Privacy Policy
Last updated: May 2026
1. Data Controller
POISE AB (org.nr 559043-3228), Brunnsgatan 9, 172 68 Sundbyberg, Sweden, is the data controller for personal data processed through this website. Contact: info@poise.se
2. Data We Collect
We collect only the minimum data necessary:
- Contact form: Name, email address, and message content
- Analytics: Anonymised page views with hashed IP addresses (rotated daily). No cookies.
- Server logs: Standard web server logs retained for 30 days
- Client portal: Email and authentication details for portal users
- Email subscriptions: Email address, optional audit domain, topic and watchlist preferences, language, and engagement timestamps. See Section 5 for full detail.
- Free domain security check: The domain you submit (queried via public DNS, HTTPS and email records), cached for 6 hours. No personal data is required to run an audit.
3. How We Use Your Data
- Responding to your enquiries and providing requested services
- Improving our website through aggregated, anonymised analytics
- Maintaining security and preventing abuse
- Fulfilling legal obligations
4. Legal Basis for Processing
- Consent (GDPR Article 6(1)(a)): Contact form submissions; email subscription signups (double opt-in)
- Legitimate interest (Article 6(1)(f)): Analytics, security monitoring, abuse prevention, sender-reputation hygiene for our email service
- Contractual necessity (Article 6(1)(b)): Client portal accounts and service delivery
5. Email Subscriptions
If you sign up at poise.se/subscribe or via the footer signup form, we process the following data with your explicit consent:
5.1 What we store
- Email address — required, used as your unique identifier and the delivery target. Work email only; free webmail (Gmail, Outlook, etc.) and disposable services are rejected by design.
- Audit domain — optional. The domain you'd like us to audit monthly. If not provided and you subscribe to the monthly check-up, we may infer it from the part of your email address after the @ symbol.
- Topic preferences — which of the three topics (monthly domain re-audit, weekly CVE alerts, weekly threat digest) you signed up for.
- Watchlist / source preferences — vendors and products you want CVE alerts for, news sources you want in your digest, and the chosen stories-per-email count.
- Language preference — English or Swedish.
- Engagement metadata — timestamps of signup, confirmation, last email sent and last opened, plus a hard-bounce counter used to suspend deliveries to addresses that consistently fail.
- Activity log — one row per subscription event (signup, confirm, code attempt, unsubscribe, send, bounce). Stored to satisfy GDPR Article 7(1) "demonstrate consent" obligations.
5.2 What we do not store
- Your IP address — only a daily-rotated SHA-256 hash, used for short-window abuse detection. The original IP is never written to our database.
- Open-tracking pixels with personal identifiers — Lettermint (our delivery provider) records aggregate opens for sender-reputation purposes only.
- Click-tracking with cross-site behaviour — links in our emails go directly to their destination (no redirector that profiles you).
- Browser fingerprints, third-party tracking pixels, or advertising identifiers.
5.3 Double opt-in
No subscription is activated without your explicit confirmation. After signup, we email a 6-digit code that expires in 30 minutes. Until you enter that code, no further emails will be sent and your address is automatically purged after 7 days.
5.4 Retention
- Active subscribers: Data retained for the duration of the subscription.
- Unsubscribed users: Email status is preserved (so we don't accidentally resend) but the row is purged after 24 months of inactivity.
- Unconfirmed signups: Auto-purged after 7 days.
- Activity log: Retained for 24 months for compliance and abuse forensics.
- Right to be forgotten: On request, all rows (subscriber + activity log) are permanently deleted within 30 days.
5.5 Sub-processors
To deliver subscription emails, we use:
- Lettermint (EU-based email delivery) — receives your email address and the content of each message for the sole purpose of delivery. Lettermint operates under EU GDPR; their privacy policy is available on their website.
All API services we use (api.poise.net for vulnerability and news data) are operated by POISE AB itself within the EU.
5.6 Unsubscribing
Every email contains an unsubscribe link in the footer, plus a one-click List-Unsubscribe header that mail clients like Gmail and Outlook display as a built-in button. You can also unsubscribe from your subscription management page at any time. Unsubscribing is instant and never asks for a reason.
6. Data Storage
All data is stored within the European Union. We do not transfer personal data outside the EU/EEA. Our hosting infrastructure is located in Sweden and the EU.
7. Data Retention
- Contact form messages: 12 months
- Analytics data: 12 months (aggregated, anonymised)
- Server logs: 30 days
- Client accounts: Duration of service agreement plus 12 months
- Email subscribers: While the subscription is active; unconfirmed signups auto-purged after 7 days. Unsubscribed addresses retained for 24 months unless erasure is requested.
- Subscription activity log: 24 months for compliance and abuse forensics.
- Free-audit cache: 6 hours per domain.
8. Data Sharing
We do not sell, trade, or rent personal data. Data may be shared with:
- EU-based hosting providers (infrastructure only)
- Lettermint (EU-based email delivery, for subscription emails only)
- Swedish authorities when required by law
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (Article 15)
- Rectify inaccurate data (Article 16)
- Erase your data (Article 17)
- Restrict processing (Article 18)
- Data portability (Article 20)
- Object to processing (Article 21)
- Withdraw consent at any time
To exercise these rights, contact info@poise.se. We will respond within 30 days. For subscription-related rights (unsubscribe, change preferences, request a data export covering your subscription), the fastest path is the management link in any of our emails or your settings at poise.se/subscribe.
10. Cookies and Tracking
This website does not use tracking cookies. We use only essential technical storage (theme preference in localStorage). No third-party analytics, advertising, or social media trackers are present. Our subscription emails do not contain tracking pixels that identify you personally; Lettermint reports aggregate open/click rates for sender-reputation purposes only.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest where applicable, and strict access controls. Subscription confirmation codes are stored as bcrypt hashes; we never store plain-text codes. Unsubscribe links use HMAC-signed tokens that cannot be forged or enumerated.
12. Supervisory Authority
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY): www.imy.se
13. Changes to This Policy
We may update this privacy policy. Changes will be posted on this page with an updated revision date. Significant changes will be communicated via email to affected subscribers and portal users.