Privacy Notice
This Privacy Notice (the "Notice") is issued by Structsales AB, a Swedish limited liability company (Sw. aktiebolag) with corporate registration number 559130-1667 and registered office at Kungsgatan 37, Stockholm, Sweden, doing business under the trade name "Commercial Architects" (the "Controller", also referred to in this Notice as "we", "us" or "our").
It describes how we collect, use, disclose and otherwise process personal data in connection with (i) the website commercialarchitects.ai (the "Website"), (ii) communications initiated by you through the Website, by email or otherwise, and (iii) the provision of our advisory and consulting services (the "Services").
We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the "GDPR"), the Swedish Data Protection Act (Sw. lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) and any other applicable mandatory law.
1.Controller and contact details
The controller of the personal data processed under this Notice, within the meaning of Article 4(7) GDPR, is:
- Entity: Structsales AB
- Trading as: Commercial Architects
- Corporate registration number: 559130-1667
- Registered office: Kungsgatan 37, 111 56 Stockholm, Sweden
- Email: oliver.lopez@commercialarchitects.ai
We have not appointed a Data Protection Officer (Sw. dataskyddsombud) as we are not required to do so under Article 37 GDPR. Inquiries relating to this Notice or to the processing of personal data should be addressed to the email above.
2.Definitions
Capitalised terms not otherwise defined herein shall have the meaning ascribed to them in Article 4 GDPR. Without limitation:
- "Personal Data" means any information relating to an identified or identifiable natural person (Data Subject).
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
- "EEA" means the European Economic Area.
- "Supervisory Authority" means the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten, "IMY").
3.Categories of personal data
We process the following categories of Personal Data:
- Identification data: first name, last name.
- Contact data: work email address, and any postal address voluntarily provided.
- Professional data: employer (company name), professional role or title, annual revenue range of your employer, and any other professional information you voluntarily disclose.
- Communications data: the content of messages submitted through the Website's contact form, by email or in calls (including meeting notes prepared by us).
- Technical data: IP address, browser type and version, operating system, device type, referring URL, pages visited, and timestamps, as automatically collected by our hosting provider's server logs.
We do not knowingly process special categories of Personal Data within the meaning of Article 9 GDPR, nor Personal Data relating to criminal convictions and offences within the meaning of Article 10 GDPR. You are requested not to submit such data to us through the Website.
4.Purposes and legal bases
We process Personal Data only for specified, explicit and legitimate purposes set out below. For each purpose, the corresponding legal basis under Article 6(1) GDPR is identified.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Responding to inquiries submitted via the Website's contact form or by email; scheduling and conducting introductory calls. | Identification, Contact, Professional, Communications. | Art. 6(1)(b) GDPR , steps taken at the request of the Data Subject prior to entering into a contract. |
| Performance of the Services pursuant to a signed engagement agreement, including invoicing and client communications. | Identification, Contact, Professional, Communications. | Art. 6(1)(b) GDPR , performance of a contract. |
| Compliance with statutory obligations, including accounting and bookkeeping obligations under the Swedish Accounting Act (Sw. bokföringslagen (1999:1078)). | Identification, Contact, Professional, Communications. | Art. 6(1)(c) GDPR , compliance with a legal obligation. |
| Operating, securing and improving the Website; preventing fraud and abuse; maintaining server logs. | Technical. | Art. 6(1)(f) GDPR , legitimate interests pursued by the Controller in ensuring the security and availability of the Website. We have assessed these interests against the rights and freedoms of Data Subjects pursuant to Recital 47 GDPR. |
| Business development and follow-up communications with prospective clients who have actively engaged with us, where such communications are reasonably expected. | Identification, Contact, Professional, Communications. | Art. 6(1)(f) GDPR , legitimate interests in developing the Controller's business. You may object to such processing at any time pursuant to Article 21 GDPR. |
| Establishment, exercise or defence of legal claims. | All categories as relevant. | Art. 6(1)(f) GDPR and, where applicable, Art. 9(2)(f) GDPR. |
Where processing is based on consent under Article 6(1)(a) GDPR, you may withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
5.Sources of personal data
We collect Personal Data primarily from you directly. In limited circumstances, we may also receive Personal Data from:
- publicly available sources, such as your employer's website, professional networks (e.g. LinkedIn) and company registries;
- introducers, advisors or other third parties acting on your behalf or instructions; and
- our technical service providers, in respect of Technical data automatically collected when you access the Website.
6.Recipients and processors
We disclose Personal Data only to the extent necessary for the purposes set out in Section 4 and subject to appropriate confidentiality and security obligations. Categories of recipients include:
- Processors engaged by us to process Personal Data on our behalf under a data processing agreement compliant with Article 28 GDPR, including in particular:
- Hosting and form delivery: Netlify, Inc. (United States).
- Email infrastructure and calendaring: [EMAIL/CALENDAR PROVIDER, e.g. Google Workspace, Microsoft 365].
- Document management and storage: [CLOUD STORAGE PROVIDER].
- Accounting and invoicing: [ACCOUNTING SOFTWARE / FIRM].
- Professional advisers, including legal counsel, auditors and accountants, where reasonably required.
- Competent public authorities, including the Swedish Tax Agency (Sw. Skatteverket) and the IMY, where required by law or in response to a binding request.
- Acquirers or successors, in connection with a corporate transaction (such as a merger, acquisition or sale of assets), subject to customary confidentiality safeguards.
We do not sell Personal Data, nor do we disclose Personal Data to third parties for their own independent marketing purposes.
7.Transfers outside the EEA
Some of the Processors referred to in Section 6 are established in third countries outside the EEA, in particular the United States. Where Personal Data is transferred to a third country, such transfer takes place on the basis of one or more of the following safeguards pursuant to Chapter V GDPR:
- an adequacy decision of the European Commission pursuant to Article 45 GDPR (in particular, the EU-US Data Privacy Framework, where the relevant recipient is certified thereunder); or
- Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented by technical and organisational measures where required following a transfer impact assessment.
A copy of the relevant safeguard may be obtained, upon request, by contacting us at the address set out in Section 1.
8.Retention periods
We retain Personal Data only for as long as is necessary for the purposes for which it is processed, after which the data is deleted or anonymised. The following indicative retention periods apply:
| Data / context | Retention period |
|---|---|
| Contact form submissions and prospect communications where no engagement is concluded. | Up to 24 months from the last meaningful interaction. |
| Client engagement data (correspondence, meeting notes, deliverables). | For the duration of the engagement and 24 months thereafter, subject to longer retention where required by law. |
| Accounting records and supporting documentation. | Seven (7) financial years following the end of the calendar year to which they relate, pursuant to Chapter 7 of the Swedish Accounting Act. |
| Server logs (Technical data). | Up to twelve (12) months, unless required for security investigation. |
| Data relevant to establishing, exercising or defending legal claims. | Until the applicable limitation period has expired (typically ten (10) years under Swedish law). |
9.Automated decision-making and profiling
We do not carry out automated decision-making, including profiling, producing legal effects concerning you or similarly significantly affecting you within the meaning of Article 22 GDPR.
10.Cookies and similar technologies
The Website uses only cookies and similar technologies that are strictly necessary for the Website and the contact form to function. Such cookies are exempt from the consent requirement under Section 6 a of the Swedish Electronic Communications Act (Sw. lag (2022:482) om elektronisk kommunikation).
Should we in the future deploy non-essential cookies (for instance for analytics or marketing purposes), we will request your prior consent in accordance with applicable law and update this Notice accordingly.
11.Security measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Such measures include, without limitation, encryption of Personal Data in transit (HTTPS / TLS), access controls based on the principle of least privilege, the use of reputable Processors bound by data processing agreements, and ongoing review of the security posture of our systems.
12.Rights of data subjects
Subject to the conditions and limitations set out in Chapter III GDPR, you have the following rights in respect of Personal Data concerning you:
- Right of access (Article 15 GDPR) , to obtain confirmation as to whether or not Personal Data concerning you is being processed, and access to such data and the related information.
- Right to rectification (Article 16 GDPR) , to obtain the rectification of inaccurate Personal Data and to have incomplete Personal Data completed.
- Right to erasure (Article 17 GDPR) , to obtain the erasure of Personal Data where the grounds set out therein are met.
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability (Article 20 GDPR) , to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another controller where processing is based on consent or contract and is carried out by automated means.
- Right to object (Article 21 GDPR) , to object, on grounds relating to your particular situation, to processing based on Article 6(1)(f) GDPR; and to object at any time to processing for direct marketing purposes.
- Right to withdraw consent (Article 7(3) GDPR) , where processing is based on consent.
Requests to exercise any of the above rights should be sent to oliver.lopez@commercialarchitects.ai. We will respond without undue delay and, in any event, within one (1) month of receipt of the request, in accordance with Article 12(3) GDPR. We may extend that period by a further two (2) months where necessary, taking into account the complexity and number of the requests. We may request reasonable additional information to confirm your identity prior to acting on a request.
13.Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a Supervisory Authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of Personal Data concerning you infringes the GDPR (Article 77 GDPR). The competent Supervisory Authority in Sweden is the IMY:
- Integritetsskyddsmyndigheten (IMY)
- Box 8114, 104 20 Stockholm, Sweden
- Email: imy@imy.se
- Web: www.imy.se/en/
14.Amendments
We may amend this Notice from time to time, in particular to reflect changes in our processing activities, in applicable law or in the guidance issued by competent authorities. The version number and the effective date set out at the top of this Notice will be updated accordingly. Where the amendment is material, we will take reasonable steps to draw your attention to such amendment.
15.Governing law
This Notice and the processing of Personal Data described herein are governed by Swedish law and the directly applicable provisions of EU law, including the GDPR.