Privacy Policy
About Us and Data Controller
Paxaden is operated by Jane Doe Communication AB (org. no. 556663-5321). We are the data controller for processing where we decide the purposes and means, such as accounts, sign-in, operations, security, support, payments, subscriptions, website analytics, and our own communications.
When a Provider uses Paxaden for its own booking page, the Provider is normally the data controller for personal data processed to manage its customers, bookings, services, premises, resources, and own terms. Paxaden then acts as a data processor under our Data Processing Agreement. Contact the relevant Provider if you want information about how that Provider processes personal data in its business.
This policy explains what we process, why we process it, the legal bases, retention periods, sharing, transfers, AI use, and your rights.
Personal Data We Process
We mainly collect data directly from you, from Providers using Paxaden, from our payment, email, SMS, and infrastructure providers, and through cookies or similar technologies.
- Contact data: name, email address, phone number, address, and other contact information.
- Account data: login details, language, role, permissions, stores, resources, preferences, and consents.
- Booking data: booked time, service, resource, Provider, status, history, cancellations, verification status, access codes, and message logs.
- Payment and invoicing data: payment status, amount, currency, receipts, invoice details, Stripe references, and transaction metadata. Card details are handled by Stripe and are not stored on our servers.
- Communication data: support messages, contact forms, feedback, complaints, and email or SMS metadata.
- Technical data: IP address, device and browser information, logs, security events, cookie IDs, analytics data, and interactions with the Service.
- Optional data: information you or a Provider choose to add to booking fields, notes, preferences, or integration flows.
Do not submit sensitive personal data, such as health information, unless it is necessary for the specific booking and the Provider has stated a clear basis for collecting it. If a Provider requests such information, the Provider is normally responsible for that processing.
Purposes, Legal Bases, and Retention
We process personal data only where we have a legal basis under GDPR Article 6 and only for as long as the data is needed for the relevant purpose.
End-Users Booking Without an Account
- Purpose: enable booking, email or SMS verification, booking confirmations, reminders, cancellations, support, and abuse prevention.
- Data: contact data, booking data, communication data, and technical data.
- Legal basis: contract or steps prior to contract, legitimate interests for security and support, and legal obligation where accounting rules apply.
- Retention: for as long as the booking, support need, or Provider instruction requires. Data needed for accounting is retained until the end of the seventh year after the calendar year in which the data was recorded.
End-Users With an Account
- Purpose: create accounts, sign-in, access management, booking history, consent management, support, security, and product improvement.
- Data: account data, contact data, booking data, consents, technical data, and communication data.
- Legal basis: contract, legitimate interests, and consent for processing that requires consent.
- Retention: normally for as long as the account exists and after that for as long as needed for bookings, legal obligations, security, or disputes. Inactive or closed accounts are deleted or anonymised when the data is no longer needed.
Providers and Their Representatives
- Purpose: create and administer Provider accounts, subscriptions, support, invoicing, permissions, operational messages, security, and customer relationship management.
- Data: contact data, company data, role, permissions, billing data, usage data, and communication.
- Legal basis: contract for sole traders, legitimate interests for representatives of organisations, and legal obligation for accounting.
- Retention: during the contractual relationship and normally up to 24 months after it ends for support and customer care. Contract and accounting data is kept as required by law or for as long as claims may be brought.
Website Visitors
- Purpose: display the website, remember language and cookie choices, measure usage, protect against spam and abuse, and, if you consent, measure and personalise marketing.
- Data: technical data, cookie IDs, consent status, and interactions.
- Legal basis: legitimate interests for necessary functions and security, consent for analytics, advertising, and social cookies where consent is required.
- Retention: according to our Cookie Policy and your cookie settings.
Support, Contact Forms, and Complaints
- Purpose: answer questions, troubleshoot, handle complaints, document actions, and improve the Service.
- Data: contact data, communication data, booking references, and technical data.
- Legal basis: legitimate interests, contract where the matter relates to a service you use, and legal obligation where the law requires handling.
- Retention: support matters are normally deleted or anonymised within 24 months after closure, unless needed longer for legal claims or accounting.
Marketing and Consents
- Purpose: send news, offers, or Provider marketing messages where you have consented.
- Data: contact data, consent status, store-specific consents, sending history, and unsubscribe records.
- Legal basis: consent or legitimate interests where existing-customer communication is permitted by law.
- Retention: until you withdraw consent or object. We may retain a suppression or unsubscribe record to ensure you do not receive further messages.
Legal Obligations, Rights, and Disputes
- Purpose: comply with accounting obligations, handle GDPR requests, protect rights, investigate abuse, manage disputes, and carry out a business transfer or reorganisation.
- Data: the data required for the relevant purpose.
- Legal basis: legal obligation and legitimate interests.
- Retention: GDPR requests are normally kept for up to 12 months after handling. Data needed for accounting is kept under accounting law. Data related to disputes is kept for as long as the claim may be brought and then for the period required to defend our rights.
Service-Related Messages
Paxaden may send booking confirmations, verification codes, reminders, change notices, cancellations, receipts, and security messages by email or SMS. These messages are necessary to carry out bookings and provide the Service and do not require separate marketing consent.
Retention and Deletion
- Transactional SMS messages and SMS delivery logs are normally stored for a maximum of 30 days for security, troubleshooting, and audit purposes.
- One-time codes, short-lived verification links, and temporary access tokens are kept only for as long as needed for verification and security.
- Technical security and operational logs are normally stored for a maximum of 12 months, unless a longer period is needed for security investigations, abuse prevention, or legal claims.
- Booking and payment data is kept for as long as needed for the booking, Provider instructions, support, accounting, complaints, or legal claims.
- Ghost profiles and blocked or banned identities are kept only as long as needed to prevent abuse and protect the Service.
When data is no longer needed, we securely delete or anonymise it unless we must retain it by law.
Data Sharing
We do not sell personal data. We share data only where needed for the purposes described in this policy:
- Providers: receive the booking and contact data needed to manage their bookings and services.
- Processors: infrastructure, database, authentication, payments, email, SMS, support, analytics, security, and similar services.
- Payment providers: Stripe and banks/card networks process payment and transaction data according to their roles and terms.
- Analytics, advertising, and social platforms: only where permitted by your cookie choices and applicable law.
- Authorities and legal recipients: where required by law or needed to protect our, users', or third parties' rights.
- Business transactions: advisers, buyers, or new owners in a merger, sale, reorganisation, or similar transaction.
Processors and Vendors We Use
- Supabase – database, hosting, and authentication (Sweden/EU).
- Stripe Payments Europe Ltd. – payments, invoicing, and fraud prevention.
- ProSMS – verification and status SMS messages.
- Email providers, such as Postmark or One.com – transactional email.
- Google – analytics, advertising, tag management, and spam/bot protection when such services are used and require or rely on your consent.
- AI and support providers – only where needed for support, product features, troubleshooting, or security.
Processors may process personal data only on our instructions and are bound by data processing agreements.
Transfers Outside the EU/EEA
We aim to process and store personal data within the EU/EEA. Some vendors or sub-vendors may process data outside the EU/EEA, for example for payments, email delivery, analytics, security, support, or AI features. When this happens, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, the EU-US Data Privacy Framework where applicable, and supplementary technical and organisational measures.
AI Use
Paxaden may use AI-based tools for support, troubleshooting, security, product improvement, and features that help Providers or End-Users use the Service. We limit the personal data sent to such tools and use providers that are not permitted to use our customers' personal data to train their own general models, unless otherwise clearly stated and permitted by law.
Security
We apply technical and organisational measures to protect personal data, including access restrictions, encryption where appropriate, authentication, logging, security reviews, and incident response routines. You are responsible for protecting your login credentials and notifying us of suspected unauthorised use.
Your GDPR Rights
You may contact us to exercise your rights. We normally respond as soon as possible and no later than one month. If the matter is complex or we receive many requests, the period may be extended as allowed by GDPR, and we will inform you.
- Access: know whether we process personal data about you and receive a copy.
- Rectification: have inaccurate or incomplete data corrected.
- Deletion: request deletion when data is no longer needed or another deletion ground applies.
- Restriction: request restricted processing in certain situations, for example while accuracy is being checked.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Data portability: receive data you provided in a structured, commonly used, machine-readable format where processing is based on consent or contract and is automated.
- Withdrawal of consent: withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY), or you may contact your local EU/EEA authority.
To exercise your rights, contact us at info@paxaden.se. If your request concerns a Provider's own processing, we may refer you to that Provider.
Cookies
We use necessary cookies so the website and Service can work. If you consent, we may also use cookies and similar technologies for analytics, advertising, and social features. You can manage your choices in cookie settings. Read more in our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy when our processing, vendors, or legal requirements change. For material changes, we seek to inform affected users through the Service or by email.
Contact
Paxaden Jane Doe Communication AB
Data Controller: Jane Doe Communication AB (org. no. 556663-5321)
Björkvägen 20C, 191 41 Sollentuna, Sweden
Email: info@paxaden.se