Privacy Policy
GBBS AB (“GBBS”, “we”, “us”) cares about privacy. This Privacy Policy explains how we collect, use, share, and protect Personal Data when you use our website and the GBBS platform for training, certification, and bed bug risk management (the “Services”).
For the purposes of the GDPR, GBBS acts as:
Controller for Personal Data relating to account administration, billing, and GBBS’s administration of the certification scheme (scheme integrity and certificate verification).
Processor for Personal Data processed on behalf of a Customer in connection with the Customer’s use of the Services for its internal operations. This Processor relationship is governed by the Data Processing Agreement (DPA) incorporated into the Terms & Conditions.
Important note on one user group
The Services are intended for business use. In practice, the individuals whose Personal Data is processed in the Services are the Customer’s staff who use training and certification features (“Authorised Users”). GBBS does not design the Services to process guest Personal Data.
1. Definitions
Customer means the organisation that purchases and uses the Services.
Authorised Users means Customer staff authorised to access the Services.
Personal Data has the meaning given in the GDPR.
Terms means the GBBS Terms & Conditions governing the Services.
DPA means the Data Processing Agreement forming part of the Terms.
2. What Personal Data We Collect
We collect only what is needed to operate the Services and certification.
2.1 Information you provide
Account and billing contacts
Names, work email addresses, phone numbers (if provided), job titles/roles, and billing details such as billing address and VAT number.
Training and certification data for Authorised Users
Name, work email address (or other identifier the Customer uses), role/department (if provided), training assignments, training progress, completion logs, test results (if used), certification status, certificate issuance and renewal events.
Support and communications
Information you provide when you contact us (e.g., emails, tickets, call notes) and any content you choose to include.
Content uploads and free text
If the Customer uploads files or enters free text into the Services, that content may contain Personal Data depending on what the Customer enters.
2.2 Information collected automatically
Usage and security logs
Login timestamps, access logs, actions taken in the platform, device and browser information, IP address, and security events. We use these to operate, secure, troubleshoot, and improve the Services.
3. How We Use Personal Data
We use Personal Data for the following purposes:
3.1 Provide the Services
Create and manage accounts, control access, deliver training, issue and manage certificates, provide platform features, and provide customer support.
3.2 Operate and secure the Services
Authentication, access control, monitoring, fraud prevention, abuse prevention, incident detection and response, backups, and service reliability.
3.3 Certification scheme administration and verification
Maintain scheme integrity, manage certification lifecycle, and verify whether a certificate is valid when a Customer or third party requests verification (where supported by the Services and scheme rules).
3.4 Billing, accounting, and compliance
Process payments, provide invoices, keep tax and accounting records, and comply with applicable legal obligations.
3.5 Improve the Services
Analyse usage and performance to improve features, training content, and reliability.
3.6 Communications
Send service-related communications such as security notices, technical notices, support responses, and changes to the Services or Terms.
Marketing communications
GBBS does not send marketing newsletters by default. If we ever send marketing communications, we will do so only in accordance with applicable law, including ePrivacy rules, and will provide an opt-out or obtain consent where required.
4. Legal Bases for Processing
Where GBBS acts as Controller, we rely on the following legal bases:
Contract (Article 6(1)(b))
To provide the Services, manage accounts, deliver training, and administer billing.
Legal obligation (Article 6(1)(c))
To comply with accounting, tax, and other legal requirements.
Legitimate interests (Article 6(1)(f))
To secure the Services, prevent misuse, maintain scheme integrity, verify certification status, and improve the Services.
Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and freedoms of the individuals whose data we process.
Where GBBS acts as Processor, the Customer (as Controller) determines the lawful basis, and processing is governed by the Terms and the DPA.
5. Sharing and Disclosure
We do not sell Personal Data.
We may share Personal Data with:
5.1 Service providers (sub-processors)
We use trusted providers for hosting, storage, email delivery, monitoring, support tooling, and payment processing. They process Personal Data only under our instructions and are bound by contractual data protection obligations.
A current list of sub-processors is made available via the Services or on request. Contact us using the details in Section 12.
5.2 Legal and protection disclosures
We may disclose information if required by applicable law, court order, or binding request from a regulator, or to protect the rights, security, and integrity of GBBS, Customers, and users.
5.3 Business transfers
If GBBS is involved in a merger, acquisition, reorganisation, or sale of assets, Personal Data may be transferred as part of that transaction, subject to appropriate safeguards.
6. International Transfers
GBBS is based in Sweden and primarily processes Personal Data within the EU/EEA.
If Personal Data is transferred outside the EU/EEA, we will ensure appropriate safeguards are in place under GDPR Chapter V, such as:
An adequacy decision by the European Commission (including, where applicable, the EU–U.S. Data Privacy Framework), or
EU Standard Contractual Clauses (SCCs), supplemented by a transfer impact assessment where required, and
Where applicable, the UK International Data Transfer Addendum and/or Swiss addendum or other compliant mechanism under Swiss law.
7. Data Retention
We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, subject to legal requirements.
7.1 Account and billing data
Retained for the duration of the subscription and thereafter as needed for accounting, dispute resolution, and compliance.
7.2 Training and certification records
Where GBBS acts as Controller (certification scheme administration and scheme integrity), we retain training and certification records as necessary for our legitimate interests in operating the scheme, supporting audits, preventing misuse, and enabling verification of historical certification status.
Where GBBS acts as Processor (Customer-controlled use of the Services), retention follows the Terms and the DPA and the Customer’s instructions, including the post-termination handling described there.
7.3 Support and communications
Support tickets, emails, and related communications are retained for the duration of the subscription and a reasonable period thereafter for quality assurance, dispute resolution, and legal compliance.
7.4 Financial records
Invoices and payment records are retained for 7 years in accordance with Swedish bookkeeping requirements (Bokföringslagen).
8. Security
We implement appropriate technical and organisational measures to protect Personal Data, including encryption in transit (TLS/HTTPS), role-based access controls, logging and monitoring, and regular security reviews.
No system is completely secure. Customers are responsible for managing user access, roles, and credentials for their staff.
9. Your Rights
Where GBBS is the Controller of your Personal Data, you may have the following rights under the GDPR (subject to legal limitations):
Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
Response time
We will respond to verified requests without undue delay and generally within one month. If we need more time, we will inform you and explain why.
Where GBBS acts as Processor, requests should be directed to the Customer (Controller). If we receive a request directly in a Processor context, we will redirect it to the Customer unless we are legally required to respond.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects for individuals.
11. Children
The Services are business-to-business and are not directed at individuals under 18. We do not knowingly collect Personal Data from minors.
12. Cookies and Similar Technologies
We use:
Essential cookies needed for authentication, security, and basic service functionality.
Analytics cookies only if enabled and only to understand platform usage and improve the Services.
If we use analytics cookies, we will implement consent where required under applicable ePrivacy rules. Customers and users can also manage cookies through browser settings. Where we use a consent mechanism, it will be presented in the Services or on the website.
If you want details about specific cookies (name, purpose, duration), contact us using the details below.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide reasonable notice, such as via email to the account administrator and/or notices within the Services.
14. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, contact us:
GBBS AB
Email: privacy@gbbsab.com
Address: Brånängen 10, 683 94 Lakene, Sweden
If you believe we have not handled Personal Data correctly, you may lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).