Privacy & GDPR
Last updated: 2026-06-30
Introduction
This Privacy Policy explains how Reinversed AB ("Reinversed", "we", "us") collects and uses personal data when you visit reinversed.com, register for or use the Service, interact with us, or receive communications from us, in our capacity as data controller.
Controller versus processor
When we process personal data for our own business purposes — for example account administration, billing, website analytics, security, support, sales or marketing — Reinversed is the controller.
When we process personal data contained in Customer Data on behalf of a business customer, including data processed by customer-configured Agents or embedded interfaces, we generally act as processor and process that data on the customer's documented instructions under our Data Processing Agreement. This Policy does not govern that processing. Individuals whose data is processed by a customer's Agents or embedded interfaces should refer to the relevant customer's own privacy notice.
Who we are
Reinversed AB, a limited company incorporated in Sweden with registered office in Stockholm, Sweden, is the controller of the personal data described in this Policy. You can contact us about privacy at privacy@reinversed.com.
Personal data we collect as controller
Account and identity data
We may collect name, business email address, organisation, job title, role, account profile details, authentication identifiers and account settings of authorised users and customer administrators.
Billing and commercial data
Where applicable, we may collect billing contact details, organisation address, VAT or tax information, plan details, subscription history, invoice information and payment status. Card payments, if any, are handled by a third-party payment provider. We do not store full card numbers.
Usage, log and technical data
We may collect log and event data, IP address, device and browser information, operating system, approximate location derived from IP address, timestamps, feature usage, diagnostic data, security events, integration metadata, performance metrics and audit logs generated when you use the Service or visit our website.
Support and communications data
We may collect the content of support requests, sales communications, emails, meeting notes, chat messages, feedback and other correspondence you send us.
Marketing data
We may collect your contact details, preferences, event registrations, campaign interactions and opt-in or opt-out status where you sign up for updates, request information or interact with our marketing.
Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies are used only where permitted by applicable law and, where required, based on consent.
Customer Data
Content submitted to or processed through the platform may contain personal data about a customer's users, employees, customers, contacts or other individuals. We generally process that data as processor on behalf of the relevant customer, as explained above and in our Data Processing Agreement.
How and why we use personal data
We use personal data for the following purposes and legal bases under Article 6 GDPR:
- Provide, administer and support the Service and accounts — account creation, authentication, user management, support, service communications. Legal basis: performance of a contract where the individual is party to the contract; otherwise legitimate interests in providing the Service to our business customers.
- Authenticate users and secure the Service — login security, audit logs, abuse prevention, fraud prevention, incident investigation. Legal basis: legitimate interests in security and preventing misuse; compliance with legal obligations where applicable.
- Communicate with you and respond to enquiries — sales communications, support requests, product updates, administrative messages. Legal basis: performance of a contract or legitimate interests in business communications.
- Billing and business administration — invoicing, tax records, accounting, payment follow-up, contract management. Legal basis: performance of a contract; compliance with legal obligations; legitimate interests in business administration.
- Analyse, maintain, improve and develop the Service — usage analytics, diagnostics, performance monitoring, product improvement, de-identified or aggregated analytics. Legal basis: legitimate interests in operating, improving and securing our products.
- Marketing, where permitted — newsletters, event invitations, product updates, B2B marketing. Legal basis: consent where required; otherwise legitimate interests in B2B marketing, with opt-out rights.
- Comply with law and protect rights — legal compliance, regulatory requests, dispute handling, enforcing agreements. Legal basis: compliance with legal obligations; legitimate interests in establishing, exercising or defending legal claims.
Where processing is based on legitimate interests, we balance those interests against the rights and interests of affected individuals.
Product improvement and AI-related processing
We may use Usage Data, feedback, and aggregated or de-identified data to operate, secure, analyse, improve and develop the Service.
Where Customer Content contains personal data and we process it as processor, we use it only in accordance with the customer's documented instructions, the Data Processing Agreement and applicable law. We do not use Customer Content to train or fine-tune third-party foundation models. We do not use Customer Content to train or fine-tune Reinversed models or create reusable evaluation datasets unless the relevant customer has expressly opted in or agreed to such use in writing. This does not prevent us from processing Customer Content where necessary to provide support requested by the customer, investigate security incidents, prevent misuse, comply with law, or provide the Service.
When we act as processor
Where we process personal data within Customer Data on behalf of a business customer, we do so only on that customer's documented instructions and under our Data Processing Agreement. Customers are responsible for providing their own privacy notices to authorised users, end users and other individuals whose personal data they process through the Service, including through embedded interfaces and connected Agents.
Who we share personal data with
We may share personal data with:
- service providers and sub-processors that help us run the Service, such as Google Cloud Platform, Google Vertex AI / Gemini, OpenAI, Anthropic, Stripe, hosting, infrastructure, analytics, payment processing, communications, customer-support tools and security providers;
- providers of customer-enabled integrations where the customer chooses to connect a third-party service;
- professional advisers, such as lawyers, auditors, accountants and insurers;
- public authorities, courts, regulators or other parties where required by law or to protect our rights; and
- a buyer, investor, lender or successor in connection with a merger, acquisition, financing, reorganisation or sale of assets, subject to appropriate confidentiality protections where applicable.
We require providers that process personal data on our behalf to do so under appropriate contractual protections. A current list of sub-processors is available on request and further processor terms are set out in our Data Processing Agreement.
International transfers
We aim to host and process personal data within the EU/EEA where practicable. The Service is hosted on Google Cloud using EU/EEA server regions selected for the relevant Google services where supported. Some services, model providers, support operations, logs, security monitoring, abuse monitoring or integrations may involve processing outside the EU/EEA.
Where personal data is transferred outside the EU/EEA, we rely on an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required by applicable law.
How long we keep personal data
We keep personal data only as long as necessary for the purposes described in this Policy and to meet legal, accounting, tax, security, reporting or dispute-resolution requirements.
Account data is generally retained for the duration of the customer relationship and for a reasonable period afterwards. Support and communications data is retained for as long as needed to manage the relationship and protect our rights. Usage, log and security data is retained for the periods needed for security, troubleshooting, analytics and audit purposes. Statutory records, such as accounting records, are retained for the periods required by Swedish law, generally seven years for accounting information.
We then delete or anonymise personal data unless continued retention is required or permitted by law.
How we protect personal data
We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration or disclosure, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing. Measures may include access controls, encryption, logging, monitoring, backups, vulnerability management, secure development practices, confidentiality obligations and incident-response processes.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Your rights
Subject to applicable law, you may have the right to:
- request access to your personal data;
- request rectification of inaccurate or incomplete data;
- request erasure;
- request restriction of processing;
- object to processing based on legitimate interests or direct marketing;
- request data portability; and
- withdraw consent at any time where processing is based on consent, without affecting prior processing.
To exercise your rights, contact us at privacy@reinversed.com. You can also withdraw cookie consent from Cookie settings at any time.
If your request concerns personal data processed by Reinversed as processor on behalf of a customer, we may refer your request to the relevant customer or act on the customer's instructions.
Complaints
You have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, Sweden, www.imy.se.
Automated decision-making
In administering our website, accounts and business relationship, we do not make decisions that produce legal effects concerning you, or that similarly significantly affect you, based solely on automated processing.
The Service enables business customers to configure and deploy AI agents. Any automated processing carried out by a customer's Agents, including through embedded interfaces or connected sources, is determined and controlled by that customer as controller, unless otherwise expressly agreed.
Children
The Service is intended for business users and is not directed to children. We do not knowingly collect personal data from children as controller.
Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "last updated" date and, where changes are material, take reasonable steps to notify you.
GDPR and Data Processing Agreement
Where Reinversed processes personal data on behalf of business customers, the customer is generally the controller and Reinversed is the processor. That processing is governed by our Data Processing Agreement, which covers processing instructions, security, sub-processors, international transfers, data-subject assistance, breach notice, return and deletion, and audit rights.
Contact us
If you have questions about this Policy or our handling of personal data, contact us at privacy@reinversed.com.