Privacy & Data Policy

1. Introduction

This Privacy Policy explains how Permly AB ("Permly," "we," "us"), registered in Sweden, collects, uses, stores, and protects personal data when you interact with our Platform or communicate with us. Our Platform provides digital services for work permit applications, relocation support, and related compliance workflows. We are committed to processing personal data in accordance with the EU General Data Protection Regulation ( GDPR, Regulation (EU) 2016/679) and applicable Swedish legislation, including the Data Protection Act (Lag 2018:218). This Policy applies to all personal data we process, whether structured or unstructured, and reflects our responsibility to handle your information with care, confidentiality, and transparency.

2. Definitions

Unless otherwise stated, the terms below have the meanings assigned to them in Regulation (EU) 2016/679 ("GDPR") and applicable Swedish legislation.

• "Platform": The digital services operated by Permly AB, including but not limited to the public website, web-based dashboards, mobile applications, APIs, electronic forms, document portals and chat interfaces through which the Services are provided.
• "Services": The functionality, workflows, content and support made available via the Platform, including without limitation work-permit and relocation management, compliance monitoring, document generation and storage, communication with authorities, advisory support and related administrative tools.
• "Client": Any natural or legal person that enters into an agreement with Permly AB to access or use the Services (e.g. employers, individual applicants or authorised representatives such as lawyers or consultants).
• "User": Any individual who accesses or interacts with the Platform, whether on behalf of a Client or in their own capacity, including employees of Clients, applicants, representatives, administrators and visitors.
• "Data Subject": An identified or identifiable natural person whose Personal Data are processed, within the meaning of Article 4(1) GDPR.
• "Personal Data": Any information relating to a Data Subject as defined in Article 4(1) GDPR, such as names, contact details, passport numbers, visa and permit data, salary information, employment history, family relations and any supporting documents or metadata submitted via the Platform.
• "Company Data": Non-public operational information relating to a Client's business shared with Permly AB for the purpose of receiving the Services (e.g. organisational structures, internal salary bands and HR policies). Although not Personal Data under the GDPR, Company Data is protected by strict contractual confidentiality obligations.
• "Processing": Any operation or set of operations performed on Personal Data as listed in Article 4(2) GDPR, such as collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure or erasure.
• "Data Controller": The natural or legal person who, alone or jointly with others, determines the purposes and means of Processing Personal Data (typically the Client), as defined in Article 4(7) GDPR.
• "Data Processor": Permly AB when it Processes Personal Data on behalf of a Data Controller under a written data-processing agreement in accordance with Articles 4(8) and 28 GDPR.
• "Sub-Processor": Any third-party service provider engaged by Permly AB to assist in delivering the Services (e.g. cloud-hosting, analytics or communication providers) that Processes Personal Data on behalf of the Data Controller under a written contract compliant with Article 28 GDPR.
• "Supervisory Authority": The competent independent public authority tasked with monitoring the application of the GDPR; in Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
• "Swedish Migration Agency (Migrationsverket)": The government agency that examines residence- and work-permit applications. Permly AB may assist with submissions but has no influence over the Agency's decisions.
• "Applicable Law": All legislation governing the Processing of Personal Data and the provision of the Services, including without limitation the GDPR, the Swedish Data Protection Act (Lag 2018:218), the Archives Act ( Arkivlagen 1990:782), the Public Access to Information and Secrecy Act ( Offentlighets- och sekretesslagen  2009:400) and other relevant EU/EEA regulations.

3. What data do we collect?

We collect and use data to deliver rich, interactive experiences, track software issues and facilitate immigration workflows. One purpose of our Platform is to help you gather information and documents for immigration processes. We also gather information on behalf of Clients and, where applicable, provide that information to the Swedish Migration Agency ( Migrationsverket) to help companies and individuals obtain or maintain permits to stay, work or live in Sweden. This includes:

• Preparing and submitting complete applications to Migrationsverket and other authorities on behalf of Clients, ensuring compliance with Swedish migration law.
• Providing customer care and support, such as answering questions, correcting errors, and assisting with document preparation.
• Improving and developing our Platform and workflows based on aggregated insights and user feedback.
• Carrying out analytics and business follow-up, such as market analysis, service usage statistics, and method development for process optimisation.
• Providing and securing our Platform, including updates, troubleshooting, fraud prevention, and maintaining reliable service availability.
• Personalising the Platform and making tailored recommendations (e.g., relevant permit pathways or guidance based on user input).

For how and on what legal bases we process these data, see Our GDPR Roles, and for the controller/processor split, see Key Processing Activities. Retention periods are described in Section 6 (Data Storage & Retention).

4. How do we collect data?

We collect personal data directly from you when you use our Platform, visit the website, contact customer service or otherwise communicate with us. We may also collect data from public registers (e.g. Swedish Tax Agency for address updates) and via cookies that log how you use our website. Permly AB does not knowingly collect personal data from individuals under 16 without verified parental consent. We use strictly necessary cookies and, with your consent, analytics and performance cookies/SDKs. For details and choices, see Cookies.

For the corresponding lawful bases, see Our GDPR Roles. For retention, see Section 6 (Data Storage & Retention). To exercise your rights, see Your GDPR Rights.

6. Data Storage & Retention

We store and protect personal data in accordance with the EU General Data Protection Regulation (Reg. (EU) 2016/679, "GDPR") and the Swedish Data Protection Act (Lag 2018:218). GDPR's storage-limitation principle (Art. 5(1)(e)) means we keep personal data no longer than necessary for the purposes for which it was collected, unless EU/Swedish law requires a longer period or we must retain a minimal subset to establish, exercise or defend legal claims (Art. 17(3)(b), (e)).

6.2 Security of storage (Art. 32 GDPR)

We implement role-based access control (least privilege) with encryption, continuous logging/monitoring, and EU/EEA-hosted infrastructure in ISO 27001-certified data centres. Where we rely on sub-processors, they operate under written data-processing agreements that meet Art. 28 GDPR (including, where relevant, the EU Standard Contractual Clauses). We conduct DPIAs and vendor risk reviews where required.

6.3 Default retention

Unless a longer period is required by law, contract, or a documented legitimate interest, we delete or irreversibly anonymise immigration case-file data within 12 months of case closure/decision. This implements the storage-limitation principle in Art. 5(1)(e) GDPR and still allows you (or your employer/controller) to retrieve recently closed matters.

6.4 When we keep data longer (and why)

• Book-keeping / tax law (7 financial years): We must retain "räkenskapsinformation" (e.g., invoices, ledgers, voucher backups) for 7 financial years (until the end of the seventh year after the calendar year in which the fiscal year ended), per 7 kap. 2 § Bokföringslagen (1999:1078). This does not require us to keep the full immigration case file.
• Potential or ongoing claims (up to 10 years): The general civil limitation period is 10 years under 2 § Preskriptionslagen (1981:130). If we reasonably need data to establish, exercise or defend legal claims (GDPR Art. 17(3)(e)), we keep only a minimal, relevant subset (a "legal-hold defence packet") for up to 10 years and restrict access strictly.
• Controller instructions: When we act as processor, the controller's written retention schedule in the DPA governs (Art. 28 GDPR). If, for example, an employer requires longer retention for compliance/audit, we follow that written instruction.
• Specific legal obligations: If Union or Member State law (Art. 6(1)(c) GDPR) or a court/authority order mandates retention, we keep only what is necessary for that obligation (Art. 17(3)(b) GDPR).

6.5 Migrationsverket-related material

When we act as your ombud (via fullmakt / Power of Attorney) before Migrationsverket, the authority becomes controller for its own copy of the submitted material. We normally retain our copy for 12 months after decision to evidence transmission and outcome, unless (i) the controller's audit/retention policy requires a longer period, (ii) a legal obligation applies, or (iii) we must retain a minimal subset to defend legal claims.

6.6 The "defence packet" (what we actually keep up to 10 years)

A narrowly scoped bundle that is usually sufficient to defend claims, e.g.:

• Engagement letter / DPA and key email correspondence
• Timestamped submission proof and audit logs (what was sent, when, by whom)
• The final decision/outcome
• Redacted versions of sensitive attachments (only if strictly necessary)

6.7 Access & disclosure

We disclose personal data only where a lawful basis applies (e.g. legal obligation, contract performance, legitimate interest not overridden by your rights, or explicit consent). All personnel with access to personal data are bound by confidentiality undertakings and receive annual privacy and security training.

6.8 Deletion, anonymisation & legal holds

When the retention period expires, we delete or irreversibly anonymise the data. If you exercise your right to erasure (Art. 17 GDPR) and no exception applies, we delete without undue delay and within 30 days. If an exception does apply (e.g. legal obligation or legal claims), we place the data under a restricted legal hold, limit access on a strict need-to-know basis, and notify you of the legal basis and expected duration.

We review our retention schedules and security controls at least annually to ensure continued compliance with data-minimisation and storage-limitation (Art. 5(1)(c) and (e) GDPR).

7. Our GDPR Roles

Depending on context, Permly acts as either a data controller or data processor:

6.3 How we anonymise (short SOP)

• Generalise / bucket quasi-identifiers (e.g. salary, SSYK → 2-digit, employer size → <50 / 50-249 / 250+, dates → month/quarter).
• k-Anonymity: we only publish cohorts with k ≥ 10 and suppress small cells.
• Map free text to a controlled taxonomy to avoid re-identification.
• Delete linkage keys.

Until anonymisation is complete, any raw/pseudonymised data remains fully subject to the GDPR and is processed strictly under the Controller's instructions (Art. 28 GDPR). For details on our processing purposes, lawful bases and roles, see Our GDPR Roles and Key Processing Activities.

7. Our GDPR Roles

The GDPR distinguishes between Data Controllers (who determine the purposes and means of processing) and Data Processors (who process personal data on behalf of a Controller). Permly AB may act in either capacity depending on the specific activity:

8. Sub-processors & Data Transfers

We engage a limited number of trusted sub-processors to deliver our Services. All personal data is processed and stored exclusively within the European Economic Area (EEA). We will provide at least 30 days' prior notice before adding or replacing a sub-processor (GDPR Art. 28(2)).

9. Security Measures

We use industry-standard encryption (in transit & at rest), strict access controls, staff NDAs, and continuous monitoring. If a data breach affects you, we will notify you and/or the relevant controller without undue delay (within 72 hours where feasible).

10. Your GDPR rights

We generally respond to rights requests in less than one month (Art. 12(3) GDPR). For full details on our roles, see Our GDPR Roles.

11. Cookies

We use strictly necessary cookies for the proper functioning of our Platform and analytics cookies (only with your consent) to help us understand usage and improve our services. We do not use advertising or tracking cookies for marketing purposes. You can manage or withdraw your consent at any time via our cookie banner or in your browser settings.

11.1 What are cookies?

Cookies are small text files placed on your device that enable core website functions or help collect information about how our Platform is used. This may include basic technical data (e.g., device type, browser version) or aggregated usage information. Cookies do not give us direct access to your personal files or identify you without additional information.

11.2 How we use cookies

• To maintain secure logins and session integrity.
• To remember language and regional preferences.
• To understand how users navigate our Platform and identify areas for improvement.
• To generate anonymised, aggregated usage statistics.

11.3 Types of cookies we use

• Strictly necessary cookies: Required for basic Platform functionality such as authentication, security, and user preferences. These cannot be disabled.
• Analytics cookies (consent-based): Used to collect anonymised information on how visitors interact with our Platform, helping us improve usability and performance. These are only enabled if you consent via our cookie banner.

11.4 Managing cookies

You can refuse or remove cookies at any time via your browser settings or our cookie banner. Please note that disabling strictly necessary cookies may affect the functionality of the Platform. For detailed instructions, refer to your browser's help section.

12. Marketing

Permly AB may send you information about our products and services that we believe may be relevant to you, as well as updates on our Platform. We only send such communications with your prior consent or where permitted by law (e.g., for existing customers). You may opt out at any time by following the unsubscribe instructions in our emails or by contacting us directly.

We do not sell your personal data to third parties for marketing purposes, and we do not use tracking or advertising cookies.

13. Consent

We process your personal data on the basis of your consent in specific situations (e.g., participating in voluntary surveys, providing special-category data such as dietary preferences for events). You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

We are committed to ensuring your consent is freely given and informed. We do not use dark patterns, and we make it as easy to withdraw or change your preferences as it is to give consent.

14. Privacy policies of other websites

Our Platform may contain links to external websites or third-party services. This Privacy Policy applies only to Permly AB's website and Platform. If you click on a third-party link, you should review their privacy policy to understand how they process your data.

15. Changes to this Privacy Policy

We keep our Privacy Policy under regular review and will post updates on this page. For material changes, we will provide at least 30 days' advance notice via email or in-Platform notifications.

16. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data rights, please contact us at admin@permly.ai.

17. Key Processing Activities

Permly AB may act as either a Data Controller or a Data Processor depending on the context of the processing activity. These roles determine our responsibilities under the General Data Protection Regulation (GDPR). The table below outlines our key processing activities, the roles we assume, and the types of personal data involved.