Privacy Policy
1. Introduction
This privacy policy explains how FrontFlow (“FrontFlow”, “we”, “us”, or “our”) collects and uses personal data when you interact with us, visit our websites, or use our services. The specific personal data we process and how we process it depends on how you interact with us and which of our services you or your organization use.
We are committed to protecting your privacy and handling your personal data in a transparent and lawful way. All processing of personal data is carried out in accordance with applicable data protection law, including the EU General Data Protection Regulation (“GDPR”).
In this policy, “personal data” means any information relating to an identified or identifiable natural person. “Processing” covers any operation performed on personal data, such as collection, recording, storage, use, disclosure, and deletion.
This policy covers our processing of personal data in the following main contexts:
- Visitors to our websites and users of our online platforms
- Contacts and representatives of our clients, partners, and suppliers
- Users of our cloud-based services and software solutions
- Attendees of our events, webinars, and promotional activities
- Individuals applying for jobs or expressing interest in employment with us
We may update this policy from time to time. The latest version is always available on our website. When we make material changes, we will inform you through appropriate channels.
2. Data Controller and Contact Details
FrontFlow is responsible for the processing of your personal data described in this policy.
Data controller
FrontFlow AB
Luntmakargatan 26
111 37 Stockholm
Sweden
Contact us
If you have any questions about this policy or our processing of your personal data, or if you wish to exercise your rights (see section 10), you can contact us at:
- Email (general): hello@frontflow.com
- Email (support): support@frontflow.com
Please note that the support email address is primarily intended for technical and service-related questions. For questions specifically related to your personal data and your privacy rights, we recommend using the general contact address stated above.
If we appoint a Data Protection Officer (DPO) in the future, we will add the relevant contact details here.
3. What Personal Data We Process
The personal data we process depends on how you interact with us. Below is an overview of the main categories.
3.1 Website visitors and digital channels
When you visit our websites (for example frontflow.com) or interact with us on digital channels, we may process:
- Basic technical data: IP address, browser type, device information, operating system, time and date of access, and referring URLs.
- Usage data: Pages visited, click paths, time spent, interactions with forms or buttons, and similar analytics information.
- Cookie data: Cookies and similar identifiers (see section 8 regarding cookies).
- Information you provide in forms: Name, email address, company, job title, phone number, and any message you choose to send us (for example when you book a meeting or request a demo).
3.2 Customer, partner, and supplier contacts
If you represent one of our customers, partners, or suppliers, we may process:
- Contact details: Name, email address, phone number, company, role or title.
- Communication data: Emails, meeting notes, and other correspondence.
- Contract-related data: Information relating to the business relationship, such as your role in a project, login credentials to our portals or services, and preferences related to communication or support.
3.3 Users of our services and SaaS solutions
When you use our SaaS solutions (for example for order automation, order confirmations, or other supply chain processes), we process two distinct types of data:
A. User & Account Data (We act as Controller)
To manage your access and secure the platform, we process:
- User account data: Name, email address, username, authentication data, log-in and log-out information.
- Usage data: Actions performed within the service, logs, and audit trails required for security, troubleshooting, and support.
- Configuration data: Preferences, settings, and other information linked to how you or your organization uses the service.
Where possible, we may use aggregated or anonymized user and usage data to maintain, secure, and improve our services, and to develop new features, provided that such data no longer allows individual users to be identified.
B. Business Data (We act as Processor)
Our services process business data (for example order confirmations, order emails, customer lists, and similar documents) on behalf of our customers. In these situations, FrontFlow acts as a data processor, and your employer (our customer) is the data controller responsible for the underlying personal data and the lawful basis for its processing.
Note: This Privacy Policy applies primarily to the data in Category A. If you have questions regarding the business data we process on behalf of your employer (Category B), please contact your employer directly.
3.4 Marketing, events, and newsletters
If you interact with us in a marketing context, we may process:
- Contact details and professional information (name, email, company, role, location).
- Your preferences regarding marketing communications.
- Information about interactions with our marketing materials (such as whether you opened a newsletter or clicked on links).
- Registration and participation data for webinars, events, and campaigns.
You can update your marketing communication preferences or opt out of marketing at any time by following the unsubscribe link in our messages or by contacting us.
3.5 Recruitment and job candidates
If you apply for a job or otherwise express interest in working with us, we may process:
- Identification and contact information: Name, email, phone number, and address.
- Application documents: CV, cover letter, and information on education, work experience, and skills.
- Notes: From interviews and assessments.
- Background information: That you choose to share or that we receive through references with your consent. We may also process certain information from public professional profiles that you have made available yourself, where allowed by law.
4. From Where We Collect Personal Data
We collect personal data from the following sources:
- Directly from you: When you contact us, use our services, participate in meetings or events, fill out forms on our website, or communicate with us.
- From your employer or colleagues: If you are listed as a contact person for a customer, partner, or supplier.
- Automatically: Through cookies and similar technologies when you visit our websites or use our services.
- From public sources: Such as professional networking sites or company registers, where allowed by law.
- From partners and service providers: That help us with marketing, analytics, recruitment, or other business support, in accordance with applicable law.
5. For What Purposes and on What Legal Bases We Process Personal Data
We only process personal data when we have a legal basis under the GDPR. Below are our main purposes and corresponding legal bases.
5.1 To operate and improve our websites and digital channels
Examples of processing:
- Providing access to our websites and ensuring their stability and security.
- Using analytics to understand how our sites are used and to improve content and user experience.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in operating, maintaining, and improving our websites and preventing misuse or security incidents.
- Consent (Article 6.1(a) GDPR): For non-essential cookies and certain tracking technologies, where required by law.
5.2 To handle inquiries, demo requests, and communication
Examples of processing:
- Responding to contact requests, demo bookings, and other inquiries.
- Managing ongoing correspondence with you or your organization.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in communicating with existing and potential customers, partners, and other stakeholders.
- Contract (Article 6.1(b) GDPR): Where communication is necessary to enter into or perform a contract with you personally.
5.3 To provide and support our services
Examples of processing:
- Creating and managing user accounts and authentication.
- Providing access to our SaaS solutions and related features.
- Delivering support, maintenance, and troubleshooting.
- Maintaining logs and audit trails for security and compliance purposes.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in fulfilling our commercial agreement with your employer (our customer) and providing you with secure access to the services they have purchased.
- Contract (Article 6.1(b) GDPR): In the specific case where you have entered into a contract with us directly as an individual (e.g., as a sole trader or freelancer), processing is necessary to perform that agreement.
In connection with the provision of our services, we may also use aggregated or anonymized usage data to monitor performance, maintain security, and improve the functionality of our platform, provided that such data no longer identifies individual users.
5.4 To manage business relationships
Examples of processing:
- Managing relationships with customers, partners, and suppliers.
- Administration related to contracts, invoicing, and project management.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in managing and developing our business relationships and fulfilling agreements with the organizations we cooperate with.
- Legal obligation (Article 6.1(c) GDPR): Where processing is required by bookkeeping or other legal requirements.
5.5 Marketing, events, and newsletters
Examples of processing:
- Sending newsletters, product updates, and invitations to events.
- Conducting campaigns, surveys, and similar marketing activities.
- Segmenting and tailoring communication to make it relevant for you.
We may use third-party platforms and tools to deliver and measure our marketing communications, in which case personal data is only shared in accordance with applicable law and with appropriate safeguards in place.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in marketing our products and services to existing customers and business contacts.
- Consent (Article 6.1(a) GDPR): For certain electronic marketing where required by law, or where you subscribe voluntarily.
You can always opt out of marketing communications by following the unsubscribe instructions in our emails or by contacting us.
5.6 Recruitment and talent management
Examples of processing:
- Handling applications and evaluating candidates.
- Conducting interviews, assessments, and reference checks.
- Communicating with you during the recruitment process.
Legal bases
- Legitimate interests (Article 6.1(f) GDPR): Our legitimate interest in finding and hiring suitable employees or consultants.
- Consent (Article 6.1(a) GDPR): For keeping your application for future opportunities beyond a specific recruitment process, where required.
5.7 To comply with legal obligations and protect our rights
Examples of processing:
- Complying with accounting, tax, and other legal obligations.
- Handling legal claims, disputes, or regulatory inquiries.
- Preventing misuse of our services and protecting security, property, and rights.
Legal bases
- Legal obligation (Article 6.1(c) GDPR)
- Legitimate interests (Article 6.1(f) GDPR)
6. How We Share Personal Data
We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described above:
- Service providers and processors: For example providers of hosting, cloud infrastructure, analytics, CRM systems, email and marketing tools, recruitment platforms, and other IT or business support services. These providers only process personal data on our behalf and according to our instructions.
- Partners and resellers: In some cases, we work with partners who help us sell, implement, or support our solutions. Where appropriate, we may share your contact details and relevant information with such partners, for example, if you request a local contact.
- Professional advisers: Such as legal advisers, auditors, and consultants, when needed to manage our business and meet legal obligations.
- Public authorities: When we are required to do so by law, court order, or regulatory request, or when necessary to protect our legal rights.
- Group companies: If FrontFlow operates through several legal entities, personal data may be shared within the group for internal administration and to deliver services, where permitted by law and where appropriate safeguards are in place.
In all such cases, we only share personal data to the extent necessary for the relevant purpose, and we require the recipients to apply appropriate technical and organizational security measures to protect the data.
We do not sell your personal data.
8. Cookies and Similar Technologies
We use cookies and similar technologies on our websites and in some of our services. Cookies are small text files stored on your device that can be used to remember your preferences, analyze usage patterns, and improve your experience.
We typically use:
- Strictly necessary cookies: Needed for the website to function, for example to remember your cookie settings or to provide security. These do not require consent.
- Analytics and performance cookies: Help us understand how visitors use our site so that we can improve content and navigation.
- Marketing and preference cookies: Used to customize content and measure the effectiveness of marketing campaigns.
Where required by law, we request your consent before setting non-essential cookies. You can change your cookie preferences at any time in your browser settings and, where applicable, through our cookie banner or cookie settings on the website.
9. For How Long We Keep Personal Data
We keep your personal data only for as long as necessary for the purposes for which it was collected, or as long as we are obligated to do so according to law. The retention period depends on the context, for example:
- Website logs and technical data: Kept for a limited period for security and troubleshooting, unless a longer period is needed for investigations.
- Contact information: Data related to customers, partners, and suppliers is kept for the duration of the relationship and for a reasonable time thereafter, for example to handle follow-up questions or potential claims.
- User account data: Kept for as long as the account is active, and for a certain period after deactivation for backup, logging, and legal purposes, in accordance with our agreements.
- Marketing data: Generally kept as long as you remain an active contact or until you opt out.
- Recruitment data: Kept during the recruitment process and, where allowed or based on your consent, for a limited period thereafter for future opportunities.
When personal data is no longer needed, we will seek to delete it or anonymize it in a secure manner, taking into account technical limitations (for example in backup systems) and applicable legal retention requirements.
10. Your Rights
Under the GDPR, you have several rights regarding our processing of your personal data. The extent of these rights can depend on the legal basis for the processing and on the specific circumstances.
- 10.1 Right of access: You have the right to obtain confirmation as to whether we process personal data about you and, if so, receive a copy of your personal data together with certain information about the processing.
- 10.2 Right to rectification: You have the right to have inaccurate or incomplete personal data about you corrected.
- 10.3 Right to erasure (“right to be forgotten”): In certain circumstances, for example when the data is no longer necessary for the purpose, when you withdraw consent (where consent is the legal basis), or when you successfully object to processing, you can request that we delete your personal data.
- 10.4 Right to restriction of processing: In some cases, you have the right to request that we restrict the processing of your personal data, for example while we verify accuracy or assess an objection.
- 10.5 Right to data portability: For personal data you have provided to us and that we process based on your consent or on a contract, and where processing is carried out by automated means, you may request to receive your data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller where technically feasible.
- 10.6 Right to object: You have the right to object, on grounds relating to your particular situation, to processing that we base on our legitimate interests, including profiling based on such interests. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if processing is necessary for legal claims. You also always have the right to object to processing of your personal data for direct marketing, including profiling related to such marketing, in which case we will stop this processing.
- 10.7 Right to withdraw consent: Where the processing is based on your consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.
- 10.8 Right to lodge a complaint: If you are dissatisfied with how we process your personal data, you have the right to lodge a complaint with the competent supervisory authority. In Sweden, this is:
Integritetsskyddsmyndigheten (IMY)
Website: imy.se
We encourage you to contact us first so that we can try to resolve your concerns.
11. How to Exercise Your Rights
To exercise your rights or if you have questions about this policy or our processing of your personal data, you can contact us using the details in section 2.
To help us handle your request, we may need to ask you for additional information to verify your identity and ensure that we do not disclose personal data to the wrong person. We will respond to your request as soon as reasonably possible and within the timeframes required by law.
Please note that these rights are not absolute and may be subject to certain conditions and limitations under the GDPR and other applicable laws. If we are unable to fully accommodate your request, we will explain the reasons to you where we are legally allowed to do so.
12. Children’s Data
Our websites and services are primarily intended for business users and are not directed at children. We do not knowingly collect personal data from children. If you believe we have collected personal data about a child without appropriate consent, please contact us so we can take appropriate steps.
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or technical developments. When we make changes, we will revise the “Last updated” date at the top of the policy.
If we make material changes that significantly affect your rights or the way we process your personal data, we will notify you through appropriate channels, for example by publishing a notice on our website or, when suitable, by contacting you directly.