1. Who we are
SousFlow AB ("SousFlow", "we", "us", "our") is a Swedish limited company headquartered in Stockholm, Sweden. We operate the website at sousflow.com and provide ITSM automation services to enterprise and government clients.
Data controller for personal data processed via this website:
- Company: SousFlow AB
- Organization no.: 559452-1527
- Address: Stockholm, Sweden
- Email: hello@sousflow.com
For privacy questions or to exercise your rights, email hello@sousflow.com. We respond within 30 days.
2. What this policy covers
This policy explains what personal data we collect from visitors to sousflow.com, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act.
Not covered by this policy: when we act as a data processor for clients — for example, when we build automation that processes employee or user data inside a client's environment — the client is the data controller and their own Data Processing Agreement (DPA) and privacy policy govern that data. If you have questions about data SousFlow processes on behalf of your employer or another organization, reach out to that organization first.
3. Information we collect
Information you provide
When you submit our contact form, we collect:
- First name (optional)
- Last name (optional)
- Email address (required)
- Phone number (optional)
- The content of your message
- Your consent to data processing (with timestamp)
Information collected automatically
When you visit sousflow.com, we (or our service providers) automatically receive:
- IP address (truncated where technically possible)
- Browser type and version
- Operating system
- Pages visited and time on page
- Referrer URL (the page you came from)
- Device type (desktop, mobile, tablet)
- Country and approximate region (derived from IP)
This is collected via two channels:
- Vercel (our hosting provider) — short-lived server logs for security, performance monitoring, and debugging
- Google Analytics 4 — only if you have accepted analytics cookies via our consent banner
We do not use any of the following on this website:
- Behavioral or remarketing pixels (Meta Pixel, LinkedIn Insight Tag, etc.)
- Cross-site tracking
- Session replay or screen recording tools
- Heatmap tools
Cookies and local storage
We use the following client-side storage on this site:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sousflow-consent-v1 | Strictly necessary | Stores your cookie consent choice so the banner does not reappear on every visit. | 1 year |
| _ga | Analytics (opt-in) | Google Analytics — distinguishes unique visitors. | 2 years |
| _ga_EZ6EXDCDZP | Analytics (opt-in) | Google Analytics — session state for our specific GA4 property. | 2 years |
| _gid | Analytics (opt-in) | Google Analytics — distinguishes unique visitors for 24 hours. | 24 hours |
You can withdraw analytics consent at any time by clearing the sousflow-consent-v1 entry from your browser's local storage — the consent banner will then reappear on your next visit. You can also block all cookies via your browser settings; the site remains functional without analytics.
4. Legal basis for processing
Under GDPR Article 6, we process personal data on the following bases:
| What we process | Purpose | Legal basis |
|---|---|---|
| Contact form submissions | Respond to your inquiry; pre-contractual communication if you are evaluating us | Pre-contractual measures (Art. 6(1)(b)) + your consent (Art. 6(1)(a)) |
| Email correspondence | Reply to your questions, send proposals, manage engagements | Pre-contractual / contractual (Art. 6(1)(b)) |
| Server logs (Vercel) | Security, debugging, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Google Analytics 4 | Understand how the site is used so we can improve content | Your consent (Art. 6(1)(a)) |
| Accounting records | Comply with Swedish bookkeeping law (Bokföringslagen) | Legal obligation (Art. 6(1)(c)) |
5. How we use your data
We use the personal data we collect to:
- Respond to inquiries you submit via the contact form
- Send proposals, assessments, or follow-ups if you are evaluating us
- Operate, debug, and improve the website
- Protect our site from abuse and security threats
- Comply with legal obligations (tax, accounting, lawful requests from authorities)
We do not:
- Sell or rent your personal data to third parties
- Use your data for automated decision-making or profiling that produces legal or similarly significant effects
- Send marketing emails without your explicit opt-in (we do not currently send marketing emails at all)
7. International transfers
Some of our service providers are based outside the European Economic Area (EEA), primarily in the United States. When personal data is transferred internationally, we rely on the following safeguards under GDPR Chapter V:
- The EU-US Data Privacy Framework, where the recipient is certified
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary technical and organizational measures where appropriate
You can request copies of the relevant safeguards by emailing hello@sousflow.com.
8. How long we keep data
| Data | Retention period |
|---|---|
| Contact form submissions and follow-up correspondence | 3 years from your last interaction, unless we have an active engagement |
| Analytics data (Google Analytics 4) | 14 months (then automatically deleted) |
| Server logs (Vercel) | 30 days (default Vercel retention) |
| Engagement records (if you become a client) | 7 years from the end of the engagement (Swedish Bokföringslagen) |
| Tax/accounting records | 7 years (Swedish law) |
9. Your rights
Under GDPR you have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data. |
| Erasure (Art. 17, "right to be forgotten") | Ask us to delete your personal data, subject to legal retention obligations. |
| Restriction (Art. 18) | Ask us to limit how we process your data while a dispute is being resolved. |
| Data portability (Art. 20) | Receive the data you have given us in a structured, machine-readable format. |
| Object (Art. 21) | Object to processing based on legitimate interest (e.g. server logs). |
| Withdraw consent (Art. 7(3)) | Withdraw consent for analytics at any time. This does not affect prior processing. |
To exercise any of these rights, email hello@sousflow.com. We respond within 30 days.
You also have the right to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY): www.imy.se.
10. Security
We take reasonable technical and organizational measures to protect your personal data:
- HTTPS/TLS encryption for all traffic to and from the website
- Encrypted storage of contact form data at our processors (HubSpot)
- Access controls — only SousFlow staff with a legitimate need can access your inquiry
- Regular review of our data flows and processor list
- Multi-factor authentication on internal systems that contain personal data
No method of transmission over the internet is 100% secure. If we become aware of a personal data breach affecting you, we will notify you and the Swedish supervisory authority as required by GDPR (within 72 hours where required).
11. Children
Our services are aimed at organizations, not individuals. We do not knowingly collect personal data from children under 16. If you believe a child has submitted data to us, email hello@sousflow.com and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be marked with an updated "Last updated" date at the top of this page. For significant changes — new processors, new categories of data, or changes to legal basis — we will additionally post a notice on the homepage for 30 days.
13. Contact
For privacy questions or to exercise your rights:
To file a complaint with the Swedish supervisory authority:
