Privacy policy
How Klaffa AB handles personal data on klaffa.app. Short, concrete, no unnecessary legalese.
This policy covers our public marketing site klaffa.app. Processing of personal data inside the Klaffa product itself (schedules, call sheets, agreements, payroll) is governed by a separate Data Processing Agreement (DPA) between Klaffa and the customer's production company. Two different things — this document is only about the website.
§1Controller
The controller for processing on klaffa.app is:
- Klaffa AB, corporate ID no. [XXXXXX–XXXX]
- [Registered address, Stockholm]
- Email: privacy@klaffa.app
§2What we collect
Contact form
When you submit the contact form on klaffa.app we store your name, production company, email address, and message. We use it to reply to your enquiry and to follow up on that conversation. Filling in the form is always voluntary.
Server and access logs
Our hosting provider (Vercel) logs standard technical data for every request: IP address, timestamp, URL, HTTP status, referer, user agent. This is standard web-server data needed to operate the site and identify abuse.
Cookies and local storage
Klaffa.se sets no cookies for tracking, analytics, or advertising. We do not display cookie banners because there is nothing to consent to. If we ever introduce analytics, we will announce it clearly and give you a choice.
What we do not collect
- Personnummer or other sensitive personal identifiers via the website.
- Bank account details via the website.
- Data from ad trackers, third-party pixels or social embeds — there are none on the site.
§3Legal basis
| Processing | Legal basis (GDPR art. 6) |
|---|---|
| Contact form: replying to your enquiry | Legitimate interest (art. 6(1)(f)) — responding to a message you sent us |
| Server logs: operations, security, abuse prevention | Legitimate interest (art. 6(1)(f)) |
| Steps toward a contract if the enquiry leads to a quote / dialogue | Pre-contractual measures at your request (art. 6(1)(b)) |
§4Retention
- Contact enquiries — 24 months after the last correspondence, then deleted or anonymised. If it becomes a customer relationship, handling shifts to bookkeeping and customer-agreement processes.
- Server logs — 30 days maximum, then rotated automatically.
§5Who sees the data
We do not sell personal data. We do not share it for marketing purposes. The following processors handle data on our behalf to operate the website:
| Provider | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting klaffa.app, HTTP logs | EU / global CDN |
| [Email provider, e.g. Fastmail / Google Workspace] | Receiving form submissions and replying to enquiries | [EU / US] |
For transfers outside the EU/EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where required, supplementary measures.
§6Your rights
Under the GDPR you have the right to:
- request a copy of the data we hold about you (access),
- have inaccurate data corrected,
- request erasure when there is no longer a reason to process it,
- object to processing based on legitimate interest,
- request restriction of processing,
- where applicable, receive your data in a structured format (portability).
Contact privacy@klaffa.app. We respond within 30 days.
§7Security
Klaffa.se is served exclusively over TLS. Form submissions are encrypted in transit. Access to enquiries is restricted to Klaffa staff who need it to reply. Security in the Klaffa product itself — bank-data encryption, row-level security, EU data residency, SOC 2 work in progress, and the GDPR DPA — is covered in separate security documentation.
§8Changes
For material changes we update the date and version at the top. For significant changes affecting your rights we will try to notify you directly if we have your email.
§9Contact
Questions about privacy or this policy: privacy@klaffa.app.