Privacy Policy

GBBS AB (“GBBS”, “we”, “us”) cares about your privacy. This Privacy Policy explains how we collect, use, and share personal data when you use our website, the GBBS training and risk management platform, and our certification services (collectively, the “Services”).

For the purposes of the General Data Protection Regulation (GDPR), GBBS AB is the Data Controller for the personal data regarding account administrators and billing contacts.

Note: For data regarding your employees or guests that you enter into the GBBS system for risk management purposes, You (the Customer) are the Data Controller and GBBS acts as the Data Processor. That relationship is governed by our Data Processing Agreement (DPA).

1. Information We Collect
We collect information to provide our certification and training services effectively.

1.1 Information You Provide to Us
Account Information: When you sign up, we collect names, work email addresses, phone numbers, and job titles of the Account Administrator and billing contacts.
Trainee Information: To issue certificates, we collect the names and email addresses of Authorised Users (staff) undergoing training.
Payment Information: We collect billing addresses and VAT numbers. Note: We do not store full credit card numbers; these are processed securely by our third-party payment provider.
Support & Communications: Any information you include when you contact our support team.

1.2 Information Collected Automatically
Usage Data: We log how you interact with the platform, including login timestamps, pages visited, and training modules completed.
Device Data: IP address, browser type, and operating system.

2. How We Use Your Data
We process your data for the following purposes based on specific legal grounds:
For Service Provision (creating accounts, granting access to training, and issuing certificates) and Billing (processing payments and sending invoices), we process your data based on the Performance of Contract.
We also rely on our Legitimate Interest to process data for Certification Verification (verifying the validity of a certificate to third parties to maintain trust in our scheme) and for Improvement (analysing usage trends to improve our training modules and platform features).
Finally, for Compliance purposes, such as keeping tax and accounting records as required by Swedish law, we process data based on our Legal Obligation.

3. Sharing and Disclosure
We do not sell your personal data. We only share data in the following circumstances:
Service Providers: We use trusted third-party processors to host our platform (e.g., cloud providers), process payments, and send transactional emails. They are contractually bound to protect your data.
Legal Requirements: We may disclose data if required by Swedish law, a court order, or to protect our rights (e.g., enforcing our Terms & Conditions).
Business Transfers: If GBBS AB is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that deal.

4. International Transfers
GBBS AB is based in Sweden.
Within the EU/EEA: Most of our data processing occurs within the European Union/European Economic Area.
Outside the EU/EEA: If we use service providers (sub-processors) located outside the EU/EEA (e.g., US-based software tools), we ensure safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) or adequacy decisions adopted by the European Commission.

5. Data Retention
We retain your personal data only as long as necessary:
Account Data: Retained for the duration of your Subscription Term plus a grace period (e.g., 12 months) to allow for re-activation or audit.
Training Records: We retain records of completed training and certifications to allow users to prove their certification status historically.
Financial Records: Invoices and payment records are retained for 7 years in accordance with the Swedish Bookkeeping Act (Bokföringslagen).

6. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or alteration. This includes encryption in transit (HTTPS), role-based access controls, and regular security reviews.

7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Access: Request a copy of the data we hold about you.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data (subject to legal retention obligations).
Restriction: Request we restrict processing of your data.
Portability: Receive your data in a structured, commonly used format.
Objection: Object to processing based on legitimate interests.
To exercise these rights, please contact us at the email below.

8. Cookies
Our platform uses essential cookies to keep you logged in and secure. We may also use analytical cookies to understand platform usage. You can manage your cookie preferences through your browser settings.

9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

GBBS AB
Email: privacy@gbbsab.com
Address: Brånängen 10, 683 94 Lakene, Sweden

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY).