Privacy Policy
Effective Date: September 1, 2025 – Version 1.0
This Privacy Policy describes how Nonco AB (“we”, “us” or “Nonco”) processes personal data when you visit www.nonco.se (the “Website”), use our services, contact us, or otherwise interact with us.
1. Data Controller and Contact Information
Nonco AB
Company Registration Number: 559328-5579
Postal Address: Lagerlöfs Väg 18, 245 32 Staffanstorp, Sweden
Email for Privacy Inquiries: info@nonco.se
2. What Personal Data We Process
The data we collect depends on how you use the Website and our services.
2.1. Data You Provide to Us
– Contact details: name, email address, phone number.
– Message content: free-text fields in contact forms, demo requests, quote requests, support cases.
– Recruitment: CV, cover letter, references, and other application details.
2.2. Data Collected Automatically
– Technical data: IP address, device/browser information, language settings, date/time, pages/URLs.
– Cookies and similar technologies: see our Cookie Policy for details on categories of cookies, purposes, retention periods, and how to withdraw consent.
2.3. Data from Third Parties
– Public sources (e.g., web, government registers) and business partners/suppliers to the extent necessary to provide services, fulfill agreements, or comply with legal requirements.
3. Purposes, Legal Basis, and Retention Periods
We process personal data only when we have a legal basis under the GDPR. The table below summarizes the main purposes.
| Purpose | Examples of Personal Data | Legal Basis | Typical Retention Period | Comment |
|---|---|---|---|---|
| Respond to contact requests and deliver requested information | Name, email, phone number, message content | Legitimate interest (our interest in handling inquiries) or Contract/pre-contractual measures | Up to 12 months after the case is closed | For follow-up and quality assurance of responses |
| Customer and supplier relations (administration, projects, support) | Contact and contract details, correspondence | Contract, legal obligation (accounting), Legitimate interest | Contract-related data: during the contract term + up to 10 years where applicable; accounting records: 7 years after the end of the financial year. | Adapt to your document management plan |
| Website operation, security, and troubleshooting | Logs, IP addresses, technical data | Legitimate interest (IT security, troubleshooting, misuse prevention) | Normally 12–24 months | Shorter/longer period in case of incident investigation |
| Website analysis and improvement | Cookies/analytics data | Consent (for non-essential cookies) | See Cookie Policy | Consent can be withdrawn at any time |
| Marketing (newsletters, campaigns, events) | Name, email, possible interest profiles | Consent (where required) or Legitimate interest (B2B with clear opt-out option) | Until you withdraw consent/unsubscribe; logs may be kept longer to demonstrate consent | Respect NIX rules and anti-spam legislation |
| Recruitment | Application documents | Legitimate interest or consent where required | Normally 24 months after the process ends | To address potential discrimination claims |
| Compliance with legal obligations | Identification and transaction data | Legal obligation | According to applicable law (e.g. accounting 7 years) | |
Note: The retention periods above are indicative. We may retain data longer if required to establish, exercise, or defend legal claims, or to comply with specific legal obligations. When the data is no longer needed, it will be securely deleted or anonymized.
4. Cookies and Similar Technologies
We use cookies to enable basic functions (necessary cookies) and – with your consent – for the analysis and improvement of the Website. Non-essential cookies are not set without your prior consent. You may withdraw or change your consent at any time via the cookie settings on the Website. See our Cookie Policy for details on each cookie, provider, purpose, and retention period.
5. Recipients and Categories of Processors
We only share personal data when necessary and under contract. Categories of recipients may include:
- Web hosting and operations (e.g., One.com or other hosting providers)
- Cloud infrastructure and IT services (e.g., Microsoft Azure/Microsoft 365 or other providers)
- Web analytics/marketing (e.g., Google Search Console, Bing Webmaster Tools)
- Email and communications (e.g., Microsoft 365)
- CRM, case management, and support (e.g., Microsoft 365)
- Payment and invoicing services (e.g., Fortnox)
- Professional advisors (e.g., auditors, legal counsel)
- Authorities where required by law
When suppliers process personal data on our behalf, we enter into data processing agreements that govern security, confidentiality, and instructions.
6. Transfers Outside the EU/EEA
Some providers may be based outside the EU/EEA or use subcontractors in third countries. In such cases, we ensure that the transfer is carried out in accordance with the GDPR, for example through the European Commission’s Standard Contractual Clauses (SCCs) and – where necessary – additional safeguards following a risk assessment.
7. Security
We take appropriate technical and organizational measures to protect personal data, such as access controls, encryption where appropriate, logging, the principle of least privilege, regular updates, and supplier reviews. Nevertheless, no method can be entirely risk-free. In the event of a personal data incident, we act in accordance with applicable regulations and our internal procedures.
8. Your Rights
You have rights under the GDPR. To the extent provided by law, you may:
- Access your personal data (data subject access request).
- Correct inaccurate or incomplete data.
- Erase data (“right to be forgotten”) when there is no longer a legal basis for processing.
- Restrict processing in certain cases.
- Object to processing based on legitimate interest or for direct marketing.
- Withdraw consent at any time where processing is based on consent.
- Receive and transfer your data (data portability) when processing is automated and based on consent or contract.
To exercise your rights, please contact us using the details provided in Section 1. We may need to verify your identity. We normally respond within one (1) month.
9. Complaints to the Supervisory Authority (IMY)
If you believe that your personal data is being processed in violation of the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY):
Swedish Authority for Privacy Protection (IMY)
Box 8114, 104 20 Stockholm
Phone: +46 8 657 61 00
Email: imy@imy.se
Website: https://www.imy.se/
You may also contact the supervisory authority in the EU/EEA country where you live or work.
10. Children's Personal Data
Our Website and services are not directed at children. If a service is offered directly to children and the processing is based on consent, we ensure compliance with applicable rules (e.g., obtaining parental consent where required). If we become aware that we have processed children’s data without the necessary consent, we will take steps to delete the data.
11. Profiling and Automated Decision-Making
We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you. Any analytics for website statistics are carried out at an aggregated level and only after consent to such cookies.
12. Where the Data Comes From
Primarily from you (e.g., through forms and correspondence). In some cases, from public sources, partners, or suppliers where necessary to fulfill a contract, legitimate interest, or legal obligation.
13. How We Balance Legitimate Interests
When we base processing on legitimate interest, we carry out a balancing test to ensure that our legitimate interests do not override your interests or fundamental rights and freedoms. You may contact us for a summary of the assessment.
14. Retention and Deletion in Practice
We apply the principle of data minimization in storage.
Examples:
- Contact inquiries: Normally deleted 12 months after the case is closed, unless a longer period is required (e.g., ongoing dialogue/claims).
- Customer and contract records: Retained during the contract term and thereafter in accordance with limitation and accounting rules (accounting records normally 7 years after the end of the financial year).
- Technical logs/IT security: Kept for as short a time as possible, normally 12–24 months.
- Marketing: Until you object or withdraw consent; suppression lists may be retained to ensure we do not contact you again by mistake.
- Recruitment: Up to 24 months after the process has ended.
15. Third-Party Websites
The Website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their respective policies.
16. Changes to This Policy
We may update this Policy from time to time. The latest version will always be available on this page. In the event of significant changes, we will provide clear notice (e.g., via a banner or by email where appropriate).
17. Contact
Questions about this Policy or our processing of personal data?
Contact us at info@nonco.se or by post as set out in Section 1.