Privacy policy
Last updated 2022-03-31
Cookies
We use cookies, which are small text files that are stored in the visitor’s browser in order to customize offers and content on our website. On your first visit you will be given the opportunity to choose whether only necessary or more cookies should be used. If you later want to change this choice, you need to clear cookies in your browser settings this is usually possible for individual pages.
Copyright
All material on www.oderland.com is copyrighted by Oderland Webbhotell AB where not otherwise stated. Other brands and products mentioned on our website are probably copyrighted and trademarked by their respective owners.
GDPR / Personal data / Privacy
We take our customers’ privacy seriously and have a strong focus on ensuring that our solutions are as secure as possible and on protecting your personal data.
We process personal data in accordance with the GDPR and the General Data Protection Regulation.
The data controller is Oderland Webbhotell AB who can be reached at support@oderland.se and +4631-3616161 where email is usually the best method of contact for this type of question. We also have a support article with frequently asked questions and answers around GDPR plus links to any documentation you may need and our agreements.
The supervisory authority is Integritetsskyddsmyndigheten (IMY) which can be reached at imy@imy.se +468-6576100 and they can also receive questions and complaints.
The personal data we process about our customers is governed by this Integrity Policy/Personal Data Policy. The personal data our customers in turn choose to process, e.g. in the form of storage, in our services is governed by our Personal Data Processing Agreement (DPA/PUBA).
Other terms and conditions of the Services are governed by our User Agreement (TOS).
De personuppgifter vi behandlar om våra kunder regleras av denna Integritetspolicy/Personuppgiftspolicy. De personuppgifter våra kunder i sin tur väljer att behandla, tex. i form av lagring, i våra tjänster regleras av vårt Personuppgiftsbiträdesavtal (DPA/PUBA).
Övriga villkor för tjänsterna regleras av vårt Användaravtal (TOS).
Processing may also take place in order to comply with legislation or to assist authorities, for example, in the investigation of suspected crime.
Reason for collecting personal data
We collect personal data about our customers in order to deliver our services including support to them and also to share relevant information about our services on a regular basis. For example, we need contact details to know who owns a billing and accounting service. Some services such as domains also need to be registered in public registers such as WHOIS in order to function. We also send out a monthly newsletter with updates on changes and improvements to our services and ways of working.
What legal grounds do we have for processing personal data and how long is the personal data stored?
| Personal details | Continuous thinning | Deletion after closed and paid customer account | Legal basis |
|---|---|---|---|
| Accounting data | No | Yes, 7 years | Legal basis |
| Customer information | No | Yes, 7 years | Agreement |
| Card details | No | Stripe’s legal requirements (USA) | Agreement |
| Issues/Tickets | No | 3 mon (12 mon**) | Consent + balance of interests |
| Chats (External) | 2 mon | 2 mon | Agreement + balance of interests |
| Chats (Internal) | 7 days | 7 days | Agreement + balance of interests |
| Other mail to oderland.se | 0-24 mon** | 0-24 mon*** | Agreement + balance of interests |
| Logs | Up to 3 mon | Up to 3 mon | Agreement |
| Backups | 3 mon ( 12 mon**) | 3 mon (12 mon**) | Agreement |
| Data stored by the customer | No | Yes | Agreement |
** Managed Server
*** Mail containing personal data should first be transferred to the appropriate system, e.g. the case management system, and then deleted, and secondly deleted within 24 months.
WHOIS registry for domain owner information
Information about who owns a domain is stored in a so-called WHOIS registry and until the impact of GDPR rules on this registry is fully investigated, potential personal data is no longer publicly displayed. Negotiations on how WHOIS will be maintained and developed in the future while complying with GDPR continue and you can read about this here. Our customers who want an extra layer of privacy or e.g. are concerned that WHOIS data may become public again in the future can purchase WHOIS protection on the domains that support it.
What personal data we process
These are the data needed to fulfil the purposes specified above. For example, name, email, telephone numbers, addresses and IP numbers. For example, to deliver good hosting with good support and domains, etc.
About the personal data you process
Please note that personal data that you as a customer choose to process in our services are the data controllers themselves and must therefore ensure that their processing is lawful. However, we as a sub-provider also have an obligation in our turn to inform the person we are acting as a sub-provider for if we discover something that we believe violates the GDPR, but it should be noted that we have little ability to monitor this systematically and it will be unique cases where we discover something we feel needs to be reported e.g. in an unrelated support matter.
Be aware that there are visitor statistics logged in web hosting for domains you set up in the service. Learn more about what is logged and how you can delete and turn off logging.
Accounting for suppliers
Modern IT infrastructure relies on a variety of service and software providers. We are fortunate as a hosting provider that we can host much of our vendors’ software ourselves on our own servers in Sweden and thus avoid storing customers’ personal data with an external subcontractor. Here we list the providers where processing of non-anonymised personal data takes place outside our servers. I.e. not the cases where we host the software or where only anonymised metadata is processed.
We already have agreements in place to guarantee our customers’ privacy and personal data with all our suppliers. We already had to move to Standard Contractual Clauses (SCC) specifically for our US software suppliers, but with the Schrems II ruling, we are also not allowing technicians to come in and help us with problems, and in that case we are recreating the problems on a demo server without customer data.
In general, our aim is to carry out as few processing operations as possible and collect as little personal data as possible in order to fulfil our contracts and deliver the services ordered by our customers.
Personal data for WHOIS/Domain Providers concerns e.g. Name and email address. For automated fraud protection and firewalls it concerns e.g. IP number, browser and form data.
Here we list the cases where we do not host the software ourselves and personal data in some form may reach them. Previous providers listed here have been removed to increase clarity of when and where personal data may actually be processed by a subcontractor. They are listed in the format: supplier, country, contract.
- Domains (see paragraph above about WHOIS)
- Traficom (.fi) – Finland – User agreement and personal data policy
- IIS (.se/.nu) – Sweden – User agreement and personal data policy
- RRProxy/Keystems (.com, .org, .net etc. ) – Germany – Subcontracts (DPA)
- Backups
- Hosted on our servers (external technicians are only allowed access to servers where we recover errors without customer data)
- OS and Server
- Hosted on our servers (external technicians are only allowed access to servers where we recover errors without customer data)
- Control panels and page builders
- Hosted on our servers (external technicians are only allowed access to servers where we recover bugs without customer data)
- Payment
- Stripe (Card payment) – USA – Consent and Standard Contractual Clauses with enhanced security measures.
- Security
- MaxMind (Fraud protection) – USA – Consent and Standard Contractual Clauses with enhanced security measures.
- Halon (Spam protection) consists of two parts
- Hosted on our servers (external technicians are only allowed access to servers where we recover bugs without customer data)
- Anonymised metadata is analysed externally (i.e. it is not personal data that is processed)
Enhanced security measures include systematically monitoring suppliers’ security commitments and systematically conducting risk assessments around personal data to these suppliers. In addition, we are ready to replace them in the event of a breach.
How we store data
We strive to do all processing and storage of data and personal data in our data warehouses in Sweden. That said, for some parts of the delivery, modern technology companies need to engage suppliers, some of which we have listed above have processing overseas.
Data transfer is encrypted and staff have time-limited and strictly controlled access permissions and have signed GDPR-compliant confidentiality agreements. No personal data is resold to third parties.
Automated decision making
We use automated decision-making on these occasions:
- To prevent attacks on servers, IP numbers are automatically logged and blocked. So called «firewall«. These are usually temporary blocks and customers can always contact us if they suspect they have been blocked. This makes our customers’ services more secure against attacks.
- Automatic suspension of unpaid services. This protects the customer against invoices building up in the event of business closure and can also be a signal that they need to review their contact details so that they can receive their invoices.
- Emails to and from our servers may be blocked by automatic spam protection. Customers can, of course, contact us if emails are incorrectly caught in the protection.
Right of access, modification and deletion
As a customer, you can contact us at any time to change your details. We will do this without undue delay if possible without violating applicable laws.
You can also access your personal data upon request.
You can withdraw your consent to collection and, if there are no legal obstacles, have your data erased.
For a complete list of rights, see the Privacy Authority’s page.
För en komplett lista av rättigheter se Integritetsskyddsmyndighetens sida.
Personal Data Incident
Personal data incidents, if they involve a risk to the rights and freedoms of data subjects, shall be reported to the regulatory authority without undue delay and at the latest within 72 hours, and Oderland shall inform data subjects if there is a substantial risk that their rights and freedoms may be affected.
Privacy Policy Update
This policy will be updated as necessary to, for example, increase clarity, to reflect changes in suppliers, updated processing operations or to better comply with the law. You can always find the latest version on oderland.se