Privacy Policy

1. Introduction

This privacy policy describes how Inbjuden collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and Swedish law. Christian values your privacy and wants to be transparent about how your data is handled.

2. Data Controller

The data controller responsible for processing your personal data is:

Christian Gauffin
Private individual responsible for Inbjuden
Email: christian@inbjuden.com

3. Personal Data We Collect

Inbjuden collects the following categories of personal data:

4. Legal Basis for Processing

Inbjuden processes your personal data based on the following legal bases:

• • Contract: To provide the service under the user agreement
• • Legitimate Interest: For security, improvements, and marketing
• • Consent: For optional features like newsletters and cookies
• • Legal Obligation: To comply with laws and regulations

5. How We Use Your Data

Inbjuden uses your personal data to:

• • Provide and improve the service
• • Manage your account and authentication
• • Process event registrations and payments
• • Send notifications and communication
• • Ensure platform security and prevent abuse
• • Analyze usage for improvements
• • Comply with legal obligations

6. Data Sharing

Inbjuden shares your personal data only in the following cases:

• • With other users according to your settings (e.g., participant list)
• • With payment service providers for payment processing
• • With technical providers who help Inbjuden run the platform
• • When required by law or to protect Inbjuden's rights
• • With your explicit consent

6B. Personal Data Processors (Subprocessors)

Inbjuden's application, database, and email server are run on own, self-hosted infrastructure within the EU. Beyond this, the following external parties are engaged to process limited personal data for specified purposes:

6A. Child References and Guardian Connections in Groups

When you add a child in Inbjuden, a global child account is not created. Instead, we store a local child profile connected to your account with minimized information, typically first name and possibly birth year. When the child is connected to a school, class, preschool, or activity, we use a separate child reference that only applies within that specific group.

If a child with the same name and birth year already exists in the same group, we display a warning and ask you to actively choose whether it refers to the same child or if a separate reference should be created with a distinguishing group name. The system does not merge child entries automatically based only on name or birth year.

This model is used to fulfill the principles of data minimization, purpose limitation, and data protection by design. We do not show the identity of other guardians in the warning flow. Only what is needed to administer group membership, invitations, and notifications is processed.

• • Children are not treated as full user profiles.
• • Inbjuden does not use personal identity numbers or exact birth dates in this flow.
• • Multiple guardians can explicitly link their own child profiles to the same group reference when it refers to the same child.
• • Invitations and relevant notifications can then be directed to all explicitly linked guardians.

7. Data Retention

Inbjuden retains your personal data only as long as necessary:

• • Account data: Until you delete your account + 30 days
• • Event data: 3 years after the event date for statistics
• • Security logs: 12 months
• • Payment data: 7 years according to the Swedish Bookkeeping Act
• • Support cases: 2 years after closed contact

8. Your Rights

Under GDPR, you have the following rights:

• • Right to information about the processing of your personal data
• • Right to rectification of incorrect or incomplete data
• • Right to erasure ('the right to be forgotten')
• • Right to restriction of processing
• • Right to data portability
• • Right to object to processing
• • Right to withdraw consent
• • Right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY)

9. Cookie Policy

Inbjuden uses cookies and similar technologies to:

• • Keep you logged in and remember your preferences
• • Improve security and prevent fraud
• • Analyze how the service is used
• • Display relevant advertisements (with your consent)

You can manage your cookie settings in your browser or via the cookie settings in Inbjuden.

10. Security

Inbjuden protects your personal data through:

• • Encryption of data in transit and at rest
• • Regular security updates and monitoring
• • Restricted access based on need
• • Regular security testing and audits
• • Incident response processes

11. International Transfers

Your personal data is processed primarily within the EU/EEA. If transfer occurs to a third country, we ensure an adequate level of protection through:

• • European Commission decisions on adequacy
• • Standard Contractual Clauses (SCC)
• • Certifications and codes of conduct

12. Changes to This Policy

Inbjuden may update this privacy policy to reflect changes in practices or legal requirements. Material changes are notified via email or in the service at least 30 days before they take effect.

13. Contact Information

For questions about this privacy policy or to exercise your rights:

Contact person: Christian Gauffin
Email: christian@inbjuden.com

14. Supervisory Authority

You have the right to lodge a complaint with the supervisory authority:

Swedish Authority for Privacy Protection (IMY)
Box 8114
104 20 Stockholm
Sweden
Phone: +46 8 657 61 00
Email: imy@imy.se
Website: www.imy.se