Privacy Policy
Last updated: 17 February 2026
1. Data controller
Ätakollen ("we", "us", "our") is the data controller for the processing of your personal data in connection with our service. The service is provided via the mobile app (iOS and Android), the web app (app.atakollen.se) and our website (atakollen.se).
Contact: support@atakollen.se
2. Data we collect
2.1 Account data
- Name and email address (entered at registration or retrieved from Google/Apple at login).
- Authentication identifiers from Google or Apple if you choose to log in with these services.
2.2 Company information
- Company name, registration number, address and city.
- Company logo (optional).
- Office email address for change order reports.
- Default terms for change order reports (optional).
2.3 Project data
- Project name and address.
- Client name and email address (third-party data that you provide).
2.4 Change order data
- Description, location note and price information.
- Photographs taken with the device camera or selected from the photo library.
- Digital signatures (SVG data and image file) upon approval.
- Name of the person signing.
- Time of signing.
- Client email address (if provided).
2.5 Feedback and bug reports
- Message and type of feedback (bug/feature request).
- Screenshot of the app (if you choose to include one).
- Device information: platform, OS version, app version and language.
2.6 Technical and analytical data
- Usage analytics (Mixpanel) – We track events such as login, project creation, change order reports and navigation in the app. These are linked to your user ID, email address, name, company, role and platform. Data is sent to Mixpanel's EU servers (api-eu.mixpanel.com).
- Error monitoring (Sentry) – When errors occur, we collect error messages, stack traces, user ID and email address for debugging.
- Network data – IP addresses are automatically logged by our infrastructure providers (Cloudflare, Supabase) on API calls.
3. Legal basis for processing
We process your personal data based on the following legal grounds under GDPR Article 6:
| Processing | Legal basis |
|---|---|
| Providing the service (account, projects, change order reports, synchronisation) | Performance of contract (Art. 6.1b) |
| Sending change order reports by email | Performance of contract (Art. 6.1b) |
| Generating and storing PDF reports | Performance of contract (Art. 6.1b) |
| Authentication via Google, Apple or email OTP | Performance of contract (Art. 6.1b) |
| Usage analytics (Mixpanel) | Legitimate interest (Art. 6.1f) – improve the service |
| Error monitoring (Sentry) | Legitimate interest (Art. 6.1f) – ensure stability and debug |
| Handling feedback and bug reports | Legitimate interest (Art. 6.1f) – improve the service |
| Storing and processing client data (third parties) | Legitimate interest (Art. 6.1f) – necessary to manage construction project documentation |
4. How we use your data
We use your personal data to:
- Provide, maintain and improve the service.
- Manage your account and authentication (via Google, Apple or email OTP).
- Synchronise data between your mobile app and web app.
- Generate PDF reports for change orders.
- Send transactional emails (change order reports to clients and offices, team invitations).
- Monitor and debug technical issues.
- Analyse usage patterns to improve the user experience.
- Handle feedback and bug reports.
5. Sharing data with third parties
We never sell your personal data. We share data with the following categories of recipients:
5.1 Sub-processors
These process data on our behalf according to our instructions:
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Cloudflare | API hosting, file storage (R2), web hosting, PDF generation | EU jurisdiction (R2), global CDN |
| Resend | Transactional email delivery | USA (with EU data transfer agreement) |
| Mixpanel | Product analytics | EU (EU Data Residency) |
| Sentry | Error monitoring | EU/USA |
| Expo (EAS) | Mobile app build and distribution infrastructure | USA |
5.2 Login services
If you choose to log in via Google or Apple, authentication data (name and email address) is shared between these services and us via the OAuth protocol. Google and Apple act as independent data controllers for their own services.
5.3 Recipients of change order reports
When you sign and send a change order report by email, the report (as a PDF with images, signatures and price information) is shared with the email addresses you have provided: the client's email address and/or the company's office email address.
5.4 Legal requirements
We may disclose data if required by law, court order or government decision.
6. Transfer of data outside the EU/EEA
Certain data may be transferred to countries outside the EU/EEA, primarily the USA, via the following services:
- Resend (email delivery) – USA. Transfer takes place under the EU–USA Data Privacy Framework or Standard Contractual Clauses (SCC).
- Google/Apple (login) – USA. Subject to each company's transfer mechanisms.
- Sentry (error monitoring) – may process data in the USA. Standard Contractual Clauses apply.
- Expo/EAS (mobile app build) – USA. Handles app binaries, not end-user data.
We ensure that all transfers take place in accordance with GDPR Chapter V, with appropriate safeguards.
7. Storage and security
7.1 Server storage
Your data is stored in a PostgreSQL database at Supabase (EU, Frankfurt). Files such as photographs, signatures and PDF reports are stored in Cloudflare R2 with EU jurisdiction. All communication between your device and our servers is encrypted with TLS.
7.2 Local storage on your device
The mobile app stores data locally for offline access:
- Project, change order and company data in a local SQLite database.
- Authentication tokens in the device's secure storage (iOS Keychain / Android Keystore).
- Photographs and signatures as local files.
- Settings (language, tutorial status) in AsyncStorage.
This data is synchronised with our servers when you have an internet connection. Upon logout, local data is deleted from the device.
The web app stores authentication tokens and language settings in the browser's localStorage.
7.3 Security measures
- TLS encryption for all data transfers.
- Authentication tokens stored encrypted on mobile devices.
- Role-based access control (owner, administrator, worker, subcontractor).
- One-time invitation links with time limits for team members.
- Sensitive data (e.g. tokens) is scrubbed from error reports before being sent to Sentry.
8. Retention periods
| Data | Retention period |
|---|---|
| Account data | As long as the account is active. Deleted upon account deletion. |
| Project and change order data | As long as the company account is active. Can be archived and deleted by the user. |
| PDF reports and images | As long as the associated change order report exists. Note that construction documentation may need to be retained longer according to industry practice. |
| Feedback and bug reports | Up to 12 months. |
| Analytics data (Mixpanel) | According to Mixpanel's data retention policy, see mixpanel.com. |
| Error data (Sentry) | 90 days (Sentry's default). |
| Email tracking | Delivery status stored for 12 months. |
9. Device permissions (mobile app)
The mobile app may request access to the following features on your device:
- Camera – to take photographs for change order reports.
- Photo library – to select existing images for change order reports.
- Internet – to synchronise data and send emails.
You can revoke these permissions at any time via the device settings. Without camera access you can still create change order reports, but without photographs.
10. Cookies and tracking
10.1 Cookies
The web app uses necessary cookies and localStorage for authentication and session management. We do not use advertising cookies or third-party marketing cookies.
10.2 Product analytics (Mixpanel)
We use Mixpanel to understand how the service is used. Mixpanel receives your user ID, email address, name, company, role and platform, as well as event data (e.g. "Project created", "Change order signed"). Data is stored on Mixpanel's EU servers.
Mixpanel stores data in the browser's localStorage in the web app and via the Mixpanel SDK in the mobile app. You can request that we disable Mixpanel tracking for your account by contacting us.
10.3 Error monitoring (Sentry)
We use Sentry to track and fix technical errors. When an error occurs, Sentry collects error messages, device type, app version, user ID and email address.
11. Third-party personal data
When you create projects and change order reports you may enter personal data about third parties, such as the client's name and email address. You are responsible for having the right to register this data and for informing the client about the processing. We process this data as data controller based on legitimate interest (documentation of construction projects).
12. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) – to know what personal data we process about you.
- Right to rectification (Art. 16) – to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) – to request that we delete your data ("the right to be forgotten").
- Right to restriction (Art. 18) – to request that we restrict the processing of your data.
- Right to data portability (Art. 20) – to receive your data in a machine-readable format.
- Right to object (Art. 21) – to object to processing based on legitimate interest, e.g. product analytics and error monitoring.
Contact us at support@atakollen.se to exercise your rights. We will respond to your request within 30 days.
Right to lodge a complaint: If you believe that we are processing your personal data incorrectly you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, imy@imy.se.
13. Children
Ätakollen is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you as a guardian discover that a child has registered an account, contact us and we will delete the data.
14. Changes to the policy
We may update this privacy policy. For material changes we will notify you by email or in the app at least 30 days in advance. The latest version is always available at atakollen.se/en/privacy. Continued use of the service after changes means you accept the updated policy.
15. Contact
Have questions about how we handle your personal data or want to exercise your rights? Contact us:
Email: support@atakollen.se