Privacy Policy
Last updated: March 23, 2025
1. Introduction
Valigate AI AB (“Valigate”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use and safeguard that information, and your rights in relation to it. It applies to the use of our website (valigate.io) and any related products or services we offer (collectively, our “Services”). Our Services are intended for business and enterprise clients, typically professionals in media and marketing departments. By using our website or Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms, please do not use our Services.
2. Data We Collect
We collect various types of personal data from you when you interact with Valigate’s website or Services. This includes information you provide directly, information collected automatically, and information from third-party tools:
- Contact and Identity Information: When you fill out forms or register an account, we collect information such as your name, work email address, company name, job title, phone number, and other basic contact details. This also includes any information you provide if you contact us for support or inquiries.
- Account Credentials: If you create an account or log in to our Services (which is handled via our authentication provider Auth0), we collect login credentials like username or email and password (stored in encrypted form) or other authentication tokens.
- Payment and Billing Information: If you purchase our services or subscribe to paid features, we (or our payment processor) collect payment details. This may include billing name and address, credit card or other payment information, and transaction history.
- Usage Data and Website Activity: We gather data about how you use our website and Services. This includes analytics information such as the pages you visit, the features you use, the time and date of your visits, and your navigation patterns. We may collect website traffic data like your IP address, browser type, device identifiers, and operating system.
- Cookies and Tracking Data: We use cookies and similar tracking technologies (e.g. web beacons, pixels, and local storage) to collect information about your interactions with our site. These technologies may record details such as your browsing behavior, preferences, and login status. (See Cookies and Tracking Technologies below for more details.)
- Marketing and Communications Data: This includes your preferences in receiving marketing communications from us (e.g. newsletter sign-ups or opt-outs) and information about your responses to our marketing (such as email open rates or link clicks, if applicable). We may also collect feedback you provide through surveys or user research.
- Third-Party Provided Data: We may receive certain information about you from third-party services. For example, if you log in via our authentication provider or if we use analytics or advertising partners, those services might send us information such as an anonymized user ID or aggregated demographic data. We only use such third-party data in accordance with this policy and applicable law.
Note: We do not collect any sensitive personal data (such as social security numbers, racial or ethnic origin, health information, etc.) unless you voluntarily provide it to us for a specific purpose. We only collect the personal data that is necessary for the purposes described in this Privacy Policy.
3. How We Use Your Personal Data
Valigate uses the collected data for the following purposes, all in line with providing and improving our Services for our business clients:
- Providing and Improving Services: We use your personal information to operate our Services and deliver the features you request. For example, we use contact and account information to set up and maintain your user account, authenticate you via Auth0, and provide you with access to the Valigate platform. We also use usage data and feedback to monitor performance, fix issues, and continually improve our website and Services.
- Customer Support and Communications: We process personal data when you reach out to us with questions, support requests, or feedback. This allows us to respond to your inquiries, provide technical assistance, and ensure a high quality of service. We may also send you important administrative or service-related emails (e.g. updates about your account, security alerts, or changes to our terms).
- Processing Payments: If you are a paying customer, we use your payment and billing information to process subscription fees or other transactions, provide invoices, and keep proper financial records. Payment information may be handled by our authorized payment processors on our behalf, solely for payment processing purposes.
- Marketing and Newsletters: Where permitted, we use your contact details (such as work email) to send promotional materials, product updates, newsletters, or event invitations that we believe may be relevant to you in a professional context. These communications will be sent in accordance with applicable marketing laws, and you can opt out of marketing emails at any time.
- Analytics and Personalization: We use cookies and third-party analytics tools (like Google Analytics) to understand how users engage with our website, which helps us analyze trends, track the effectiveness of campaigns, and tailor our content. This usage data enables us to make informed decisions about enhancements and to customize your experience (for example, remembering your preferences).
- Security and Fraud Prevention: Your information is used to help keep our Services secure. We may use data (such as IP addresses and login activity) to detect, prevent, and respond to potential fraud, unauthorized access, or illegal activities. This includes enforcing our terms of service and protecting the rights and safety of Valigate, our users, and others.
- Legal Compliance: In certain cases we must process personal data to comply with legal obligations. For instance, we may retain and use some information for tax reporting, accounting requirements, or responding to lawful requests by public authorities (such as law enforcement or regulatory agencies).
We will not use your personal data for purposes that are incompatible with the ones listed above without first obtaining your consent or unless required or permitted by law. If we plan to process your information for a new purpose, we will update this Privacy Policy or otherwise inform you and, if necessary, request your consent.
4. Legal Bases for Processing
Under the EU General Data Protection Regulation (GDPR), we rely on the following legal grounds to process your personal data:
- Performance of a Contract: Most of our data processing is based on necessity to fulfill our contract with you (or your employer). When you sign up for or use Valigate’s Services, we must process your account data, payment information, and other details to provide the service you requested (GDPR Article 6(1)(b)).
- Legitimate Interests: We process certain data as needed for purposes of our legitimate interests, provided those are not overridden by your data protection rights. These legitimate interests include: improving and securing our Services; understanding how our Services are used; communicating with business contacts; and marketing to existing or potential enterprise customers in a B2B context (GDPR Article 6(1)(f)). We only rely on this basis after considering the impact on your privacy and performing any required balancing tests. For example, when we use analytics to improve user experience, we do so under legitimate interest in delivering a better product.
- Consent: In some situations, we ask for your consent to process data. For instance, if we send you certain marketing emails, place non-essential cookies, or publish a customer testimonial with your personal information, we do so based on your consent (GDPR Article 6(1)(a)). Where processing is based on consent, you have the right to withdraw it at any time. For example, you can unsubscribe from our marketing communications by following the link in any promotional email or adjusting your preferences.
- Legal Obligation: We will process personal data when necessary to comply with a legal obligation to which we are subject (GDPR Article 6(1)(c)). This can include retaining transaction records for tax and accounting compliance, or disclosing information when required by law (such as responding to a court order or regulatory inquiry).
In some cases, more than one legal basis may apply to the same piece of personal data (for example, we may retain invoice data both to perform our contract with you and to satisfy legal record-keeping requirements). We will always ensure we have an appropriate legal basis to process your personal data. If you have questions about the specific legal basis for any processing of your personal data, feel free to contact us.
5. Cookies and Tracking Technologies
Like most websites and cloud services, we use cookies and similar tracking technologies to collect and use personal data about visitors to our site. Cookies are small text files placed on your device that help us recognize you on subsequent visits, keep you logged in, and understand usage patterns. We use cookies for several reasons:
- Essential Cookies: Some cookies are necessary for our website and Services to function properly. For example, when you log in through Auth0, cookies (or similar technologies like secure tokens) maintain your session so you don’t have to re-enter your credentials on every page. These are required for security and user authentication.
- Analytics Cookies: We use analytics tools, including Google Analytics, which set cookies to gather information about site traffic and user interactions. This data helps us analyze how our website is used (e.g., which pages are most visited, how users navigate between pages) so we can improve the Service. Google Analytics may collect information such as your IP address, browser type, and pages visited on valigate.io. We have configured Google Analytics to anonymize IP addresses and we do not allow Google to use or share our analytics data for unrelated purposes.
- Preference and Functionality Cookies: These cookies remember your preferences and settings to provide a more personalized experience. For instance, they might recall your language selection or other customizations so you don’t have to set them each time.
- Advertising/Marketing Cookies: Valigate does not currently serve third-party advertisements on our site, but we may use cookies or pixels from platforms like LinkedIn or Google Ads in the future to measure the effectiveness of our own marketing campaigns. Such cookies would only be used to track conversions or reach relevant audiences and would not involve selling your data to advertisers.
When you first visit our website, you will be presented with a notification about our use of cookies. Where required by law, we will obtain your consent for non-essential cookies. You can manage or delete cookies at any time through your browser settings. Please note that if you disable certain cookies, some features of our site or Services may not function correctly (for example, you may not be able to stay logged in).
We also may use other tracking technologies like web beacons (clear image files) or local storage in conjunction with cookies. This helps us collect usage statistics and improve our communications. For example, our marketing emails may contain a tiny pixel that lets us know if an email was opened. You can typically disable images in your email if you do not wish to share that information.
For more detailed information about the cookies and tracking technologies we use, and your choices regarding them, please refer to our Cookie Notice (if available) or contact us with any questions.
6. Data Sharing and Third-Party Processors
We treat your personal data with care and confidentiality. We do not sell or rent your personal information to third parties. However, we do share certain data with trusted third parties in order to operate our business and provide our Services to you. These third parties only process your data on our behalf and under our instructions (as “data processors”), or in some cases as separate controllers for specific services, and we ensure they are bound to strict data protection obligations. The key instances where we share your data include:
- Cloud Hosting (Microsoft Azure): Our applications and databases are hosted on Microsoft Azure cloud servers located in the EU. All data you provide to Valigate (including account information and any content entered into our platform) is stored on Azure’s secure data centers. Microsoft acts as our data processor, and we rely on Azure’s robust security measures and compliance with EU data protection standards.
- User Authentication (Auth0 by Okta): We use Auth0, a user identity management service provided by Okta, to handle user sign-ups, logins, and authentication. When you log in or register, your credentials are processed by Auth0. Auth0 may store your username, password (encrypted), and other profile details needed for authentication. Auth0 acts as a processor, and we have ensured that it complies with GDPR and keeps your login data secure. This service helps us manage user accounts safely without storing plaintext passwords in our systems.
- Analytics (Google Analytics): As noted, we use Google Analytics to track website usage metrics. Google LLC may process certain limited personal data (like online identifiers and browsing info) for analytics on our behalf. We have configured Google Analytics to use EU-based servers where possible and enabled privacy features. Google acts as a data processor for us in this context, and we’ve accepted the EU Standard Contractual Clauses to safeguard any data that might be transferred to the U.S. (See International Data Transfers below for more on data location.)
- Payment Processing: If you make payments to us (e.g. for a subscription), we will share the necessary billing information with our third-party payment processor (for example, this could be a platform like Stripe, Braintree, or a banking service). Such processors are responsible for handling your credit card or bank information securely in accordance with industry standards (like PCI-DSS for card payments). They only use your payment data to process transactions and will store payment details (e.g. card token, billing address) as needed for recurring billing and compliance purposes. We do not store full payment card numbers or sensitive financial account data on our own servers.
- Email and Communications Tools: We may use third-party email service providers (for instance, services like SendGrid, Mailchimp, or Microsoft 365 Outlook) to send out service emails or newsletters. In doing so, we provide your email address and sometimes your name to these providers solely for the purpose of delivering our communications to you. These providers are not permitted to use your information for any other purposes.
- Business Partners and Subcontractors: In certain cases, we may share data with other vendors or subcontractors who assist us in providing the Services. For example, this could include IT support services, analytics or marketing consultants, or customer relationship management (CRM) platforms that organize customer contact information. Any such partners are bound by confidentiality and data protection agreements. They will only process personal data as needed to perform their functions and must not use it for other purposes.
- Legal and Compliance: We might disclose personal data to third parties (such as advisors, auditors, law enforcement agencies, or regulators) if required to do so by law or a valid legal process. For instance, if we receive a subpoena or a lawful request from authorities, or need to enforce our contractual terms or protect our rights, we may share data as necessary. We will ensure any request is legitimate and only disclose the minimum data necessary to comply with the law.
In all cases of data sharing, we evaluate our third-party providers carefully and ensure that they have committed to protecting your personal data. We have Data Processing Agreements in place with our vendors where required, and they must implement appropriate technical and organizational measures to safeguard the data. If any third-party service involves transferring personal data outside of the EU/EEA, we will ensure adequate protection is in place (as described in the next section).
7. International Data Transfers
Valigate is based in Sweden, and we aim to store and process personal data within the European Union/European Economic Area (EU/EEA) whenever possible. We do not ordinarily transfer your personal data to countries outside the EU/EEA. Our primary servers and infrastructure (such as Microsoft Azure’s data centers and our databases) are located in the EU, meaning that the personal data you provide is kept within Europe.
However, some of our third-party service providers might be headquartered outside the EU or may sub-process data in non-EU regions. For example, our authentication provider (Auth0/Okta) and analytics provider (Google) are U.S.-based companies. In cases where any personal data is transferred or accessed outside the EU/EEA (for instance, in the United States), we take steps to ensure your data receives an adequate level of protection as required by GDPR. These safeguards include:
- EU Standard Contractual Clauses (SCCs): We have agreements incorporating the European Commission’s approved Standard Contractual Clauses with non-EU service providers, obligating them to protect EU personal data according to EU standards.
- Adequacy Decisions: When available, we rely on official adequacy decisions (i.e., recognition that a non-EU country’s laws provide sufficient data protection). If a service provider is in a country with an adequacy decision by the EU Commission, transfers to that country are permitted.
- Additional Security Measures: We encourage or require providers to implement additional encryption and access controls. For instance, data sent to third parties might be encrypted in transit and at rest, and we work with vendors who offer EU data center options or pseudonymization of personal data to minimize exposure.
By using our Services or submitting your information to us, you acknowledge that your personal data might be processed in a non-EU country in the above-described scenarios. We will always strive to minimize such transfers and will inform you if a significant change requires transferring more of your data abroad. Your rights and protections travel with your data. This means that no matter where your data is processed, we will uphold the same high level of protection as mandated by EU law.
If you have questions about cross-border data transfer or want more information about the specific safeguards in place, please contact us (see Contact Information below).
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal or contractual obligations. Retention periods will vary depending on the type of data and the context of processing:
- Account Information: If you have an account with Valigate, we will keep your account data while you are an active user. If you or your employer terminates your relationship with Valigate or your account is deactivated, we will generally delete or anonymize personal data associated with the account after a set period. In most cases, core account data will be removed within a reasonable time (for example, within 30–90 days) after you cancel your Services or your account becomes inactive.
- Customer Service Communications: Records of communications with you (such as emails or support tickets) are retained as long as needed to resolve your inquiry and for a short period thereafter in case of follow-up issues. We may keep these records longer if needed to establish or defend legal claims.
- Marketing Data: We retain information like your email address for sending newsletters or updates until you unsubscribe or otherwise opt out of marketing. Once you opt out, we will stop sending you marketing messages, but may keep your contact information on a suppression list to ensure we honor your opt-out going forward.
- Analytics Data: Usage data collected via cookies and similar technologies may be retained in our analytics tools for varying periods (for instance, Google Analytics retains non-identifiable data for a period such as 14 months or as configured). This data is generally aggregated and not directly tied to an identifiable person after a short time, but we follow recommended retention settings to avoid storing it longer than necessary.
- Payment and Transaction Records: We keep payment records and invoices as long as required under Swedish accounting and tax laws. Typically, financial records must be retained for seven (7) years (or as mandated by local law) for audit purposes. During this time, your payment data will be securely stored and protected.
- Legal Compliance and Legitimate Use: In certain situations, we may need to retain data for longer periods if required by law or if necessary for legitimate business interests, such as security, fraud prevention, or handling any possible disputes. For example, if we believe an account was used fraudulently, we might retain relevant data to investigate and prevent future fraud. Also, if required by a governmental order or in litigation, we would retain data as needed for evidence.
After the applicable retention period has ended, or upon your valid request for erasure (and no other lawful basis for retention applies), we will securely delete or irreversibly anonymize your personal data. We use proper techniques to ensure data is completely removed from our systems or retained only in a form that does not identify you. Backup copies may persist for a short duration until rotated out of our backup systems, but we have processes to eventually purge those as well.
9. Data Security
We take data security seriously at Valigate. We have implemented a variety of technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Secure Infrastructure: Our Services are hosted on Microsoft Azure, which provides state-of-the-art security protections including firewalls, intrusion detection systems, and regular security updates. We leverage Azure’s security features such as data encryption at rest and in transit to safeguard our databases and servers.
- Encryption: All data transmitted between your browser and our website is encrypted using HTTPS/TLS protocols. This means personal data (like login credentials or form submissions) is encrypted while in transit. We also encrypt sensitive data at rest (for example, passwords are hashed and not stored in plaintext, and any payment information stored by us or our payment providers is encrypted).
- Access Controls: Access to personal data within our organization is restricted on a need-to-know basis. Only authorized personnel who require access to your data to perform their job (for example, customer support or engineers performing maintenance) are allowed to view it. We employ role-based access controls and multi-factor authentication for our internal systems to prevent unauthorized access.
- Monitoring and Testing: We monitor our systems for potential vulnerabilities and attacks. Regular audits, security assessments, and penetration testing are performed to evaluate the strength of our security measures. If any weaknesses are identified, we address them promptly. We also maintain up-to-date antivirus and threat-detection tools on our systems.
- Secure Development Practices: Our engineering team follows secure coding guidelines and best practices. Changes to our software are reviewed and tested before deployment to minimize bugs that could affect security. We also keep our software frameworks and libraries updated to patch known security issues.
- Data Minimization: We collect and retain only the personal data that is necessary for our purposes, which helps reduce the risk to you. Any particularly sensitive information (if ever provided) is given special protection or promptly deleted if not needed.
- Incident Response: In the unlikely event of a data breach or security incident involving your personal data, we have a detailed incident response plan. This plan includes notifying affected users and the appropriate supervisory authorities within the timeframe required by law, and taking steps to mitigate any potential harm.
While we strive to protect your information, please note that no method of transmission over the Internet or electronic storage is 100% secure. We thus cannot guarantee absolute security. It is also important for you to play a part in keeping your data safe. Please use a strong, unique password for your Valigate account and do not share it with others. Always log out and close your browser after you finish using the Services, especially on a shared or public device. If you suspect any unauthorized access to your account or any security vulnerabilities, notify us immediately so we can assist.
10. Your Rights Under GDPR
As an individual in the European Union (or in other jurisdictions with similar data protection laws), you have certain rights regarding your personal data that we hold. Valigate is committed to respecting these rights and has processes in place for you to exercise them. Your principal rights under the GDPR include:
- Right of Access: You have the right to request confirmation whether we are processing your personal data, and if so, to obtain a copy of the personal data we hold about you. We will also provide supplementary information about the processing (such as the purposes, categories of data, and recipients) to ensure you have transparency.
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct it. Upon your request, we will promptly update or rectify any incorrect information. For example, if you change your work email or spot a typo in data we have on file, you can have it corrected.
- Right to Erasure: Also known as the “right to be forgotten,” this allows you to request that we delete your personal data. You can exercise this right in certain circumstances — for instance, if the data is no longer needed for the purposes it was collected, or if you withdraw consent and we have no other legal basis for processing. We will honor valid erasure requests by deleting or anonymizing your data, except where retention is required by law or compelling legitimate interests (we will inform you if this is the case).
- Right to Restrict Processing: You have the right to ask us to suspend the processing of your personal data in certain scenarios. For example, if you contest the accuracy of the data or have objected to processing (see below), you can request the data be “frozen” (no further processing) while we address your concern. When processing is restricted, we can still store your data but will not use it until the issue is resolved (except for certain exempt purposes like legal claims).
- Right to Data Portability: For data that you have provided to us and that we process by automated means based on your consent or to perform a contract, you have the right to receive that data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible. In plain terms, this allows you to take your personal data to another service provider if you decide to switch services.
- Right to Object: You have the right to object to our processing of your personal data when the processing is based on our legitimate interests or on public interest grounds. If you object on such grounds, we will cease processing your data unless we have a compelling legitimate reason that overrides your rights or if we need to continue processing for legal reasons. Importantly, you also have an unconditional right to object to your personal data being used for direct marketing purposes. If you object to marketing, we will stop using your data for that purpose immediately.
- Right to Withdraw Consent: Where we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other legal bases. If you withdraw consent for a particular service or communication, we will inform you of any consequences (for example, if it means we cannot provide certain features to you).
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or have handled your personal data improperly, you have the right to file a complaint with a supervisory authority (data protection regulator). Valigate is established in Sweden, so our lead supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). You may contact the IMY or your local EU data protection authority. We encourage you to contact us first, however, so we can address your concerns directly.
To exercise any of your rights, you can reach out to us via the contact details provided below (Contact Information). We will respond to your request as soon as possible, and in any event within the timeframe required by law (generally, within one month). Please note that to protect your privacy, we might need to verify your identity before fulfilling certain requests (such as providing access to your data or deleting it). This is to ensure that personal data is not disclosed to someone who is not entitled to receive it.
There may be conditions or limitations to these rights under applicable law; for example, if fulfilling a request would reveal personal data about another person or if you ask us to delete information which we are required by law to keep. If any such limitations apply, we will inform you in our response. Rest assured, we will not discriminate against you for exercising any of these rights.
11. Children’s Privacy
Our website and Services are not directed to children, nor do we knowingly collect personal information from individuals under the age of 16. Valigate is a B2B service intended for use by adult professionals in a business context. We do not target or market our Services to minors. If you are under 16 (or the age of majority applicable in your country), please do not use Valigate’s Services or provide any personal data to us.
If we become aware that we have inadvertently collected personal information from a child under 16 without proper consent, we will take steps to delete such information as soon as possible. Parents or guardians who believe that we might have information about a minor can contact us, and we will ensure that the data is removed from our systems.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the revised Privacy Policy on our website and update the “Last updated” date at the top of this policy. If the changes are significant, we may also notify you by email or through a notice on our homepage, prior to the change becoming effective, and where required by law we will obtain your consent to these changes.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or Services after any updates to this policy will constitute acknowledgment and (if applicable) acceptance of those changes. If you do not agree with any changes to the Privacy Policy, you should stop using our Services and contact us if you wish to have your data removed.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or how Valigate handles your personal data, please do not hesitate to contact us.
- Data Protection Contact Email: You can reach our privacy team at security@valigate.io. This is the dedicated email for all data protection inquiries, such as questions about your data, requests to exercise your rights, or reports of a potential privacy issue.
- Postal Address: Valigate AI AB, Nioörtsvägen 28A, 12632 Hägersten, Stockholm, Sweden. Attn: Data Protection Officer/Privacy Team.
We will be happy to assist you and will strive to address any concerns you have about your privacy or how we handle personal data. If you contact us to exercise your GDPR rights, please provide sufficient information for us to verify your identity and understand your request. We may need to ask for additional details to ensure we properly address your concern.
Thank you for trusting Valigate with your personal data. We value your privacy and work hard to protect it.