Privacy Policy

Last updated: July 4, 2022

Why and for whom?

At Done Sweden AB, company registration number 559201-0390 (“Done”, “we”, “us”, “our”), we care about personal privacy. This means that we respect and safeguard your privacy and your right to control and transparency when it comes to the processing of your personal data.

This Privacy Policy (“Policy”) applies to the data processing activities for which Done is the data controller. The Policy provides a general overview of the purposes for which we need your personal data, the legal grounds we rely on, and the measures we take to protect personal data. We also explain how you can exercise your rights related to our processing of your personal data.

The Policy informs you of how we handle personal data in cases where you communicate with us, use the Service, or visit our website www.doneservices.se (together referred to as the “Features”).

This policy is intended for:

  • Users of the Service

  • Potential customers

  • Employees of potential customers

  • Employees of existing customers

  • Visitors to our website

Definitions

  • “Processing” of personal data includes any action that can be taken with personal data, such as storing, modifying, reading, transferring, etc.

  • “Applicable law” refers to laws governing the processing of personal data, including the General Data Protection Regulation (GDPR), supplementary national legislation, as well as practices, guidelines, and recommendations issued by national or European supervisory authorities.

  • “Personal data” means any information that can be linked to an identifiable living person.

  • “Data controller” is the company/organization that determines the purpose (why) and means (how, what data, duration, etc.) of the processing of personal data and is responsible for ensuring that the processing complies with applicable law.

  • “Data processor” is the company/organization that processes personal data on behalf of the data controller and may only do so in accordance with the controller’s instructions and applicable law.

  • “Data subject” means the living individual whose personal data is being processed.

  • “The Service” refers to craft services and the mediation of craft services via the Done app and the website www.doneservices.se.

Done’s Responsibility as Data Controller

This Policy covers personal data processing for which Done is the data controller, i.e., where we determine the purpose and means of processing. It does not describe how we process data as a processor on behalf of our customers.

We provide a platform for the mediation of craft services. We need to process your personal data to create a user account, match you with available tradespeople based on your needs, and generate quotes and invoices. We may also contact relevant individuals in the industry for service sales.

Done’s Processing of Personal Data

We are obligated to describe and demonstrate how we comply with data protection requirements. This section aims to help you understand what types of personal data we process and for what purposes.

How long do we store your personal data?

We retain your personal data only as long as necessary for the purpose for which it was collected. The retention period depends on the legal basis for the processing, which may be based on a) a contract, b) valid consent, c) legal obligations, or d) a legitimate interest assessment.

We never store your personal data longer than necessary and regularly delete data that is no longer needed. We also take reasonable steps to ensure that data is kept up to date and delete outdated or incorrect information.

Types of Processing

The primary purpose of our processing is to provide, perform, and improve our services. We may collect, manage, and store your data for various reasons, including:

  • Contact and identification details to verify your identity and communicate with you.

  • Financial information for customer due diligence and risk analysis.

  • Information about how you use the service/product to enhance your experience.

  • IP address to perform customer analysis and display our website content effectively.

  • Consumption patterns to offer tailored promotions.

  • Contact details for marketing and promotional purposes.

  • Billing details to invoice for services.

How do we obtain your personal data?

We collect personal data in several ways, mainly through:

  • Data you provide to us.

  • Third-party analytics technologies (e.g., cookies).

  • Information derived from data analysis.

  • Public sources such as government agencies or SPAR.

  • Retailers who share your data when we are their installation partner.

Legal Bases

We process your data based on the following legal grounds:

  • Consent – We process your data when you have given consent. We always inform you before asking for consent.

  • Contract – Processing is necessary for fulfilling a contract or preparing to enter into one.

  • Legitimate interest – When we have a compelling interest that outweighs your privacy concerns, e.g., in direct marketing.

  • Legal obligation – We may be required by law to process certain data.

You can always request information about the legal basis for processing your personal data (see “How to exercise your rights”).

Your Rights

You control your personal data. We strive to help you exercise your rights easily and efficiently.

  • Access – You can request a record of the personal data we process about you.

  • Correction – You can ask us to correct inaccurate or incomplete data.

  • Erasure – You can request that we delete your personal data if it’s no longer needed. If we are legally required to keep it, we’ll restrict its use to that purpose only.

  • Objection – You can object to our processing based on legitimate interest. We’ll reassess and may stop the processing, especially if you object to direct marketing.

  • Restriction – You can ask us to limit processing:

    • While we’re evaluating another rights request

    • If you want us to stop using the data without deleting it

    • If we no longer need the data but you want us to retain it for legal claims

  • Data portability – You can request a copy of your data in a commonly used, machine-readable format.

  • Withdraw consent – You can withdraw previously given consent at any time. This applies only to future processing.

How to exercise your rights

Contact us at kontakt@doneservices.se. You can also manage your data and requests through your user account in the Done app.

Data Transfers

To operate our business, we may use processors (data processors) who handle data on our behalf.

When processors transfer data outside the EU/EEA, we ensure compliance with applicable law through:

  • EU Commission adequacy decisions;

  • Standard Contractual Clauses (SCCs);

  • Other appropriate safeguards.

We have data processing agreements (DPAs) with all our processors, detailing how they may handle data and what security measures they must use.

We may also be required to share data with government authorities due to legal obligations.

Our Data Processors

Done does not sell your data. We only share your data with selected third parties when necessary, and always securely. Examples include:

  • Marketing service providers for campaign creation and distribution.

  • IT suppliers for business systems and case management.

  • Analytics systems for customer insights and industry statistics.

Security

We implement technical and organizational measures to protect your data from loss, misuse, and unauthorized access.

Our Security Measures

Organizational measures:

  • Internal policies and procedures

  • Login and password management

Technical measures:

  • Encryption

  • Pseudonymization

  • Secure networks

  • Firewalls

  • Backups

  • Regular security audits

  • Two-factor authentication

Cookies

Done uses cookies and similar technologies to analyze usage and enhance your experience. For more, see our Cookie Policy.

If we don’t live up to our commitments

If you believe we’re mishandling your data, and we’ve not addressed your concerns, you can file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).

More information is available at www.imy.se or by contacting imy@imy.se.

Changes to this Policy

We reserve the right to update this Policy. If changes affect your rights or our obligations, we will inform you in advance so you can review the changes.

Contact

If you have questions about your rights or how we process your personal data, contact us at:

kontakt@doneservices.se