Privacy Policy
Effective Date: May 5, 2026
Cembro AB (“CEMBRO™”, “Company”, “we”, “us” or “our”) is a Swedish limited liability company committed to protecting your privacy and processing your personal data in compliance with the EU General Data Protection Regulation (GDPR) (EU 2016/679), the Swedish Data Protection Act (2018:218), and all other applicable data protection laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our websites (including cembro.com and related domains) or use our services (collectively, the “Services”).
1. Controller
Cembro AB Tomtebogatan 21 SE-113 39 Stockholm Sweden Email: gdpr@cembro.com
We have not appointed a Data Protection Officer as this is not required under Article 37 of the GDPR for our processing activities. However, you may contact us at the email address above with any questions regarding this Privacy Policy or your personal data.
2. Personal Data We Collect
We collect the following categories of personal data:
Data you provide directly:
- First and last name
- Business email address
- Phone number
- Company name
- Job title / job level
- Industry
- Payment and billing information (processed by third-party payment processors)
Data collected automatically:
- IP address, device type, browser type and version, operating system, language settings
- Geographic location derived from IP address
- Usage data and interaction with our websites and Services (via cookies and similar technologies)
Data you upload or submit:
- Any files, documents, or data you choose to upload or connect to the Services (e.g., CSV files or data from third-party applications). You control what data you upload.
We do not intentionally collect special categories of personal data (sensitive data) unless you choose to upload such data.
3. Purposes and Legal Basis for Processing
We process your personal data only where we have a lawful basis under Article 6 of the GDPR:
| Purpose | Legal Basis | Examples |
|---|---|---|
| Providing and managing the Services | Contract (Art. 6(1)(b)) | Account creation, service delivery, support |
| Processing payments and billing | Contract (Art. 6(1)(b)) | Payment details, invoices |
| Customer support and communications | Contract + Legitimate Interests (Art. 6(1)(f)) | Responding to inquiries |
| Improving our Services and user experience | Legitimate Interests (Art. 6(1)(f)) | Analytics, product development |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate Interests (Art. 6(1)(f)) | Newsletters, promotions |
| Complying with legal obligations | Legal Obligation (Art. 6(1)(c)) | Bookkeeping, regulatory compliance |
| Protecting our rights and security | Legitimate Interests (Art. 6(1)(f)) | Fraud prevention, security logs |
We may process anonymized or aggregated data for any purpose, including statistical analysis and product improvement, as such data is no longer personal data under the GDPR.
4. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Contractual data: for the duration of the contract plus up to 3 years thereafter (statute of limitations).
- Accounting and billing records: 7 years in accordance with Swedish accounting law.
- Marketing data: until you withdraw consent or object.
- Uploaded customer data: for the duration of your active account or as specified in your agreement.
When the purpose no longer applies, we will delete or irreversibly anonymize the data.
5. Sharing of Personal Data
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
We may share personal data with:
- Service providers (processors): Such as payment processors, hosting providers, email service providers, and analytics providers. All such processors act on our instructions and are bound by data processing agreements.
- Business partners: Only when you explicitly purchase or express interest in a jointly offered product or service.
- Legal authorities: When required by law, court order, or to protect our legal rights.
- Corporate transactions: In the event of a merger, acquisition, or similar transaction.
International Transfers: Some of our processors are located outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place, primarily EU Standard Contractual Clauses (SCCs) together with supplementary measures as required by the GDPR.
You may request a copy of the relevant safeguards by contacting
gdpr@cembro.com.
6. Your Rights under the GDPR
You have the following rights, which you may exercise free of charge (subject to legal limitations):
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing (including for direct marketing)
- Right to withdraw consent at any time
- Right not to be subject to automated decision-making (we do not engage in such processing with legal or similarly significant effects)
To exercise any of these rights, please email gdpr@cembro.com.
We will respond within one month (extendable where permitted by law).
Deletion requests: Submit your request by email. We will confirm receipt and, upon your confirmation, process the deletion within five (5) working days and notify you once completed.
You also have the right to lodge a complaint with the Swedish Authority for
Privacy Protection (Integritetsskyddsmyndigheten – IMY)
at www.imy.se.
7. Cookies and Tracking Technologies
We use cookies, web beacons, and similar technologies to operate and improve our Services. You can manage your cookie preferences through our cookie banner or your browser settings.
A separate Cookie Policy is available on our website and provides detailed information.
8. Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform you.
9. Children’s Privacy
Our Services are not directed at children under the age of 16. We do not knowingly collect personal data from children.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The revised version will be posted on our website with an updated effective date. Material changes will be notified via email or prominent notice on the website.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Cembro AB, Bankir Zethreaus väg 92, SE-113 39 Stockholm Sweden