
Privacy policy

Last updated: 2026-04-21

This policy explains how Annuo (the “service”) processes personal data in accordance with the EU General Data Protection Regulation (GDPR).

1. Data controller

The data controller is: William Vestman Malmi (sole trader), trading as Annuo.
Email: hej@annuo.eu

2. What we process

• **Account data:** email address and hashed password when you register.
• **Content you create:** year wheels, periods, events, organizations and invitations.
• **Technical data:** IP address, browser type and timestamps in logs for security and troubleshooting.
• **Email logs:** recipient, template, status and any error message for transactional emails we send.

3. Purposes and legal basis

We process the data to (a) provide the service under our contract with you (Art. 6(1)(b) GDPR), (b) operate and secure the service based on legitimate interest (Art. 6(1)(f) GDPR), and (c) comply with legal obligations (Art. 6(1)(c) GDPR).

4. Retention

We apply the following automatic deletion (runs nightly):
• **Account data and content:** kept while your account is active. On deletion, personal wheels are removed immediately; organization wheels are transferred to another owner or deleted.
• **Account-deletion requests:** removed 30 days after they are consumed or expire.
• **Consent log:** kept while the account is active as proof under Art. 7 GDPR. IP address and browser information are automatically anonymized after 12 months; the consent record itself (timestamp, version, event type) is retained.
• **Email send log:** at most 90 days.
• **Admin audit log:** at most 24 months.
• **Unsubscribe tokens:** at most 90 days.

5. Recipients and processors

We use the following processors:
• **Lovable Cloud** (database, authentication and hosting) – data is processed within the EU/EEA.
• **Paddle.com Market Ltd** (payment processing and invoicing for Pro/Plus subscriptions) – processes name, email, billing address and payment metadata. Established in the United Kingdom (adequacy decision by the European Commission).
• **Resend** (transactional email delivery).
• **Google Fonts** (fonts are delivered directly to your browser; we build no profile).

We never sell your data and never share it for marketing purposes.

5b. International transfers

Processing primarily takes place inside the EU/EEA. When a processor (e.g. Resend or parts of the Google Fonts CDN) temporarily transfers data outside the EU/EEA, it is done under the European Commission's Standard Contractual Clauses (SCCs) or an equivalent adequacy decision. We minimize the personal data transferred.

6. Cookies and local storage

The service uses only strictly necessary storage in your browser and no tracking or marketing cookies. No consent is required (ePrivacy strictly-necessary exemption). We store:
• **Sign-in token** (localStorage) – keeps you signed in between visits.
• **Language preference** (localStorage, key `arshjul.lang`) – remembers your UI language.
• **Active organization** (localStorage, key `arshjul.org`) – remembers which workspace you're in.
• **Sidebar state** (cookie `sidebar:state`) – remembers if the sidebar is open.

You can clear these any time from your browser settings – this signs you out.

7. Your rights

You have the right to access, rectify or erase your data, and the right to data portability and to object. You can delete your account directly under Settings → Delete account, or contact us at hej@annuo.eu and we'll respond within 30 days.

8. Complaints to a supervisory authority

You may lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, imy@imy.se, www.imy.se, or your local EU data protection authority.

9. Changes

We may update this policy. Material changes are announced by email or in-product at least 30 days in advance.