners

We may share limited data (e.g. names and contact details of platform users) with our customers' organisations to the extent necessary for the provision of our services.

(c) Professional advisors

Such as lawyers, auditors, and accountants, where necessary.

(d) Authorities

We may disclose personal data to government authorities or regulators where required by law.

(e) Corporate transactions

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the relevant party, subject to appropriate safeguards.

9. International Transfers

Your personal data is primarily processed within the EU/EEA. Our cloud infrastructure (Vercel, AWS, Neon) is hosted in EU regions (Frankfurt and Stockholm). However, some of our service providers may process data outside the EU/EEA. Where this occurs, we ensure that appropriate safeguards are in place, specifically:

• Adequacy decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection (e.g. transfers to the United States under the EU-U.S. Data Privacy Framework).
• Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use the European Commission's Standard Contractual Clauses (decision 2021/914) as the transfer mechanism, supplemented by additional technical and organisational measures where necessary.

Current third-country transfers:

• Google LLC (Workspace) - United States - EU-U.S. Data Privacy Framework
• HubSpot Inc. - United States - EU-U.S. Data Privacy Framework
• Stripe Inc. - United States - EU-U.S. Data Privacy Framework
• Resend Inc. - United States - EU-U.S. Data Privacy Framework / SCCs
• Microsoft (Azure OpenAI) - Sweden Central (EU) and US regions - EU-U.S. Data Privacy Framework + SCCs

You may request a copy of the relevant safeguards by contacting us.

10. Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

When retention periods expire, personal data is deleted or anonymised.

11. Your Rights

Under the GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us using the details in Section 2 or 3.

• Right of access (Art. 15) - Obtain confirmation of whether we process your personal data and receive a copy of the data.
• Right to rectification (Art. 16) - Have inaccurate personal data corrected and incomplete data completed.
• Right to erasure (Art. 17) - Request deletion of your personal data where it is no longer necessary, you withdraw consent, or there is no overriding legitimate ground.
• Right to restriction of processing (Art. 18) - Request that we restrict processing in certain circumstances.
• Right to data portability (Art. 20) - Receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object (Art. 21) - Object to processing based on legitimate interest. You also have the right to object at any time to processing for direct marketing purposes.
• Right to withdraw consent (Art. 7(3)) - Where processing is based on your consent, withdraw that consent at any time.
• Right not to be subject to automated decision-making (Art. 22) - See Section 13.

We will respond to your request without undue delay and in any event within one month. Exercising your rights is free of charge.

12. Cookies and Similar Technologies

We use cookies and similar technologies on klarum.com. Cookies are small text files placed on your device that help us provide and improve our services.

• Strictly necessary cookies: Required for the website to function (e.g. session management, security). These do not require consent.

You can manage your cookie preferences through your browser settings.

13. Automated Decision-Making and Profiling

KLARUM is an AI-powered procurement platform. As of the date of this policy:

• We do not use automated decision-making that produces legal effects or similarly significantly affects individuals in the sense of Article 22 GDPR.
• Our AI features assist procurement professionals by analysing procurement documents and data. These provide recommendations and analysis to human decision-makers - they do not make automated decisions about individuals.

If we introduce any automated decision-making that falls under Art. 22 GDPR in the future, we will update this policy and inform affected individuals before such processing begins.

14. Whether Provision of Data Is a Requirement

• Certain personal data (such as name and email address) is necessary to enter into and perform a contract with us.
• Some data collection is required by law (e.g. billing information for accounting purposes).
• Where processing is based on consent, providing data is entirely voluntary.

15. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication requirements
• Regular security reviews
• Sub-processor vetting and data processing agreements

16. Right to Lodge a Complaint

If you are dissatisfied with how we process your personal data, you have the right to lodge a complaint with a supervisory authority.

We encourage you to contact us first so that we can attempt to resolve your concern.

17. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or business operations. When we make material changes, we will publish the updated policy on klarum.com with a new “Last updated” date. We encourage you to review this policy periodically.

18. Contact Us

If you have any questions about this privacy policy or our data processing practices, please contact us: