Privacy Notice
How we process personal data
Version 1.2 · Last updated: 2026-05-26
1. About this document
Stackship AB (“Stackship”, “we”) builds a platform service that helps organizations develop and operate software on their own resources, with full control over their data. The same principles guide how we handle personal data ourselves: we process only what we need, we keep information within the EU/EEA wherever possible, and we deliberately work to minimize dependencies on suppliers outside Europe.
This document describes how we process personal data about visitors to our website, people we engage with in connection with sales and pilot programs, and contact persons at our customers. It covers all processing for which Stackship is the controller.
2. Data controller
Stackship AB, company reg. no. 559546-4669, Projektgatan 6, 781 70 Borlänge, Sweden.
Contact for data protection matters: legal@stackship.se.
Stackship has not appointed a data protection officer. There is no formal requirement to do so for a company of our size and scope. Questions are handled by company management via the contact channel above.
3. Whose data we process
We process personal data about four categories of people:
- Visitors to www.stackship.se.
- Leads and prospect contacts — people we engage with in connection with sales, pilot programs, partner dialogue, or events.
- Portal users and contact persons at self-service customers — people who hold accounts in the customer portal on behalf of a customer organization, as well as the person responsible for billing and contracts.
- Portal users and contact persons at enterprise customers — people who hold accounts in the customer portal on behalf of a customer organization, as well as contractual contacts in the ongoing customer relationship.
We do not process data about our customers' own end users — that is, the users of the applications the customer operates with the help of the Platform. The Platform runs in the customer's own infrastructure, and the data the customer stores in their applications never reaches us.
4. Processing activities
4.1 Website visitors
Data we process: Aggregated and anonymized traffic statistics (e.g. page views, referrer, approximate region, device type). We use Plausible Analytics, which is designed not to collect personal data and which does not use cookies for visitor tracking.
Purpose: Understand how the website is used and improve its content, performance, and search visibility.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)). The interest is in managing and improving the website. Because the processing is anonymized, the privacy impact is minimal.
Retention period: Statistics are stored in aggregated form with no link to individuals and cannot be traced back to specific visitors.
4.2 Leads and prospect contacts
Data we process: Name, email address, phone number, organization, role, notes from the dialogue, and information about the contact source (e.g. event, pilot sign-up, referral, LinkedIn, partner cooperation).
Purpose: Dialogue, follow-up, and providing information about Stackship's services. Planning and administering pilot programs.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)) for business-to-business communication with people in a professional role at organizations that match Stackship's target audience. Where applicable, consent (GDPR Article 6(1)(a)), e.g. when signing up for a pilot or a newsletter.
Retention period: Up to 24 months after the most recent active contact, after which the data is deleted or anonymized. We regularly remove people who are no longer relevant to the dialogue.
4.3 Portal users and contact persons at self-service customers
Data we process: For each natural person who holds an account in the customer portal on the customer's behalf: name, email address, title, organization, organization number, and role-based permissions in the portal. On authentication, technical information such as login time and IP address is logged. Card payment information is handled by our payment provider — Stackship does not store card data ourselves beyond what is needed to identify the registered payment card.
Purpose: Provide the Platform in accordance with the terms of use: access and authentication to the customer portal, contract administration, billing, support, operations and security communications, and invoicing records.
Legal basis: Contract (GDPR Article 6(1)(b)) for processing that is necessary to provide the Platform. Legal obligation (GDPR Article 6(1)(c)) for accounting and tax-related information under the Swedish Bookkeeping Act. Legitimate interest (GDPR Article 6(1)(f)) for operations and security communications, and for keeping access logs to the customer portal for security purposes.
Retention period: Portal accounts are deleted or deactivated without undue delay after the contract ends. Invoicing records and accounting material are retained, however, for seven (7) years after the end of the contract (Bookkeeping Act requirement). Support tickets are deleted twenty-four (24) months after the ticket is closed. Authentication and access logs are purged after twelve (12) months.
4.4 Portal users and contact persons at enterprise customers
Data we process: For each natural person who holds an account in the customer portal on the customer's behalf: name, email address, title, organization, and role-based permissions in the portal. On authentication, technical information such as login time and IP address is logged. In addition, we process data about contractual contacts and other customer contacts (name, title, email address, phone number) and notes from the ongoing customer relationship (Customer Success Management dialogue, meeting notes).
Purpose: Contract administration, access and authentication to the customer portal, ongoing customer relationship (Customer Success Management), support, operations and security communications, and invoice handling.
Legal basis: Contract (GDPR Article 6(1)(b)), legal obligation (GDPR Article 6(1)(c)) for accounting, and legitimate interest (GDPR Article 6(1)(f)) for customer care, access logging, and security communications.
Retention period: Portal accounts are deleted or deactivated without undue delay after the contract ends. Contractual contacts and customer relationship material are retained for the duration of the contract and for ten (10) years after it ends. The longer period is justified by the requirements of the Bookkeeping Act combined with limitation periods for commercial disputes in larger contract relationships. Authentication and access logs are purged after twelve (12) months.
5. Telemetry from the Platform — no personal data
Telemetry is reported from the installation to Stackship only for customers using the Platform as self-service. The purpose is to enable billing for self-service usage and to operate and troubleshoot the Platform. The telemetry is deliberately designed to contain no personal data.
The telemetry contains:
- A technical customer number that identifies the organization (not individuals).
- Counters of the number of Services in use (e.g. number of App Services, Database Servers, Function Namespaces).
The telemetry does not contain compute data, traffic content, IP addresses, user identities, application data, or any other information that can be linked to individuals — either at the customer or at the customer's end users.
Under enterprise contracts, no telemetry is reported to Stackship. Enterprise customers are billed on a license basis, and no ongoing measurement of the installation is required. This also applies to air-gapped installations, where reporting to Stackship is in practice not technically possible either.
This is a deliberate architectural choice. Stackship's business model does not require us to see customer data, and our platform is built so that we do not.
6. When Stackship processes personal data on the customer's behalf
Because the Platform runs in the customer's own infrastructure, Stackship is not normally a processor for the customer in respect of the data processed within the Platform. The customer retains full control over personal data processed through the Platform.
For the portal user accounts that the customer creates for their own employees in Stackship's customer portal, Stackship is the controller (see sections 4.3 and 4.4). This is processing that Stackship is responsible for in its own right, not a processor relationship.
Situations can still arise where Stackship temporarily processes personal data on the customer's behalf — most notably in support cases where the customer shares logs, configuration files, or error descriptions that contain personal data. In those cases Stackship processes the information only to resolve the ticket and deletes the material once the ticket is closed.
If an enterprise customer connects its own identity provider (SSO/OIDC) to the customer portal, or if Stackship for any other reason processes personal data on the customer's behalf, a data processing agreement under GDPR Article 28 is signed as part of the contract package.
7. Recipients and subprocessors
We share personal data with the following suppliers in order to operate our business. All suppliers have been instructed to process the data solely on Stackship's behalf and in accordance with applicable data protection law.
| Supplier | Role | Processing location |
|---|---|---|
| Sekurbit Sverige AB | Hosting of customer portal, CRM, and Stackship Business Suite, plus IT operations and delivery of M365 licenses | Sweden |
| Stripe Payments Europe, Ltd. | Card payment processing for self-service | EU (Ireland) |
| Fortnox AB | Invoicing and accounting system | Sweden |
| Tians Ekonomibyrå AB | Day-to-day bookkeeping and year-end accounts | Sweden |
| Microsoft Ireland Operations Ltd. (M365) | Internal email and document handling (sub-processor via Sekurbit) | EU (Ireland) |
| Plausible Insights OÜ | Aggregated web analytics (stackship.se) | EU (Estonia) |
| CookieYes Limited | Handling of any cookie consent | EU (Ireland) |
An up-to-date list of subprocessors is published on this page. Customers are notified at least thirty (30) days in advance of the addition or replacement of any subprocessor that may process personal data on the customer's behalf.
In addition to the above, personal data may be disclosed to public authorities where we are required to do so by law, and to auditors, lawyers, or other advisors bound by confidentiality.
8. Transfers outside the EU/EEA
Stackship actively works to keep all processing within the EU/EEA.
To the extent transfers to third countries do occur, we ensure their lawfulness through the European Commission's standard contractual clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
9. Your rights under the GDPR
As a data subject you have the following rights in relation to Stackship's processing of your personal data:
- Access: You can request to know which personal data we process about you and to receive a copy of it.
- Rectification: You can ask us to correct inaccurate data or to complete incomplete data.
- Erasure: You can ask us to delete your personal data where we no longer have a legal basis to retain it.
- Restriction: You can ask us to restrict the processing of your personal data for a period, for example while we investigate an objection.
- Objection: You can object to processing based on legitimate interest. For direct marketing, you always have the right to object.
- Data portability: Where we process data on the basis of a contract or your consent and the processing is automated, you can receive your data in a structured format to transfer to another provider.
- Withdrawal of consent: Where we process data on the basis of your consent, you can withdraw your consent at any time for future processing.
You exercise your rights by contacting us at legal@stackship.se. We respond without undue delay and at the latest within one month of receiving the request.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe that we are processing your personal data in breach of applicable data protection law. Contact details for IMY can be found at www.imy.se.
10. Security
Stackship works actively with information security in everything we do. We apply technical and organizational measures appropriate to the risks of our processing, including encryption, access management, logging, security patching, and regular reviews of access rights.
Our suppliers have been selected with their security posture in mind, and we prefer suppliers with strong local roots and transparent security practices. Our ambition is for Stackship's own operations to follow the same security principles that we build into our product.
11. Cookies and tracking on stackship.se
We use Plausible Analytics to understand how our website is used. Plausible is cookie-free and collects no personal data.
If the website uses cookies that require consent, this is handled via CookieYes. We do not use third-party cookies for marketing purposes.
12. Changes to this document
We update this document when our processing changes, when new suppliers are added, or when legislation requires it. The latest version is always published at www.stackship.se/en/privacy. For material changes that affect customers, we provide notice by email and by publication on the website.
13. Contact
For questions or requests regarding the processing of your personal data, contact us:
Stackship AB
Company reg. no.: 559546-4669
Address: Projektgatan 6, 781 70 Borlänge, Sweden
Email: legal@stackship.se