This Privacy Policy is governed by Swedish law, and references to legal acts refer to Swedish legislation unless otherwise stated.
1.1 This Privacy Policy describes how Herbox AB, corporate registration number 559320-7037, Sven Hultings Plats 5, 412 58 Gothenburg (“Herbox”, “we”, “us”), safeguards the protection of personal data in all our operations.
1.2 The purpose is to ensure that all processing is carried out lawfully, fairly, and transparently in accordance with the GDPR and Swedish legislation, and to build trust among customers, users, and partners through transparency and clarity regarding how we collect, use, store, and protect personal data.
1.3 Herbox works systematically with data protection through risk assessments, internal procedures, technical security measures, and training. We always strive for data minimization and retain personal data only for as long as necessary for each specific purpose.
| Term | Definition |
|---|---|
| Cookie | Small text files stored in the browser to enable functionality, statistics, and marketing. Managed in accordance with Herbox’s separate Cookie Policy. |
| Personal Data | All information that directly or indirectly can identify a natural person, such as name, email address, IP address, or customer number. |
| Processing | Any operation performed on personal data, such as collection, storage, analysis, sharing, or deletion, whether manual or automated. |
| Data Controller | The party that determines the purposes and means of the processing. |
| Data Processor | An external party that processes data on behalf of Herbox under a Data Processing Agreement (DPA). |
| Legal Basis | A legal condition under Article 6 of the GDPR (consent, contract, legal obligation, or legitimate interest). |
| Legitimate Interest | When Herbox has a legitimate business interest, such as customer communication or IT security, that outweighs the privacy interest. For processing based on legitimate interest, Herbox conducts a Legitimate Interest Assessment (LIA), which is documented and updated as necessary. |
| Sensitive Personal Data | Special categories of data (health, ethnicity, political opinions, etc.) are processed only in exceptional cases. Herbox’s services are also not directed at children, and we do not knowingly collect personal data from minors without the consent of a legal guardian. |
| Data Subject (Registered Person) | The individual whose data is being processed (customer, user, employee, supplier, etc.). |
| SCC / DPF | The EU’s Standard Contractual Clauses and the EU-US Data Privacy Framework, both mechanisms for ensuring protection in the context of third-country data transfers. |
Data Protection Officer (DPO)
Herbox AB
Attn: Data Protection Officer
Email: info@herbox.se
Address: Sven Hultings Plats 5, 412 58 Gothenburg
You may also contact us as follows:
| Subject | Contact | Comment |
|---|---|---|
| General Inquiries | info@herbox.se | We acknowledge receipt within 2 business days and normally respond within 30 days. |
| GDPR Request | info@herbox.se | We may require identification (BankID or a copy of an ID). |
| Incident Reporting | info@herbox.se | Feedback within 24 hours. |
| Supervisory Authority | Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm | Further information is available at www.imy.se |
4.1 When visiting our website
| When and Why | Personal Data | Legal Basis | Retention Period |
|---|---|---|---|
| Provide the Website | IP address, technical logs | Legitimate interest (necessary operation) | 2 months |
| Statistics and Analysis (Microsoft Clarity) | IP (truncated), events, cookie ID | Consent (ePrivacy) | 90 days |
| Advertising and Platform Pixels | Hashed email, device/cookie ID | Consent / Legitimate interest (customers) | Up to 24 months |
4.2 When Contacting Existing and Potential Customers
| When and Why | Personal Data | Legal Basis | Retention Period |
|---|---|---|---|
| Customer Relationship and Support | Name, email, agreement, communication | Contract / Legitimate interest | Up to 10 years (accounting 7 years) |
| Marketing to Customers | Contact details, interaction data | Legitimate interest (opt-out) | Until opt-out or 36 months of inactivity |
| Prospect Marketing | Contact details, job title, interactions | Consent (email) / Legitimate interest | 36 months |
4.3 Automation and AI Support
| When and Why | Personal Data | Legal Basis | Retention Period |
|---|---|---|---|
| Automation of Workflows | Minimized fields depending on the Zapier workflow | Legitimate interest | Short-term storage in Zapier |
| AI Drafts for Emails (OpenAI) | Limited email excerpts | Legitimate interest | Processing only, no persistent local storage |
4.4 In Connection with Recruitment, Employment, and HR Administration
| When and Why | Personal Data | Legal Basis | Retention Period |
|---|---|---|---|
| Receipt and Evaluation of Applications | CV, contact details, notes | Legitimate interest (recruitment) + consent for extended retention | 24 months (longer with consent) |
| Reference Checks and Background Verification | Contact details of references, notes from reference conversations, verification of education or employment | Consent (from the candidate before contact) + legitimate interest in ensuring accurate recruitment | 24 months after the completion of the recruitment process (or longer with explicit consent from the candidate) |
| During Employment and HR Administration | Contact details, salary, absence, competence data, and information about next of kin | Processing is carried out to fulfill the employment contract, legal obligations (e.g., tax and labor law), and Herbox’s legitimate interest in administering HR processes. | During employment and thereafter for 2–10 years depending on the type of data (e.g., payroll and accounting data 7 years, agreements up to 10 years, contact details 2 years) |
4.5 When Fulfilling Legal Obligations and Protecting Legal Interests
| Legal Obligation | Examples of Data Involved | Applicable Law / Regulation | Retention Period |
|---|---|---|---|
| Accounting and Bookkeeping | Customer and supplier invoices, payment data, vouchers | Accounting Act (1999:1078) | 7 years after the end of the financial year |
| Limitation of Claims / Disputes | Contract documents, correspondence, payment history | Limitation Act (1981:130) | Up to 10 years |
| Tax and Fee Reporting | Payroll statements, invoices, payments | Tax Procedure Act (2011:1244) | 7 years |
| Legal Claims and Regulatory Matters | Correspondence, investigation materials | GDPR Article 17.3(e) (defence of legal claims) | Until the matter is concluded |
| Employment Documentation | Employment agreements, payroll and pension records | Swedish labour law | 2–10 years depending on the type of document |
Herbox also maintains a record of all processing activities in accordance with Article 30 of the GDPR, which is updated by the DPO.
| Data Processor / Recipient | Category | Personal Data Processed | Role | Specific Safety Measures |
|---|---|---|---|---|
| Upsales, Mailchimp | CRM and marketing | Name, email, communication history, preferences | Data Processor | Encryption, access restriction, DPA |
| Google Workspace | Email and productivity | Name, email, documents, files, metadata | Data Processor | DPF certification, MFA, data minimization |
| Zapier | Automation | Limited data fields for system integration | Data Processor | Encryption during transfer, SCC |
| OpenAI | AI analysis and automated support | Short text excerpts (minimized) | Data Processor | DPF certification, restriction against model training |
| Google Ads, Microsoft Ads, LinkedIn, Microsoft Clarity, etc. | Advertising and analytics | Hashed email, cookie ID, IP address, device data | Independent controllers | Consent management via GTM, DPF/SCC |
| TeamTailor | Recruitment | Name, contact details, CV, interview notes | Data Processor | DPA, data minimization, automatic deletion |
| Accounting firm, auditor, shipping and service partners | Finance and delivery | Name, address, payment details, invoice records | Processors / independent controllers | Non-disclosure agreements, encrypted communication, statutory retention periods |
| Area | Type of Data / Processing | Technical and Organisational Safeguards | Retention Period / Deletion Schedule |
|---|---|---|---|
| Technical Security | System data, access logs, backups | Encryption in transit and at rest, role-based access control, multi-factor authentication (MFA), logging, and regular access reviews | Logs 12 months, backups according to IT policy (max 12 months) |
| Organisational Security | All personal data | Non-disclosure agreements, ongoing training, incident response process, annual review of procedures | Continuously during employment / assignment |
| Incident Management | Data included in incident reports | DPO-supervised process, internal logging, notification to IMY within 72 hours if individuals’ rights are at risk, and information to affected data subjects in accordance with Articles 33–34 GDPR | Documentation retained for 5 years after the case is closed |
| CRM and Customer Data | Correspondence, investigation materials | GDPR Article 17.3(e) (defence of legal claims) | Until the matter is concluded |
| Employment Documentation | Employment agreements, payroll and pension records | Labour law | 2–10 years depending on the type of document |
Herbox primarily processes personal data within the EU/EEA. However, some suppliers use infrastructure or provide support services in the United States. All transfers are carried out in accordance with Chapter V of the GDPR and following a Transfer Impact Assessment (TIA).
| Category / Supplier | Type of Personal Data | Processing Location (Primary) | Transfer Mechanism |
|---|---|---|---|
| Google Workspace | Name, email, documents, metadata | USA (DPF certified) | EU-US Data Privacy Framework (DPF) |
| Microsoft Clarity / Microsoft Ads | IP address (truncated), cookie ID, analytics data | USA (DPF certified) | EU-US Data Privacy Framework (DPF) |
| OpenAI (API/Team) | Short text excerpts (minimized) | USA (DPF certified) | EU-US Data Privacy Framework (DPF) |
| Zapier Inc. | Limited data fields for system integration | USA (not DPF certified) | Standard Contractual Clauses (SCC) + supplementary measures |
| Mailchimp (Intuit Inc.) | Name, email address, interaction data | USA (DPF certified) | EU-US Data Privacy Framework (DPF) |
| Right | Article | Meaning | How to Exercise Your Right |
|---|---|---|---|
| Access | Art. 15 | Obtain a copy of your personal data and information about the processing. | Request via info@herbox.se. |
| Rectification | Art. 16 | Correct inaccurate or incomplete data. | Contact us by email or phone. |
| Erasure (“Right to be Forgotten”) | Art. 17 | Deletion of data when it is no longer needed or when consent is withdrawn. | Email info@herbox.se. |
| Restriction | Art. 18 | Temporarily stop processing in case of a dispute regarding accuracy or lawfulness. | Mark the email “Restriction.” |
| Data Portability | Art. 20 | Receive your data in a structured format or transfer it to another party. | Request export (CSV/JSON). |
| Objection | Art. 21 | Object to processing based on legitimate interest or direct marketing. | Use opt-out links or contact us. |
| Withdraw Consent | Art. 7.3 | Withdraw consent without affecting processing carried out prior to the withdrawal. | Via cookie banner or email. |
| Automated Decisions | Art. 22 | Request a manual review of decisions with legal effects. | Email info@herbox.se. |
9.1 Herbox reviews this Privacy Policy at least once a year or as needed, for example if:
a) New or amended legislation enters into force,
b) The business changes in a way that affects the processing of personal data,
c) New systems, suppliers, or processing activities are introduced, or
d) The Swedish Authority for Privacy Protection (IMY) or EU authorities issue new guidelines or decisions.
9.2 The review is carried out by Herbox’s Data Protection Officer (DPO) in consultation with management and relevant system owners. The DPO is responsible for identifying the need for updates, documenting changes, and ensuring that new versions comply with applicable law and Herbox’s internal information security policy.
9.3 When significant changes are made, we provide notice:
a) Internally to all employees via email and/or the intranet, and
b) Externally to customers, partners, and data subjects via our website (herbox.se) and, where relevant, through direct communication.
9.4 Each new version is assigned a revision date and version designation, and the previous version is archived in accordance with Herbox’s document management procedures.
9.5 The current version is always published on www.herbox.se.
Last updated: 28 October 2025