Legal

GDPR

This page describes how Nordedge works practically with GDPR and data protection. It complements our privacy policy and helps data subjects, customers and partners understand roles, rights and processes.

Last updated: 13 May 2026
Responsible party: Nordedge AB, company reg. no. 559414-7026
Contact: andreas@nordedge.io

Short summary

Nordedge is the controller for its own processing and a processor when we process data on behalf of customers.
We process personal data according to the principles of lawfulness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, security and accountability.
You can exercise your GDPR rights by contacting andreas@nordedge.io.
When a customer project involves processing personal data on behalf of the customer, we use data processing agreements and relevant instructions.
We work with supplier review, access control, security routines and incident handling.

1. Roles under the GDPR

When Nordedge is the controller

Nordedge is the controller when we determine the purposes and means of processing, for example for contact forms, quote requests, customer administration, marketing, invoicing and operation of our website.

When Nordedge is the processor

Nordedge is normally the processor when we process personal data in a customer's system, website, CRM, advertising, analytics environment or other project where the customer determines the purposes and instructions.

2. Our data protection principles

We only collect data needed for a clear purpose.
We document lawful basis and purpose for key processing activities.
We limit access to people and suppliers who need the data.
We store data only for as long as there is a business, contractual or legal need.
We use security measures that are proportionate to the risk.
We aim to choose suppliers that provide sufficient data protection guarantees.

3. Data subject rights

Right	What it means	How to use it
Information	You have the right to clear information about how your personal data is processed.	Read our privacy policy or contact us with your question.
Access	You can request a copy of personal data we process about you.	Send a request to andreas@nordedge.io.
Rectification	You can ask for inaccurate or incomplete data to be corrected.	Describe which data is wrong and what it should be changed to.
Erasure	You can ask for deletion when data is no longer needed or when processing lacks a lawful basis.	State which data or processing activity your request concerns.
Restriction	You can ask for processing to be restricted in certain situations.	Explain why you want the processing to be restricted.
Data portability	You can receive data you provided in a structured and machine-readable format when the conditions are met.	State which format or recipient you prefer.
Objection	You can object to processing based on legitimate interest or direct marketing.	Write which processing activity you object to.
Withdrawn consent	You can withdraw consent when processing is based on consent.	Use an unsubscribe link or contact us.

4. How we handle data protection requests

We acknowledge and handle requests without undue delay.
We normally respond within one month after receiving a complete request.
If the request is complex or extensive, the response period may be extended by up to two months under the GDPR.
We may need to verify your identity before disclosing data or carrying out an action.
If we cannot fulfil the request, we explain why, for example if the data must be stored by law or for legal claims.

5. Data processing agreements for customers

When Nordedge processes personal data on behalf of a customer, the processing must be governed by a data processing agreement. The agreement should describe instructions, categories of data subjects, types of data, security measures, subprocessors, incident reporting and what happens when the assignment ends.

The customer is responsible for ensuring that the instructions are lawful and that there is a lawful basis for the processing the customer orders or instructs Nordedge to perform.

6. Suppliers, subprocessors and transfers

We use suppliers for hosting, email, forms, project tools, analytics, security, accounting and communication. When suppliers process personal data on our or customers' behalf, they must have relevant contractual terms and security measures.

For transfers outside the EU/EEA, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses or adequacy decisions.

7. Personal data breaches

A personal data breach is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data.

We have routines to identify, assess, limit and document incidents. If an incident concerns personal data we process as a processor, we inform the customer according to the data processing agreement. If Nordedge is the controller, we assess whether the incident must be reported to IMY and whether data subjects must be informed.

8. Contact and complaints

You have the right to lodge a complaint with the Swedish Authority for Privacy Protection, IMY, if you believe that our processing of personal data violates the GDPR.