# Privacy notice — Konsultverkstad

_Last updated: 2026-04-26_

This notice describes how Konsultverkstad processes personal data. It is
written in English; the canonical Swedish version is rendered at
`/legal/privacy` inside the application. If there is a conflict, the
Swedish version controls.

---

## 1. Who is the controller

**Konsultverkstad** is operated by **David Martinsson**, sole proprietor,
based in Stockholm, Sweden. Contact: **david.j.martinsson@gmail.com**.

For your *account data* (email, password hash, profile, invoices, hours
logged), David is the controller. For data you, in turn, store about
your own clients (names, addresses, hours billed), you are the
controller and David is your processor — see §8 below.

## 2. What data we process

**Account data**
- Email address (used for login and transactional email).
- Password hash (bcrypt; never the plaintext).
- Optional profile information you enter: business name, organisation
  number, VAT number, address, phone, bank account, footer text, logo.
- Account creation date, last sign-in time, IP address of recent
  sign-ins (kept by Supabase for security purposes).

**Workspace data (controlled by you)**
- Mind-map nodes you create: clients, projects, tasks, notes.
- Hours you log: date, hours, rate, comment, link to client.
- Invoices you generate: numbers, dates, amounts, snapshotted issuer
  and recipient details, line items, status history.
- Files you upload (Supabase Storage): documents attached to nodes,
  optionally a logo for your invoice template.

**Operational data**
- Activity log entries for nodes and invoices (who changed what, when).
- Server logs for the hosting platform (Railway): timestamps, request
  paths, status codes. No request bodies are logged.

We do **not** use third-party analytics, tracking pixels, or
advertising cookies. We do not sell or share data for marketing.

## 3. Why we process it (legal basis)

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Run your account, deliver the service | Contract performance, Art. 6(1)(b) |
| Bookkeeping data: invoices, logs feeding sent invoices | Legal obligation (Swedish Bokföringslagen 1999:1078, 7 yrs), Art. 6(1)(c) |
| Security: rate limiting, abuse detection, audit logs | Legitimate interest, Art. 6(1)(f) |
| Transactional email (signup confirmation, password reset) | Contract performance, Art. 6(1)(b) |

## 4. Where data is stored

- **Database + auth + file storage:** Supabase (region: EU-Central /
  Frankfurt). Postgres, encrypted at rest.
- **Hosting:** Railway, EU regions when available.
- All transport is TLS 1.2+.

## 5. Subprocessors

We use the following subprocessors. Each has a Data Processing
Agreement (DPA) in force. The list is current as of the date above.

| Subprocessor | Purpose | Region | DPA |
| --- | --- | --- | --- |
| Supabase Inc. | Postgres database, authentication, file storage, transactional email | EU (Frankfurt) | Standard Contractual Clauses + DPA |
| Railway Corp. | Application hosting | EU when available; US fallback for some edge functions | DPA on file |
| Anthropic, PBC | AI model used by the optional document-import feature only | US | DPA on file; SCCs |
| Functional Software, Inc. (Sentry) | Error monitoring — receives stack traces only when the app crashes | EU (Frankfurt) | DPA on file; SCCs |

The Anthropic-backed import feature is only invoked when you upload
documents and ask the system to propose a node tree from them. Document
content is sent to Anthropic for that single request and is not used for
training (per Anthropic's API terms).

Sentry receives only stack traces and minimal request metadata when the
app encounters an unhandled error. We configure Sentry with
`sendDefaultPii: false` and a `beforeSend` hook that strips request
bodies, cookies, auth headers, and known sensitive query parameters
(tokens, codes, emails). User identifiers are reduced to opaque IDs.
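One way to implement the `beforeSend` scrubbing described above, as an added example that is not Konsultverkstad's own code; the event/request field names follow the Sentry JS SDK, while the header list, query-key list and sample event are assumptions constructed for this example:

```javascript
// Added example, not Konsultverkstad's own code: a Sentry-style beforeSend hook.
// Field names follow the Sentry JS SDK event shape; header/query-key lists are assumed.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);
const SENSITIVE_QUERY_KEYS = new Set(["token", "code", "email", "access_token", "refresh_token"]);
// Redact the value of every sensitive key in an "a=1&token=abc" style string.
function scrubQueryString(qs) {
  if (!qs) return qs;
  const params = new URLSearchParams(qs);
  for (const key of [...params.keys()]) {
    if (SENSITIVE_QUERY_KEYS.has(key.toLowerCase())) params.set(key, "[redacted]");
  }
  return params.toString();
}
// Scrub the query part of a full URL; an unparseable URL is returned unchanged.
function scrubUrl(url) {
  try {
    const u = new URL(url);
    u.search = scrubQueryString(u.search.slice(1));
    return u.toString();
  } catch { return url; }
}
function beforeSend(event) {
  if (event.request) {
    const req = { ...event.request };
    delete req.data;    // request body
    delete req.cookies; // parsed cookie jar
    if (req.headers) {
      req.headers = Object.fromEntries(
        Object.entries(req.headers).filter(([k]) => !SENSITIVE_HEADERS.has(k.toLowerCase())));
    }
    if (req.query_string) req.query_string = scrubQueryString(req.query_string);
    if (req.url) req.url = scrubUrl(req.url);
    event.request = req;
  }
  // Keep only an opaque id; email, username and ip_address are dropped.
  if (event.user) event.user = event.user.id != null ? { id: String(event.user.id) } : undefined;
  return event;
}
// Constructed sample event in the shape the SDK hands to beforeSend.
const SAMPLE_EVENT = {
  request: {
    url: "https://app.example.test/auth/callback?code=abc123&next=/dashboard",
    query_string: "code=abc123&next=/dashboard",
    headers: { "Content-Type": "application/json", Authorization: "Bearer secret-jwt", Cookie: "sb-x=secret" },
    cookies: { "sb-x": "secret" },
    data: { email: "user@example.test", password: "hunter2" },
  },
  user: { id: 42, email: "user@example.test", ip_address: "203.0.113.5" },
};
```

Pass `beforeSend` as the `beforeSend` option alongside `sendDefaultPii: false` in `Sentry.init(...)`; the hook runs on every event before it leaves the process.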

## 6. How long we keep it

| Category | Retention |
| --- | --- |
| Active account data | While your account exists |
| Account after deletion | 30 days "tombstone" period to allow recovery, then irreversible deletion |
| Bookkeeping records (invoices + their source logs once status = sent or paid) | 7 years from the end of the fiscal year, per Swedish law |
| Activity / audit logs | 24 months, then anonymised |
| Server access logs (Railway) | 14 days |
| Email-link tokens (signup, password reset) | 24 hours; single-use |

If you delete your account, the bookkeeping retention overrides the
account deletion: invoices and the logs they reference are retained
for 7 years, but stripped of identifiers we are not legally required
to keep (e.g., the canvas mind-map content is purged immediately).

## 7. Your rights

You can exercise the following GDPR rights at any time:

- **Access** (Art. 15) — download a JSON export of your data from
  *Profil → Exportera mina data*.
- **Rectification** (Art. 16) — edit any field inside the app.
- **Erasure** (Art. 17) — *Profil → Radera konto*. Subject to the
  bookkeeping retention in §6.
- **Portability** (Art. 20) — same export as Access; structured JSON.
- **Restriction / objection** (Arts. 18, 21) — email us; we'll suspend
  processing while reviewing.
- **Complaint** — to Integritetsskyddsmyndigheten (IMY) in Sweden.

We respond to rights requests within 30 days.

## 8. If you store data about your own clients

When you log hours against a "client" node, enter their org number, or
add an address, you are entering personal data about a third party.
You are the controller of that data; we are your processor.

You must have your own legal basis for processing your clients' data
(typically: contract performance and your own Swedish bookkeeping
obligation). Konsultverkstad does not impose a separate contract for
this; the relationship is governed by §3 of these Terms (the data-processing
addendum bundled there). If you need a standalone DPA, ask.

## 9. Cookies

We use **only essential cookies** required to keep you logged in. They
are HttpOnly, Secure, and SameSite=Lax. No analytics, no marketing.

The login session cookies are set by Supabase under names beginning
with `sb-`. They expire when your session expires (default 1 hour for
the access token, 30 days for the refresh token).

## 10. Security

See the public summary in `SECURITY.md` and §10 of the Terms. In short:
RLS on every table, append-only audit logs, encrypted-at-rest storage,
TLS in transit, and Skatteverket-aligned bookkeeping immutability.

## 11. Incidents

If we discover a personal-data breach affecting you, we will notify you
within 72 hours of becoming aware, by email, with what we know and
what we're doing about it. Reportable breaches are also escalated to
IMY per Art. 33.

## 12. Changes to this notice

We'll publish material changes at `/legal/privacy` with an updated
"Last updated" date and email registered users at least 14 days before
the change takes effect.

## 13. Contact

**david.j.martinsson@gmail.com** — privacy questions, rights requests,
or DPA copies on request.