Privacy Policy

1. Introduction

When you activate your account by logging in for the first time to our Member Portal with the intention of obtaining the right to use coworking spaces provided by Cecil Coworking AB, company registration no. 559242-1506 (the “Provider”), and when you use the Member Portal provided by the Provider (the “Service”), the Provider will collect and process personal data relating to you. This information notice describes how and why we process your personal data and what rights you have as a data subject.

You activate your account by logging in to the Member Portal. Activation grants you access to the agreed coworking spaces in accordance with the agreement entered into between the Provider and you, or the company you represent or are employed by. Your personal data is processed to ensure that you are granted access to the agreed coworking spaces and other services included in the membership from time to time.

The Service is a web-based digital platform that may also be accessed through our mobile app (iOS and Android). Through the Service, you may, among other things, manage your profile, view and pay invoices, book meeting rooms, register for events, report issues, receive news and messages from the Provider, and access discussion forums. Furthermore, you may be allowed to order various products and services from third-party providers. Agreements regarding the provision of such products and services are entered into between you and the third-party provider, which may require us to transfer your personal data to such third-party provider (see also “Transfer of Personal Data” below).

2. Who is responsible for your personal data?

Cecil Coworking AB, i.e., the Provider, is the data controller responsible for the processing of your personal data. Full company and contact details for the Provider are provided at the end of this information notice.

3. How and what personal data do we collect?

In connection with entering into an agreement regarding the use of the Provider’s coworking spaces, we have received your name and email address, and, where applicable, the name of your employer (or equivalent), for you as a member to be entitled to use our services. When you activate your account in our Membership Portal, you may provide additional information that we will then process (such as your photo, telephone number, date of birth, where applicable, your employer’s address, company registration number/personal identity number (for sole proprietorships), VAT number and website, your role/title, CV, and contact information for your social networks). Providing this information is voluntary. In addition, certain personal data about you will be generated when you use the Service, such as username, password, customer number, order and booking history, and case history.

To use the Service, you must provide us with certain personal data. We will inform you which data is mandatory and which is voluntary. If you do not provide mandatory personal data, we will not be able to take the measures requested by you, meaning that we may not be able to enter into or fulfill agreements with you and/or provide the Service.

4. Why do we process your personal data and on what legal basis?

We process your personal data for the purposes and on the legal grounds set out below. This summary may be updated, for example, in connection with the introduction of new personal data processing activities. We will inform you of changes to this privacy policy in accordance with applicable legislation.

PURPOSE

Customer and user administration, for example, to:

• register you as a user,
• provide the Service,
• invoice your employer for any purchases or orders you make through the Service on behalf of your employer,
• provide support, troubleshooting, and information,
• Upon your request, transfer your information to third-party providers connected to the Service.

LEGAL BASIS

Performance of our obligations under an agreement with you or taking steps at your request before agreeing (GDPR Art. 6.1(b)), and processing necessary for legitimate interests pursued by us or a third party (your employer and/or third-party providers), where such interests outweigh your interests (GDPR Art. 6.1(f)).

PURPOSE

Personalisation of our offering, for example, to:

• provide personalised services and content adapted to the information we have about you,
• provide location-based services based on information from your device/equipment,
• provide targeted marketing, including advertisements, offers, and recommendations adapted to the information we have about you.

LEGAL BASIS

Legitimate interest, where our legitimate interest consists of being able to provide and market our services to improve our offering (GDPR Art. 6.1(f)).

5. Marketing

We may send marketing communications to you through the Service, via email, and through other channels. You have the right at any time to object to direct marketing via email or other electronic communications from us. The easiest way to do this is by following the instructions included in the communications you receive from us. You may also contact us using the contact details provided at the end of this notice.

6. Transfer of personal data

For the purposes set out above, we may in certain cases transfer your personal data to others performing services on our behalf as data processors, such as our IT suppliers, other companies within the Provider’s group, and our business partners. We will implement appropriate safeguards to protect your personal data in connection with such transfers, for example, by entering into data processing agreements or other appropriate arrangements.

When you wish to purchase or use services provided by third-party providers connected to the Service, we will transfer your personal data to such third-party providers. This is necessary for you to enter into agreements with those third-party providers.

We may also disclose your information if we are required to do so by law, court ruling, authority decision, or at your request.

Please note that the platform service used by the Provider to provide the Service relies on subcontractors located in third countries (such as AWS and SendGrid, both of which are U.S. companies). The personal data that the Provider must process to provide the Service may therefore be transferred to the United States (mandatory data). The same applies to any information you voluntarily provide.

The service provider engaged (Nexudus Ltd.) has contractually undertaken to ensure that such transfers comply with the GDPR, for example, through the use of Standard Contractual Clauses or Binding Corporate Rules, both of which constitute lawful transfer mechanisms under GDPR Articles 46 and 47. In addition, following a review of all circumstances surrounding potential transfers to the United States, the Provider has concluded that Nexudus processes the data with a level of protection essentially equivalent to that provided within the EU.

By activating your membership, you confirm that you have been informed about how your data is processed. Please note in particular that, apart from your name, employer, and email address, all other information provided by you is entirely voluntary.

A data processing agreement has been entered into between the Data Controller and Nexudus governing the processing of personal data, including the use of subprocessors.

Information about Nexudus’ data protection terms and related documentation can be found here.

7. Technical information about your device, links to other websites, etc.

When you download our app to your device, your IP address may be stored in order for us to provide our services. This is stored by our platform provider in anonymised form.

The Service may also place cookies on your device to function properly. A cookie is a small text file stored on your device that allows our system to recognise your device when you use the Service. Our platform provider uses Google Analytics; please see Google’s privacy policy here.

Cookies are used to improve your user experience. If you do not accept the use of cookies, you may configure your browser not to accept cookies. Information on how to do this can be found in your browser’s user manual. If you choose to configure your browser not to accept cookies, we cannot guarantee that the Service will function properly. We use both session cookies (which expire when you close the app) and persistent cookies (which remain on the device for a certain period or until deleted).

We use the following types of cookies for the purposes described below:

Necessary for the provision of the Service

These cookies are necessary for us to provide the Service to you. For example, these cookies allow us to recognise who you are so that we can provide you with the correct information.

Performance and analytics

We use these cookies to analyse how the Service is accessed, used, or performed. We use this information to maintain, operate, and improve the Service.

Functional cookies

These cookies allow us to manage certain functions in the Service according to your settings and choices. This means that when you return to the Service, for example, we may have your username ready and remember how you customised your settings.

Advertising and offers

We use these cookies to provide you with advertisements and offers, and to measure the distribution of various offers.

Third parties

We may allow our partners to use cookies within or outside the Service for the same purposes described above. We may also engage service providers to use cookies on our behalf for the purposes described above.

The Service may also contain links to other websites, products, and/or services. The Provider has no control over these and accepts no responsibility for their content or any collection and/or processing of personal data carried out by them. Such processing activities are not covered by the Provider’s responsibility for personal data processing in connection with the Service.

8. How long do we store your personal data?

We do not store your personal data longer than necessary to fulfil the purposes stated above or as required by law. Thereafter, we delete your data or anonymise it in such a way that it can no longer be linked to you.

As a general rule, we store your personal data for as long as you are a user of the Service, i.e., for as long as we have obligations towards you under our agreement. If you deregister as a user, we may continue to use certain personal data for the purpose of regaining you as a user for six (6) months after your user relationship with us has ended. Thereafter, we delete or anonymise your data so that it can no longer be linked to you. Your posts in the Service will be deleted no later than six months thereafter unless you make another active choice before then.

We may also retain necessary personal data for a longer period in order to establish, exercise, or defend legal claims, or where we are legally required to do so. For example, we retain necessary accounting information in accordance with the Swedish Accounting Act (1999:1078), which entails a retention period of seven (7) years for certain data.

9. How do we protect your personal data?

The Provider and our IT suppliers implement technical and organisational security measures to protect your personal data against, among other things, accidental destruction, loss or alteration, as well as unauthorised disclosure and access.

Under applicable data protection legislation, we are required to ensure that the level of security applied to the Service is appropriate in relation to the risks associated with the processing. This means that we or our IT suppliers, where appropriate, apply among other things:

• physical security in data centres, antivirus protection, firewalls, and access control in accordance with industry standards,
• encryption of personal data,
• solutions to ensure the ongoing confidentiality, integrity, availability, and resilience of our systems,
• procedures and processes for restoring availability and access to personal data within a reasonable timeframe in the event of a physical or technical incident,
• procedures for regularly testing, examining, and evaluating the effectiveness of the technical and organisational measures implemented to ensure secure processing.

10. What rights do you have as a data subject?

As a data subject, you have several statutory rights under applicable data protection legislation:

• Right of access – You have the right to access your personal data, meaning that you have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, access to the personal data (a so-called register extract) and certain additional information about the processing.
• Right to rectification – You have the right to have inaccurate personal data corrected or completed if you believe your personal data is inaccurate or incomplete.
• Right to erasure – You have the right to have your personal data erased if:
  • The data is no longer necessary for the purposes for which it was processed,
  • You withdraw your consent for specific processing, and there is thereafter no legal basis for the Provider to continue processing the data.
  • Your data has been processed unlawfully, or
  • processing is not necessary to comply with legal obligations, establish, exercise, or defend legal claims, and/or permitted archive or research purposes.
• Right to withdraw consent – If you have provided specific consent for certain processing, you always have the right to withdraw your consent. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
• Right to object based on legitimate interest – Where processing is based on legitimate interests, you have the right to object at any time to such processing. We will then conduct a new balancing assessment and will only continue processing despite your objection if we can demonstrate compelling legitimate grounds that override your interests.
• Right to object to direct marketing – You have the right at any time to object to the processing of your personal data for direct marketing purposes. Your personal data will then no longer be processed for such purposes.
• Right to data portability – You have the right to data portability, meaning that under certain circumstances, you have the right to receive personal data concerning you that you have provided to us, to transfer that data to another data controller.
• Right to restriction of processing – You have the right to request that processing of your personal data be restricted if, among other things, you contest the accuracy of the data or object to processing as described above, in both cases during the period in which we investigate and verify your request.
• Right to lodge a complaint with the Swedish Authority for Privacy Protection – You have the right to lodge a complaint with the Swedish Authority for Privacy Protection if you believe that we process your personal data incorrectly or in violation of applicable data protection legislation. 

11. Contact details of the data controller

Cecil Coworking AB, company registration no. 559242-1506
Norrlandsgatan 10
111 43 Stockholm
Sweden

Email: gdpr@hufvudstaden.se