Integritetspolicy

Privacy Policy for Pythagoras AB

Last Updated: 2026-07-03

At Pythagoras AB ("Pythagoras", "we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect and use personal information about you in the following situations: 

Situation 1: You use the Pythagoras product ("Product") and related services ("Services") as an end-user, because an organisation that has a contract with us has given you access, whether you are part of that organisation or an individual it serves 

Situation 2: You visit our website at www.pythagoras.se (the "Website") 

Situation 3: You maintain (or seek to establish) a business relationship with us, for example as a customer, supplier, or partner contact person 

Situation 4: You correspond or otherwise communicate with us, in any of the situations above or more generally 

Situation 5: You receive marketing from Pythagoras about our products and services.

These situations are not all treated the same way under data protection law, and this Policy is structured accordingly. Please read the section that applies to you. If you have any questions, contact us at DPO@pythagoras.se. 

1. When you use the Pythagoras Product and Services (Situation 1)

When you use the Product as an end-user because an organisation that has contracted with us (the "Customer") has given you access, the Customer is the data controller, and Pythagoras acts as its data processor. 

You do not need to belong to the Customer's own organisation. You may be one of its employees, a business partner, or an individual it serves, for example a tenant, resident, or member of the public whom a municipality, landlord, or other Customer invites to log in to view information relevant to you. Wherever this Policy refers to "your organisation", it means the Customer that gave you access, whether or not you belong to it. 

This means: 

  • As the data controller, your organisation decides what personal data is entered into and managed within the Product (for example, information about properties, tenants, contracts, or other individuals), and is responsible for complying with data protection law towards you and other data subjects. Pythagoras processes that data strictly on our Customer's documented instructions and under established Data Processing Agreement (DPA). This Policy does not describe that data. For questions about this, please contact your organisation. 

 

1.1 Your rights when you use the Product 

For data your organisation manages within the Product, your organisation (the Customer) is the controller and is responsible for handling your data subject rights requests. Requests concerning such data must therefore be directed to your organisation, not to Pythagoras. This division of responsibilities is regulated in the Data Processing Agreement (DPA) between Pythagoras and the Customer. As processor, Pythagoras will support our Customer in responding to such requests, in line with the DPA (Art. 28(3)(e) GDPR). 

Because this data is processed under the Customer's control and instructions, Pythagoras cannot, and will not, correct, delete, or otherwise change data managed by the Customer in the Product in response to a request from you directly. Acting on such a request without the Customer's documented instruction would put us in breach of our contractual and legal obligations as a processor. If you contact us with such a request, we will refer you to your organisation. 

Separately, Pythagoras processes a limited set of personal data about you for its own purposes, described in Section 1.2 below. For that data, Pythagoras is an independent controller, and you can exercise your rights directly with us. See Section 7. 

1.2 Data Pythagoras processes for its own purposes 

When you use the Product, Pythagoras also collects and uses a limited set of personal data about you, for purposes that Pythagoras itself determines. For this specific, limited data set, Pythagoras acts as an independent data controller, separate from the Customer's role as controller of the data it manages in the Product. 

Pythagoras process this data to: 

  • Maintain the Product's performance, security, and availability, protect its integrity, and detect and prevent fraud or misuse of our Services; 
  • Deliver the Product at the service level agreed with our Customer, and provide support to you as an end-user; and 
  • Understand how the Product is used, so that we can improve performance, features, and the overall end-user experience. For this improvement purpose, we work with usage data in aggregated form, meaning statistics at group level where no individual user can be identified. For example: "X% of all logged-in users used the report module last month", "the average session length is X minutes", or "feature X is used most on Tuesdays". No analysis output extracted from the service for this purpose points to an identifiable person. 

We do not sell this data, and we do not use it for marketing purposes. The table below shows what we process and why when you use the Product: 

Category What we collect and process Why we use it Legal basis*
Account and login informationUsername/login ID, name, email, role/permissionsAuthentication and access managementLegitimate interest (f) in delivering and securing the Product under our contract with your organisation; performance of a contract (b) where you act for the contracting Customer
Device and technical informationIP address, browser/device type, login and session timestampsSecurity and technical operation of the ProductLegitimate interest (f); legal obligation (c) for security incident record-keeping
Usage informationFeature usage, log data, click/navigation data, primarily analysed in aggregated or pseudonymised formTroubleshooting, service improvement, delivering the agreed service levelLegitimate interest (f)
Correspondence in Support and helpdesk servicesName, username and organisational relationship.Providing support to you as an end-userLegitimate interest (f); performance of a contract (b) where applicable
Billing/account administrationContract and invoicing details relevant to your organisation's accountAdministering our contract with your organisationPerformance of a contract (b); legitimate interest (f)

*(GDPR Art. 6(1))

Where our legitimate interest is the basis, we have assessed that our interest in a secure, reliable, and continuously improved Product is not outweighed by your rights and freedoms, given the limited nature of the data and the safeguards we apply. You may object to processing based on legitimate interest at any time. See Section 7.
 

2. Where Pythagoras is the sole data controller (Situations 2, 3, 4, and 5)

In every other situation, Pythagoras is the sole data controller: we alone decide why and how your personal information is processed. The table below sets this out for each situation: 

Situation What we collect and process Why we use it Legal basis*
Website visitors (situation 2)Contact information you provide (name, email, company); device and browsing information (IP address, browser/device type, cookies, see Section 4)Operate, secure, and improve the Website; understand how it is usedLegitimate interest (f); consent (a) for non-essential cookies
Business relationship (situation 3)Contact information (name, email, job title, employer); account/contract administration details relevant to the relationship (e.g. as a customer, supplier, or partner contact)Establish, manage, and administer the business relationship, including contracts and invoicingPerformance of a contract (b); legitimate interest (f) where you are a contact person at a counterparty rather than the contracting party itself
Correspondence (situation 4)Contact information; the content of your messages, emails, or other communications with us, and any attachmentsRespond to enquiries, provide support, and keep a record of our communicationsLegitimate interest (f); performance of a contract (b) where the correspondence relates to an existing agreement
Marketing (situation 5)Contact information; your marketing preferences; engagement data (e.g. email opens, event sign-ups)Send you information, invitations, and marketing about our products and servicesConsent (a); or legitimate interest (f) for similar B2B marketing to existing business contacts, where permitted under Swedish marketing law

*(GDPR Art. 6(1))

Where our legitimate interest is the basis (marked "f"), we have considered that this interest is not outweighed by your rights and freedoms. You may object to processing based on legitimate interest at any time. See Section 7. 

For marketing (Situation 5), you can withdraw consent or opt out at any time by using the unsubscribe link in our emails or by contacting us. This does not affect the lawfulness of processing carried out before your withdrawal.

 

3. Who we share information with

We may share personal information with: 

  • Subprocessors and service providers supporting our operation of the Website and Product (e.g. hosting, infrastructure, customer support, and business tools), engaged under written agreements consistent with Art. 28 GDPR. Relevant subprocessors depend on how a specific service is delivered to a given customer; an up-to-date overview is available at our Trust Center: https://trust.pythagoras.se/subprocessors. 
  • Professional advisors, such as auditors, lawyers, and insurers, where necessary. 
  • Public authorities, where required by law or a valid legal request. 
  • A buyer or successor, in the event of a merger, acquisition, or similar transaction. 

 

3.1 International transfers 

We always strive to process personal data within the EU/EEA. 

  • When you use the Product (Situation 1): Personal data is processed and stored within the EU/EEA, this and other instructions are regulated in the Data Processing Agreement with our Customer. Also see the list of possible sub-processors listed at our Trust Center.  
  • In Situations 2-5, where Pythagoras is the Data Controller: Some of the service providers we use (for example, for communication, marketing, and business tools) may process personal data outside the EU/EEA, or are part of corporate groups whose parent company is based outside the EU/EEA. In the latter case, we have taken into account the risk that personal data may be disclosed to countries outside the EU/EEA, for example due to a request from a public authority. Where personal data is transferred outside the EU/EEA, we ensure that a safeguard recognised by the GDPR is in place: 
  • An adequacy decision by the European Commission under Article 45 GDPR, confirming that the destination country ensures a level of protection equivalent to the GDPR, such as the decisions covering the United Kingdom and the United States (the EU-US Data Privacy Framework, for certified recipients); or 
  • The European Commission's Standard Contractual Clauses under Article 46 GDPR, entered into with the recipient, complemented by supplementary technical and organisational measures where needed to ensure that your rights remain protected. 

If you would like more information about which personal data is transferred outside the EU/EEA, to which countries, and the safeguards applied, you can always contact us at DPO@pythagoras.se. 

 

4. Cookies

We use cookies and similar technologies on our Website and, in limited form, within the Product login and portal. 

  • Essential cookies: necessary for security, login, and core functionality. These cannot be switched off. 
  • Analytics cookies: help us understand how the Website is used, so we can improve it. 
  • Marketing cookies: used on the Website only, to personalise content and marketing. We do not use marketing cookies within the Product. 

You can manage cookies through your browser settings or our cookie preference tool. Disabling certain cookies may affect functionality. 

 

5. Data retention

We keep personal information only for as long as necessary for the purposes for which it was collected, to provide the Website or Product, to fulfil our contractual obligations, to carry out legitimate business interests, or as otherwise required or permitted by law. 

 

6. Security

We apply appropriate technical and organisational measures to protect personal information against unauthorised access, loss, or misuse, in line with Art. 32 GDPR. 

 

7. Your rights

Where Pythagoras is the controller, that is, in Situations 2-5 and for the limited data described in Section 1.2, Pythagoras is directly responsible for handling your requests. You have the right to: 

  • Access the personal data we hold about you; 
  • Request correction of inaccurate data; 
  • Request erasure, subject to certain exceptions (for example, we may need to retain security logs to meet our legal obligations and legitimate security interests); 
  • Restrict or object to processing, in certain circumstances, including objecting to processing based on legitimate interest, or to direct marketing, at any time; 
  • Request data portability, the transfer of your data to another organisation or directly to you, under certain conditions; 
  • Withdraw consent at any time, where processing is based on consent; 
  • Lodge a complaint with the Swedish Authority for Privacy Protection (IMY), www.imy.se, or another competent supervisory authority. 

To exercise these rights, contact us at DPO@pythagoras.se. 

For data your organisation manages within the Product, please see Section 1.1. Those requests must be directed to your organisation (the controller), as regulated in the Data Processing Agreement between Pythagoras AB and your organisation. 

 

8. Children's privacy

The Website is directed at business users, and we do not knowingly collect personal data from children under 16 through it. Where a Customer chooses to give individuals under 16 access to the Product, the Customer is, as controller, responsible for ensuring that such processing complies with applicable data protection law. 

 

9. Changes to this policy

We may update this Policy from time to time. The "Last updated" date at the top shows when it was last revised. Material changes will be announced on our Website or, where relevant, within the Product. 

 

10. Contact us

Pythagoras AB
Söder Mälarstrand 27B
118 25 Stockholm
Sweden 

Email: DPO@pythagoras.se