Privacy Policy

Last updated: 28 August 2025

Who is responsible?

Morastugan is the data controller for the processing described here. Contact: info@morsatugan.com.

What data we process

• Account and sign-in: name, email address, roles/access, password stored in hashed form.
• Downloads behind login: receipt of who downloaded what and when.
• Email newsletters: name, email, consent and unsubscribe status.
• Technical logs for troubleshooting and security: IP address and browser information.

Purpose and legal basis

• Operating the portal and access control: contract or legitimate interest.
• Security and troubleshooting: legitimate interest (balancing test performed; summary available on request).
• Newsletters: consent, which can be withdrawn at any time.
• Consent under the GDPR (General Data Protection Regulation) is presented only when downloading protected materials.

Cookies

Public pages use no third-party tracking. We only use necessary cookies for signed-in sessions; therefore no cookie banner is shown.

Necessary cookies (examples)

• hpf_session — keeps the user signed in (session; cleared on sign-out/timeout).
• csrf_token — protection against cross-site request forgery (approximately 2 hours).

When logging occurs

Public pages are not logged on an individual level. Consent and individual logging occur only when a user chooses to download protected material after signing in.

Retention

• Account and access history: 12–24 months after last activity or as agreed.
• Download receipts: 12 months, longer if required for compliance.
• Newsletters: until consent is withdrawn.
• Technical logs: 90 days.

We take daily backups and retain them for up to 365 days. Restore is tested at least quarterly.

Recipients and processors

We do not sell personal data. Where needed, we engage processors for operations or email, governed by data processing agreements.

Transfers outside the EU/EEA

No planned transfers outside the EU/EEA. For any remote support outside the EU/EEA, we use the EU Standard Contractual Clauses and minimise data.

Security

Transmission uses TLS (Transport Layer Security). Access control follows a least-privilege principle. Back-end and front-end are separated. Backup and restore are tested regularly.

Your rights

You have the right to request access, rectification, erasure, restriction, data portability and to object to processing. Contact info@morastugan.com. We respond within 30 days.

Complaints can be filed with the Swedish Authority for Privacy Protection (IMY): https://www.imy.se/.

No profiling

We do not use automated decision-making or profiling.

Children

The service is intended for companies, B2B (Business to Business), and not for children. We do not knowingly collect data about persons under 16.

Identity verification

For rights requests we may need to verify your identity using the minimum necessary information.

Incidents

In the event of a personal data incident we assess risk. Where required we notify IMY and inform affected individuals.

Changes

This policy may be updated. Significant changes are communicated in the service.

 

Version 1.1 (2025-08-28)