Asky - Privacy Notice
This privacy notice (the "Privacy Notice") explains what personal data Asky Labs AB ("Asky") collects when you visit our website or use or enquire about the Asky platform and related services (the "Service"), why we collect it, the legal basis for each use, how long we keep it, and the rights you have.
What this Privacy Notice covers (and what it doesn't)
This notice covers personal data that Asky controls, mainly data about visitors to our website and people who sign up for, use, or contact us about the Service.
It does not cover the data that our business customers share with Asky in connection with the Service about their own users or third parties ("Customer Data"). For Customer Data the customer is the controller and Asky acts only as a processor on the customer's instructions; it is governed by our Data Processing Agreement (the "DPA"), not this Privacy Notice.
Who we are
Asky Labs AB ("Asky", "we", "us"), Org. Nr. 559581-5852, Katarina Västra Kyrkogata 6A, 116 25 Stockholm, Sweden, is the data controller. For any privacy question or to exercise your rights, contact us at [email protected].
What we collect, why, and our legal basis for doing so
We only collect the personal data that we need. Set out below is each use of personal data, with the legal basis for its collection (under Regulation (EU) 2016/679 (GDPR)) and how long we keep personal data.
Account and enquiry data
When you create an account, ask for a demo, or contact us, we collect the details you give us, such as your name, business email, company, and the content of your message. If you sign in with Google, we also receive your name, email address and profile picture from Google. If you join a video call with us (for example, a demo), we may record and transcribe the call. We will tell you before the recording starts.
Why: to set up and manage your account, answer your enquiry, and provide the Service.
Legal basis: performance of a contract with you, or steps taken at your request before entering a contract (Article 6(1)(b) GDPR); and, for general business enquiries, our legitimate interest in responding to you (Article 6(1)(f)).
How long: for as long as you have an account or active enquiry, and then up to 6 months afterwards, unless we must keep it longer by law.
Do you have to provide it? Providing this data is necessary to set up and provide the Service; if you do not provide it, we cannot do so.
Marketing
If you are a customer or business contact, we may send you updates and information about Asky and similar services.
Why: to keep you informed about our Service and related offerings.
Legal basis: our legitimate interest in marketing to business contacts (Article 6(1)(f) GDPR), or your consent where the law requires it (Article 6(1)(a)); electronic marketing also follows the ePrivacy/PECR rules.
How long: until you opt out. You can opt out at any time using the unsubscribe link in any marketing email, or by emailing us at [email protected].
Referral programme
If you take part in our referral programme, we (with our referral provider, Cello) process your name, user ID, referral code and related sign-up and conversion information to attribute and reward referrals.
Why: to run the referral programme and provide rewards.
Legal basis: performance of a contract with you, namely the referral terms (Article 6(1)(b) GDPR), or our legitimate interest in operating the programme (Article 6(1)(f)).
How long: for as long as you take part in the programme, and then up to 6 months afterwards, unless we must keep records longer by law.
Website analytics and session insights
We use analytics and product-insight tools (Google Analytics 4 and PostHog), including heat-mapping and session replay, to understand how our website and the Service are used and to improve it. These tools collect usage and device data such as your IP address, browser and device information, pages viewed, clicks, and how you move through the site.
Why: to measure and improve our website and service.
Legal basis: your consent, given through our cookie banner (Article 6(1)(a) GDPR and the cookie rules). You can withdraw consent at any time through the cookie settings, with no effect on the lawfulness of earlier processing.
How long: analytics data is kept for up to 6 months; session recordings for up to 6 months.
We also use Vercel Web Analytics, a cookieless service that collects only aggregated page and event counts and does not track individuals across sites. Because it uses no cookies or persistent identifiers, we rely on our legitimate interest in understanding site usage (Article 6(1)(f)) and it does not require consent.
Hosting, content delivery and security
We use hosting, database and content-delivery/security providers (Vercel, Supabase, Cloudflare and Upstash) to run our site and the Service, deliver them quickly, and protect them against attacks, and we use Sentry for application error monitoring. This necessarily involves processing technical data such as your IP address, request logs and error reports.
Why: to operate, deliver, secure and debug the website and the Service.
Legal basis: our legitimate interest in running a reliable, secure service (Article 6(1)(f)).
How long: security and system logs are kept for up to 6 months.
Billing and accounting records
If you become a paying customer, we keep invoices and related records.
Why: to comply with our legal accounting obligations.
Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR), in particular the Swedish Bookkeeping Act.
How long: 7 years, as required by Swedish law.
Legal claims, fraud prevention and compliance
Why: to protect our rights, prevent misuse or fraud, and respond to lawful requests from authorities.
Legal basis: our legitimate interest in protecting our business (Article 6(1)(f)), and compliance with a legal obligation where one applies (Article 6(1)(c)).
How long: as long as needed for the relevant claim, investigation or obligation.
Automated decisions
We do not use this personal data to make decisions about you by automated means that produce legal or similarly significant effects.
Cookies and tracking
We use cookies and similar technologies. Strictly necessary ones (for example, those that keep the site secure and working) do not need your consent. Analytics, heat-mapping and session-replay technologies are only used with your consent, which you give or refuse through our cookie banner and can change at any time. For the full list, see our Cookie Policy. We also honour recognised browser-based opt-out signals such as Global Privacy Control (GPC).
Who we share data with
We do not sell your personal data. We share it only with service providers who help us run Asky, each under a contract that requires them to protect it and use it only as we instruct:
- Google Analytics 4 (Google LLC, United States): website analytics.
- PostHog (PostHog, Inc., United States; hosted in PostHog's EU cloud in Frankfurt, Germany): product analytics, heat-mapping and session replay.
- Vercel (Vercel Inc., United States): hosting and backend infrastructure.
- Cloudflare (Cloudflare, Inc., United States): content delivery and security.
- Supabase (Supabase Pte. Ltd, Singapore; data hosted in Stockholm, Sweden): database, authentication and file storage.
- Upstash (Upstash, Inc., United States; hosted in Frankfurt, Germany): caching and API rate limiting.
- Sentry (Functional Software, Inc., United States; EU data residency in Germany): application error monitoring.
- Stripe (Stripe, Inc., United States): payment processing and subscription billing.
- Loops (Astrodon Corporation, United States): marketing and transactional email.
- Resend (Plus Five Five, Inc., United States): transactional email (for example, workspace invitations).
- HubSpot (HubSpot, Inc., United States): customer relationship management.
- Grain (Grain Intelligence, Inc., United States): meeting recording and transcription.
- Cookiebot (Usercentrics A/S, Denmark): cookie-consent management.
- Cello (Cello Technologies GmbH, Germany): our referral programme.
- Notion (Notion Labs, Inc., United States): internal documentation and knowledge-management.
Our everyday internal business tools (for example, our documentation and messaging tools) may also incidentally process your contact details. We may also share data with professional advisers, or with authorities or an acquirer of our business, where we are legally allowed or required to do so. An up-to-date list of providers is available on request.
International transfers
Some of our providers are based outside the EEA and the UK, for example in the United States and Singapore. Where we transfer your data outside the EEA/UK, we rely on an appropriate safeguard under data-protection law: an adequacy decision or the EU-US Data Privacy Framework where the provider is certified, and otherwise the European Commission's Standard Contractual Clauses (with the UK Addendum for UK data). You can ask us for more detail about the safeguard used for a particular transfer.
Your rights
Your rights depend on where you live. The core rights below apply to everyone in the EU/EEA and the UK; additional rights for users in Switzerland, Brazil and the United States are set out after. To exercise any right, email us at [email protected]. We respond within one month (or the period your local law requires); for complex or numerous requests we may extend this by up to two further months and will tell you if we do, free of charge, and we will not treat you any differently for exercising a right.
EU/EEA and United Kingdom (GDPR and UK GDPR)
You have the right to: access the personal data we hold about you; have it corrected; have it deleted; restrict or object to how we use it; receive it in a portable format; and, where we rely on consent, withdraw that consent at any time (without affecting earlier processing). You also have the right to complain to a supervisory authority: in Sweden, the Swedish Authority for Privacy Protection (IMY); in the UK, the Information Commissioner's Office (ICO); or the authority in your own country.
Switzerland (Federal Act on Data Protection)
If you are in Switzerland you have equivalent rights: to access your data, to have it corrected or deleted, to object to or restrict its processing, and to receive it in a portable format. You may also complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Brazil (LGPD)
If you are in Brazil, we process your personal data on a legal basis recognised by the Lei Geral de Proteção de Dados (LGPD) (such as your consent, performance of a contract, compliance with a legal obligation, or our legitimate interests). You have the right to: confirm that we process your data and access it; correct incomplete or inaccurate data; anonymise, block or delete unnecessary data or data not processed in line with the LGPD; obtain portability of your data; be told with whom we share it; delete data processed on the basis of consent; withdraw consent; and complain to the National Data Protection Authority (ANPD). You will not be discriminated against for exercising these rights.
United States
This section applies if you are a resident of a US state with a comprehensive privacy law, currently California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana. Subject to your state's law, you have the right to:
- Know and access the personal information we collect about you and how we use it;
- Correct inaccurate personal information;
- Delete your personal information;
- Obtain a copy of your personal information in a portable format;
- Opt out of any "sale" or "sharing" of your personal information and of its use for targeted advertising or certain profiling; and
- Not be discriminated against for exercising your rights.
We do not sell your personal information for money. However, some analytics cookies may count as a "sale" or "sharing" under these laws; you can opt out through our cookie banner, and we honour the Global Privacy Control (GPC) signal. You can also ask us to limit the use of any sensitive personal information to what is needed to provide the service. If we decline a request, you may appeal by contacting us, and you may use an authorised agent to make a request on your behalf. Residents of some states (for example Minnesota and Maryland) have additional rights regarding profiling and sensitive data; contact us and we will help. California residents may also request the "Shine the Light" disclosure about any sharing for third-party direct marketing.
Children
Asky is a business service and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us personal data, contact us at [email protected] and we will delete it.
Changes to this Privacy Notice
We may update this Privacy Notice from time to time. We will post the new version here with an updated date and, where the change is significant, let you know directly. Where a change affects processing based on your consent, we will ask for fresh consent if the law requires it.
Contact
Asky Labs AB, Katarina Västra Kyrkogata 6A, 116 25 Stockholm, Sweden. Email: [email protected].
Our Cookie Policy is available on our website.