Privacy policy
Last updated: 9 May 2025 · Effective: 9 May 2025
SverigeProvet ("we", "us") is the data controller for your personal data. This policy explains what data we collect, why, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Swedish complementary legislation (dataskyddslagen 2018:218).
Contact: hello@sverigeprovet.app
1. Personal data we process and why
1.1 Sign-in and account management
Data: email address, encrypted password hash (managed by Supabase Auth), account creation timestamp.
Legal basis: GDPR Art. 6(1)(b) — necessary to perform the contract with you.
Retention: Until account deletion. On deletion the email address is anonymised immediately.
1.2 Study progress and answers
Data: quiz answers, bookmarks, SRS state (spaced repetition), mock exam results.
Legal basis: GDPR Art. 6(1)(b) — the core service requires this to compute progress.
Retention: Until account deletion.
1.3 Device registration
Data: anonymous SHA-256 fingerprint of browser User-Agent, screen dimensions, language and timezone; optional device name set by you; last-seen timestamp.
Legal basis: GDPR Art. 6(1)(f) — legitimate interest in preventing unauthorised account sharing (limited to 2 devices per licence).
Retention: 90 days after last activity, or until revoked or account deleted.
1.4 Payment and subscription
Data: Stripe customer ID, subscription plan and status, billing history. We never store card details — these are handled exclusively by Stripe.
Legal basis: GDPR Art. 6(1)(b) (contract) and Art. 6(1)(c) (accounting obligation).
Retention: 7 years after the transaction per the Swedish Accounting Act (bokföringslagen 1999:1078, Ch. 7 §2). This obligation applies even if you delete your account.
1.5 Push notifications (if enabled)
Data: push subscription key (endpoint, p256dh, auth) stored in your browser and on our servers.
Legal basis: GDPR Art. 6(1)(a) — consent given via the two-stage consent screen shown before the browser permission dialog.
Retention: Until you disable notifications (in settings) or delete your account. You can withdraw consent at any time.
1.6 Analytics (PostHog)
Data: pseudonymous event ID, page URL, event type (e.g. "quiz_completed"). No data is sent until you accept non-essential cookies in our cookie banner.
Legal basis: GDPR Art. 6(1)(a) — consent via cookie banner.
Retention: 12 months, then automatic deletion.
2. Sub-processors
| Service | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Auth, database, file storage | EU (Frankfurt) | DPA, SCCs |
| Stripe | Payments, billing | USA/EU | DPA, EU-US DPF |
| Vercel | Hosting, edge functions | USA/EU | DPA, SCCs |
| Resend | Transactional email | USA | DPA, SCCs |
| PostHog | Product analytics (opt-in) | EU | DPA, SCCs |
SCCs = EU Standard Contractual Clauses (Decision 2021/914). DPF = EU-US Data Privacy Framework.
3. Your rights (GDPR Art. 15–22)
- Access (Art. 15) — Request a copy of your data via Settings → "Download my data" or email us.
- Rectification (Art. 16) — Correct inaccurate data via settings or email.
- Erasure (Art. 17) — Delete your account in settings. Activity data is deleted immediately; payment data is retained 7 years (accounting law).
- Restriction (Art. 18) — Contact us to restrict processing during a complaint investigation.
- Data portability (Art. 20) — Export your data in machine-readable JSON via settings.
- Objection (Art. 21) — Object to processing based on legitimate interest (Art. 6(1)(f)), e.g. device fingerprinting.
- Withdrawal of consent (Art. 7(3)) — Withdraw consent to push notifications or analytics cookies at any time without affecting prior processing.
Contact us at hello@sverigeprovet.app to exercise your rights. We respond within 30 days.
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, imy.se.
4. Security
All communication uses TLS 1.3. Passwords are stored as bcrypt hashes. Database access requires Row Level Security (RLS) policies. Service-account keys are stored in environment variables and never exposed in client code.
5. Cookies and local storage
See our Cookie policy for a full list. You can change your consent at any time via "Manage cookies" in the footer.
6. Changes to this policy
Material changes will be notified by email at least 14 days in advance. The date of the last change is always shown at the top.