Safespring is a Swedish cloud infrastructure provider, proudly Swedish owned and operated.
We deliver Public Cloud and Private Cloud services for organisations that require secure, reliable, and high-performance infrastructure. Safespring operates through legal entities in Sweden and Norway and provides services from data centres located within these jurisdictions.
This Privacy Policy describes how Safespring (“we”, “us”, “our”) processes personal data in accordance with:
- General Data Protection Regulation (“GDPR”)
- ePrivacy Directive
- Digital Services Act
- ISO/IEC 27001
1. Data Controller
Data Controller:
Safespring AB
559075-0245
Rättarvägen 3, 169 68 Solna
Sweden
2. Your Rights Under GDPR
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectification (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your national supervisory authority
Contact information
Local Authorities
Sweden
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)
website: https://www.imy.se/
Norway
Norwegian Data Protection Authority (Datatilsynet)
website: https://www.datatilsynet.no/
Denmark
Danish Data Protection Agency (Datatilsynet)
website: https://www.datatilsynet.dk/english
Finland
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
website: https://tietosuoja.fi/en/home
3. Categories of Data Subjects
We may process personal data relating to:
- Website visitors
- Business contacts
- Job applicants
4. Website Privacy
4.1 Purpose of Processing
We process website data for:
- Website functionality and security
- Analytics and performance monitoring
- Campaign effectiveness tracking
- Improvement of user experience
4.2 Categories of Personal Data
We may process:
- IP address (anonymised where technically feasible)
- Device and browser metadata
- Date/time and session data
- Page views and interaction data
- Referrer URLs
- Marketing parameters
- Download/click behaviour
- Error logs
- Session interaction data (if applicable) Where possible, IP addresses are truncated or anonymised immediately upon collection.
4.3 Legal Basis (GDPR Art. 6)
We rely on:
- Art. 6(1)(f) — Legitimate interest (analytics, security monitoring)
- Art. 6(1)(a) — Consent (where required for non-essential cookies or tracking) A documented Legitimate Interest Assessment (LIA) is maintained where required.
4.4 Retention
- Raw analytics and log data: maximum 12 months
Retention periods are defined in accordance with ISO 27001 control requirements for information lifecycle management.
4.5 Cookies and Similar Technologies
We use cookies and similar technologies in compliance with the ePrivacy Directive and GDPR. Cookies may include:
- Strictly necessary cookies
- Functional cookies
- Analytics technologies
- Consent management cookies (read more about our cookies in the Cookies setting)
Where legally required, we obtain prior consent before placing non-essential cookies.
5. Business Contact Data
5.1 Purpose of Processing
We process business contact data for:
- Commercial discussions
- Contract fulfilment
- Customer relationship management
- Surveys and feedback
5.2 Categories of Personal Data
- Name
- Business email
- Business phone
- Title
- Organisation
- Professional profile links
5.3 Legal Basis
- Art. 6(1)(f) — Legitimate interest (B2B communication)
- Art. 6(1)(b) — Contract performance
- Art. 6(1)(a) — Consent (surveys/newsletters)
5.4 Retention
- Active business relationship duration
- Legal retention obligations
6. Recruitment
6.1 Purpose of Processing
Processing job applications and candidate evaluation.
6.2 Categories of Personal Data
- Contact details
- CV and application documents
- Assessment notes
6.3 Legal Basis
- Art. 6(1)(a) — Consent
- Art. 6(1)(b) — Pre-contractual steps
6.4 Retention
- During active recruitment
- Up to 12 months for candidate pooling (unless consent withdrawn)
6.5. Processors and International Transfers
We use subprocessors for specific services.
| Name of Subprocessor | Location of Processing | Corporate Location | DPA |
|---|---|---|---|
| Linkedin – Recuitment | USA. EU operations in Ireland. | USA | https://www.linkedin.com/legal/l/dpa |
Where personal data is transferred outside the EU/EEA:
- Adequacy decisions are relied upon where applicable
Records of processing activities (ROPA) are maintained in accordance with GDPR Art. 30.
7. Information Security Measures
In accordance with ISO/IEC 27001, we maintain an Information Security Management System (ISMS) and apply appropriate technical and organisational measures, including:
- Risk assessment and risk treatment processes
- Access control based on least privilege
- Encryption in transit (TLS)
- Encryption at rest where appropriate
- Logging and monitoring
- Supplier security assessments
- Incident response procedures
- Business continuity planning
- Regular internal audits and management reviews Personal data protection is integrated into our security governance framework.
8. Automated Decision-Making
We do not engage in automated decision-making or profiling within the meaning of GDPR Art. 22, unless explicitly stated and legally permitted.
9. Third-Party Websites
Our website may contain links to third-party websites. When you leave our site, their privacy policies apply. We are not responsible for their data processing practices.
10. Contact Us
If you have any questions about your rights, please feel free to contact us at gdpr@safespring.com
