LEGAL · GDPR
Privacy Policy
How Platforma collects, processes, and protects your personal data. We follow the EU General Data Protection Regulation (GDPR) and the UK GDPR, plus the national rules of each Nordic country where our customers operate.
Last updated: 2026-05-19 · Effective: 2026-05-19
This Privacy Policy explains how Platforma ApS ("Platforma", "we", "us", "our") processes personal data when you use our multi-tenant SaaS platform for housing associations. It applies to visitors of our marketing site, residents of housing associations who use a tenant's portal, board members and operators who administer a tenant, and integration partners who consume our API.
1. Data controller
Platforma ApS is the data controller (Art 4(7) GDPR) for the personal data described in this policy. We have appointed a Data Protection Officer (DPO) who is your primary contact for any privacy question or rights request.
- Controller: Platforma ApS, Danmark
- DPO: dpo@platforma.nu
- Privacy questions: privacy@platforma.nu
- Legal / general: legal@platforma.nu
2. Categories of personal data we collect
The data we hold depends on how you use Platforma. Below is a complete inventory grouped by category.
- Account data: Email address, display name, role (SuperAdmin / TenantAdmin / TenantStaff / TenantMember), tenant association, language preference, optional phone number, and timestamps for created / updated / last sign-in.
- Authentication data: Hashed password (ASP.NET Core Identity v3, PBKDF2-SHA256 with 100,000 iterations), optional TOTP secret if you enable two-factor authentication, and optional WebAuthn / FIDO2 public-key credentials. We never store passwords in clear text and cannot recover them.
- Usage and audit data: Server-side audit logs of administrative actions (who did what, when), security-relevant events (failed logins, password changes, role assignments), source IP addresses and user-agent strings for the security audit log, and aggregate analytics if you consented to the Analytics cookie category.
- Content you create: Notices, tasks, news items, calendar activities, CMS pages, messages sent through inbound submission forms, contact-form inquiries, and CRM lead records — including any personal data you choose to put into these fields.
- Cookies and similar technologies: See the Cookie Policy for the complete cookie inventory. Categories: strictly necessary (always on), functional, analytics, and marketing (the last three are opt-in via the cookie banner).
3. Why we process your data and our legal basis
We process personal data only when there is a valid legal basis under Article 6 GDPR. The table below maps each processing purpose to the legal basis we rely on.
| Purpose | Legal basis (Art 6 GDPR) |
|---|---|
| Provide the Platforma service to you (multi-tenant SaaS for housing associations). | Art 6(1)(b) — performance of a contract with you (or with your housing association on your behalf). |
| Authenticate you, manage sessions, and enforce your role-based permissions. | Art 6(1)(b) — performance of contract. |
| Protect the platform from abuse, brute-force attacks, fraud, and unauthorised access (audit logs, rate-limiting, security event capture). | Art 6(1)(f) — legitimate interest in operating a secure service, balanced against your right not to be subject to disproportionate monitoring. |
| Comply with statutory bookkeeping and tax-reporting obligations (invoices, billing history, VAT records). | Art 6(1)(c) — legal obligation (Danish Bogføringsloven §10 / Swedish Bokföringslagen 7 kap §2 / Norwegian Bokføringsloven §13 — 5-year retention). |
| Send you marketing emails about Platforma features, case studies, and product updates. | Art 6(1)(a) — your explicit consent (you opt in via the cookie banner or newsletter sign-up). |
| Aggregate, anonymised analytics so we can improve the product (page views, feature usage, error rates). | Art 6(1)(a) — your explicit consent via the Analytics cookie category. No personal data is sent to third parties. |
| AI Copilot suggestions for content drafting (CMS, notices, emails) when enabled per tenant. | Art 6(1)(b) — performance of contract (AI is a feature of your subscription) plus Art 6(1)(a) — consent at the per-tenant level. AI is opt-in per tenant; no fully automated decisions are made. |
4. Who has access to your data
Your data is yours. We do not sell, rent, or trade personal data to anyone. Access is limited to:
1. You and members of your tenant — your housing association's administrators and staff see the data you create within their tenant (residents see only their own data).
2. Platforma employees — only on a strict need-to-know basis (support tickets, debugging, security incidents). All access is logged in our audit trail.
3. Sub-processors — third-party service providers we use to deliver the platform. Each sub-processor is bound by a Data Processing Agreement (DPA) per GDPR Art 28. See our public sub-processor register for the complete list. The primary sub-processor today is Microsoft Azure (hosting, storage, database — Sweden Central region).
4. Authorities — only where compelled by valid legal process (court order, regulatory request). We log all such disclosures and notify you unless prohibited by law.
5. International data transfers
Your data stays in the EU/EEA. Platforma is hosted on Microsoft Azure in the Sweden Central region. We do not transfer personal data outside the EU/EEA in the normal operation of the platform.
If we ever add a sub-processor outside the EU/EEA (for example, a US-based email-delivery vendor), we will:
1. Update the sub-processor register at least 30 days before activation;
2. Rely on EU Standard Contractual Clauses (SCCs) or an Adequacy Decision as the transfer mechanism;
3. Apply supplementary measures (encryption in transit + at rest, pseudonymisation where possible) per EDPB Recommendation 01/2020.
6. How long we keep your data
We retain personal data only as long as we have a legal basis to do so. Specific retention periods per data category:
| Data category | Retention period |
|---|---|
| Active account data (email, name, role) | While your account is active. Deleted within 30 days of account closure (subject to legal-hold exceptions below). |
| Audit logs and security event logs | 7 years — required for security forensics, GDPR-breach investigation, and tax-record correlation. |
| Invoices, billing records, VAT records | 5 years from end of financial year (DK Bogføringsloven §10 / SE Bokföringslagen 7 kap §2 / NO Bokføringsloven §13). |
| Marketing email subscriptions | Until you withdraw consent. Withdrawal honored within 24 hours via the unsubscribe link in every email. |
| Anonymous analytics events | 13 months maximum. |
| Database backups | 30 days rolling. After this, deleted records are permanently removed from backup snapshots. |
7. Your rights as a data subject
Under GDPR Articles 15-22 you have the following rights. We respond to all rights requests within 1 month (extendable by 2 months for complex requests, per Art 12(3)).
- Article 15 — Right of access — You can request a copy of the personal data we hold about you, plus information about why we process it, who we share it with, and how long we keep it.
- Article 16 — Right to rectification — You can ask us to correct inaccurate or incomplete personal data. Most account fields are self-service editable in your profile page.
- Article 17 — Right to erasure ("right to be forgotten") — You can request deletion of your personal data. We will erase data covered by the right (subject to the legal-hold exceptions in §6 above) and log the erasure for audit purposes.
- Article 18 — Right to restriction of processing — You can ask us to suspend processing while a dispute is resolved (e.g. while we verify accuracy after a rectification request).
- Article 20 — Right to data portability — You can ask for your data in a structured, commonly used, machine-readable format (JSON export) so you can move it to another provider.
- Article 21 — Right to object — You can object to processing based on legitimate interest (Art 6(1)(f)) — including direct marketing, which we will then stop unconditionally.
- Article 22 — Right not to be subject to automated decision-making — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions (see §11 below).
To exercise any right, email dpo@platforma.nu from the address registered with your account, or use the self-service erasure form at /gdpr/request-erasure. We may ask you to verify your identity (especially for erasure or portability) to prevent fraud.
8. Right to withdraw consent
Where we process your data based on consent (marketing emails, analytics cookies, marketing cookies, AI Copilot enablement), you can withdraw consent at any time.
For cookies: open the cookie banner via the "Cookie preferences" link in the footer, click "Customize", and save your updated choices.
For email marketing: click the unsubscribe link in any marketing email.
For AI features: tenant administrators can disable AI Copilot in tenant settings; the AI permission is also revocable per-user.
Withdrawal of consent does not affect the lawfulness of processing done before withdrawal (Art 7(3) GDPR).
9. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority in the EU/EEA member state where you live, work, or where the alleged infringement occurred (Art 77 GDPR). We hope you will contact us first so we can address your concern, but you are not required to.
- Danmark: Datatilsynet · Borgergade 28, 5., 1300 København K · dt@datatilsynet.dk
- Sverige: Integritetsskyddsmyndigheten (IMY) · Box 8114, 104 20 Stockholm · imy@imy.se
- Norge: Datatilsynet · Postboks 458 Sentrum, 0105 Oslo · postkasse@datatilsynet.no
- United Kingdom: Information Commissioner's Office (ICO) · Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Other EU/EEA countries: European Data Protection Board (EDPB) member list
10. Whether providing your data is required
For the core service: providing account data (email, name) is a contractual requirement. Without it we cannot give you access to your tenant's portal. If you refuse, we cannot enter into the contract.
For marketing and analytics: providing data is entirely optional. You can use Platforma without consenting to marketing emails or analytics cookies; service quality is the same.
11. Automated decision-making and AI
Platforma includes an AI Copilot feature that suggests content for your CMS pages, notices, and emails. The Copilot:
1. Is opt-in at the tenant level — disabled by default;
2. Only suggests — a human always reviews and approves before publication;
3. Does not make any decision that produces legal or similarly significant effects (per Art 22 GDPR).
Prompts and responses are logged for compliance and quality assurance. We do not use your data to train third-party AI models. See Data Processing Agreement for the AI sub-processor details.
12. Cookies
Platforma uses cookies to keep you signed in, prevent cross-site request forgery (anti-forgery tokens), remember your language and theme preferences, and — only with your consent — to gather anonymous analytics. The full cookie inventory and per-cookie purpose is documented at /cookie-policy. The cookie banner lets you grant or withdraw consent per category at any time.
13. How we protect your data
We implement appropriate technical and organisational measures per Article 32 GDPR. The current baseline includes:
- All connections use HTTPS with TLS 1.2 or higher. HSTS is enabled with a 2-year max-age and the preload directive.
- Passwords are hashed with ASP.NET Core Identity v3 (PBKDF2-SHA256, 100,000 iterations + per-password salt). We cannot recover them.
- Two-factor authentication is available via TOTP (Authenticator apps) and WebAuthn / FIDO2 hardware keys. SuperAdmin and tenant-admin roles are encouraged to enable it.
- All administrative actions and security-relevant events are written to an append-only audit log retained for 7 years.
- Data is encrypted at rest by Microsoft Azure (Transparent Data Encryption for SQL, Storage Service Encryption for blobs).
- Data breaches are notified to the relevant supervisory authority within 72 hours of detection and to affected data subjects without undue delay where the risk is high (Art 33-34 GDPR).
14. Changes to this policy
We update this policy when our processing practices change or when new legal requirements apply. Material changes (new sub-processors, new processing purposes, expanded retention) are communicated to active customers at least 30 days in advance by email and via an in-product banner. Non-material changes (clarifications, typographical corrections) update the "Last updated" date at the top of this page. We recommend reviewing this policy once a year.
15. Contact
Questions, rights requests, or concerns about how we handle your personal data?
Data Protection Officer: dpo@platforma.nu (primary contact for all privacy matters)
Privacy questions: privacy@platforma.nu
Legal / general: legal@platforma.nu
Postal: Platforma ApS, Danmark (full registered address available on request via legal@platforma.nu)
For supplementary information see our Terms of Service, Cookie Policy, Sub-processor register, and Data Processing Agreement. The technical security baseline is documented in Platforma Trust Center.