Privacy Policy.

Last updated: June 18, 2026

1. Introduction

Attuned Solutions AB (“Attuned”, “we”, “us”) wants every website visitor, client and client representative, business partner, consultant and supplier to be confident that we process personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR) and Swedish supplementary law. This policy describes how we handle and protect personal data when we act as a data controller, that is, when we determine the purposes and means of the processing. Where, instead, we process personal data on behalf of a client in the course of an assignment, we act as a data processor; that processing is governed by a separate Data Processing Agreement rather than by this policy.

Visits to our website can be made without you having to provide any personal data or accept cookies with the exception of collecting your IP address, which is categorised as personal data. Knowing your IP address is necessary for our website to communicate with your device and web browser, and secure our IT systems from spam, phishing, harassment, incorrect logins, illegal acts or malicious conduct that compromise the availability, authenticity, integrity and confidentiality of stored or transferred personal data, and the security of related services.

When sending us email, you may provide us with your IP address since some email service providers or email clients include the IP address of the sending computer or mobile device in the email header information.

2. Data controller

Attuned Solutions AB, organisation number 556576-5624, is the data controller of personal data provided to us.

Questions about our processing of personal data may be directed to [email protected].

You are not obliged to provide personal data to us. However, if you do not, we may be unable to accept or perform an assignment.

3. Website

Our website does not use cookies or similar tracking technologies. We do not collect browsing data for analytics, marketing, or profiling purposes.

When you visit our website we collect your IP address, which is categorised as personal data. Your IP address is necessary for the website to communicate with your device and browser, and to protect our systems against spam, phishing, harassment, failed-login abuse and other malicious or unlawful activity that could compromise the availability, integrity or confidentiality of personal data and the security of related services. We also process limited technical information about your device for the same security purpose.

3.1. Categories of personal data we process

• IP address

3.2. Categories of technical data we may process for security

• Device type (computer or mobile device)
• Operating system
• Browser type
• Referral source, e.g., Google or Bing
• Duration of the visit
• Pages or documents viewed
• Name of your internet service provider
• Approximate geographical location

3.3. Legal basis and retention

This data is processed on the basis of our legitimate interest in operating and securing our website. The retention period is one year, following collection of the data.

4. General enquiries through digital contact channels

If you use a contact form, send us an email, or contact us through another digital channel, we use the information you provide to respond to your enquiry. The information may be shared with service providers acting on our behalf, under written terms.

4.1. Categories of personal data we may process

• Name
• Email address
• Telephone number
• Address
• Correspondence

4.2. Legal basis and retention

This data is processed on the basis of steps taken at your request prior to, or in connection with, a possible agreement, and our legitimate interest in responding to enquiries. Enquiry data is retained for one year from the end of any resulting engagement, or from the date of the enquiry where no engagement follows.

5. Online collaboration tools

When we work with you through online collaboration tools such as Microsoft Teams, SharePoint Online and OneDrive, we process the personal data you choose to provide, for example your name, email address and the content of messages and shared documents, together with limited technical information necessary to operate and secure the service. We do not use these tools to profile you or for marketing.

5.1. Categories of personal data we may process

• Name
• Email address
• Telephone number
• Correspondence and shared content
• IP address and limited technical/security metadata

5.2. Legal basis and retention

This data is processed on the basis of our agreement with you and our legitimate interest in operating and securing the collaboration environment. Where we process this data as a controller, the retention period is three years from collection; where we process it on a client’s behalf, retention is governed by the relevant Data Processing Agreement.

6. Clients, business partners and suppliers

When clients and their representatives, business partners, consultants, suppliers or other individuals connected with a client interact with us, or feature in connection with an assignment, personal data is provided to us or obtained by us. We primarily collect personal data directly from the individuals concerned. During an assignment we may also receive information about individuals from the client or other parties, and, where the assignment requires it, such as IT security advisory, operational advisory, incident response, investigation, security review or exposure assessment, we may supplement that data with information from public and private records and sources. Where we obtain such data, we do so only to the extent necessary for the assignment and we apply the safeguards described in section 8.

Where required by applicable data protection law, we provide separate information to individuals whose personal data has not been obtained directly from them, unless an exemption applies.

For certain assignments, additional or more specific privacy information may be provided in the relevant engagement terms, Data Processing Agreement or assignment documentation.

6.1. Categories of personal data we may process

• Name
• Email address
• Telephone number
• Work address
• Role, relationship or connection to the client or assignment, where relevant
• Date of birth and personal identity number, where necessary
• Invoicing information, such as account and tax details
• Correspondence
• IP address and technical/security metadata

6.2. Legal basis and retention for clients

Personal data provided or obtained in connection with an assignment is processed to perform our contract, to administer the assignment, and to comply with legal obligations. Where we act as a controller, the retention period is three years from the end of the engagement, unless a longer period is required by law. Where we act as a processor, retention and deletion are governed by the relevant Data Processing Agreement.

6.3. Legal basis and retention for suppliers and other external parties

Processing of personal data relating to suppliers, their representatives and other external parties is based on our legitimate interest in administering the relationship and performing our contractual obligations. The retention period is three years from the end of the relationship.

6.4. Business development and risk management

We may use personal data for our own market and client analysis, business and methodology development, statistics and risk management, on the basis of our legitimate interest in improving our services. The retention period is three years from the end of the engagement.

7. Securing our IT systems

Personal data such as your IP address and limited technical information about your computer or mobile device, collected by our website, online collaboration tools or email, will be used to secure our IT systems from spam, phishing, harassment, incorrect logins, illegal acts or malicious conduct that compromise the availability, authenticity, integrity and confidentiality of stored or transferred personal data, and the security of related services.

7.1. Categories of personal data we may process

• Device type (computer or mobile device)
• Operating system
• Browser type
• Pages or documents viewed
• IP address
• Name of your internet service provider
• Approximate geographical location
• Errors
• Malicious activity

7.2. Legal basis and retention

This data is processed on the basis of our legitimate interest in securing our IT systems and protecting personal data. The retention period is one year from collection.

Our service providers, such as Microsoft and Cloudflare, may process metadata for security purposes for longer than one year. Their processing is governed by their own privacy notices and applicable data processing terms.

8. How we safeguard personal data

We apply technical and organisational measures appropriate to the nature of the personal data we process, the purposes of the processing, and the risks involved. These measures are kept under review and include, in summary:

• Access controls based on authorised access, need-to-know principles and least privilege
• Strong authentication and appropriate controls for access to systems and data
• Encryption of personal data in transit and at rest, where appropriate
• Centrally managed and protected devices used to access personal data
• Logging and monitoring of access to systems containing personal data
• Regular patching, vulnerability management and security review
• Secure backup and recovery procedures
• Confidentiality obligations and security awareness for personnel
• Due diligence and written data protection terms for relevant suppliers
• Procedures to detect, assess, report and respond to personal data breaches

A fuller description of our technical and organisational measures is set out in the technical measures annex to our Data Processing Agreement and is available to clients on request.

9. Sensitive personal data and personal identification numbers

We do not intentionally collect special categories of personal data, such as data concerning health, biometric or genetic data, or data revealing political opinions, religious beliefs or sexual orientation. Where such data nonetheless arises in the course of an assignment, we process it only to the extent strictly necessary for the assignment, on an appropriate legal basis, and with the safeguards described in section 8.

Personal identity numbers (personnummer) are processed only where clearly justified, for example where strictly necessary for secure identification or to comply with a legal obligation, in accordance with Swedish law.

10. Sharing personal data with third parties

Other than as set out in this policy, we do not knowingly share personal data with any third party except where:

• you have agreed to the sharing;
• it is necessary within the scope of an assignment;
• it is necessary to comply with a legal obligation, a decision of a public authority or a court order; or
• it is otherwise permitted by law.

Where necessary to deliver our services, we engage suppliers acting as processors or, where we act as processor for a client, sub-processors. The categories of supplier we use include:

• financial services, such as banking, payment processing and book-keeping; and
• IT services, such as cloud and security services (for example Microsoft 365, Cloudflare).

A current list of the sub-processors engaged for a given assignment is maintained and made available to the relevant client under the Data Processing Agreement.

11. Transfer to third countries

We seek, where reasonably practicable, to use services and configurations that keep personal data within the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure that such transfers are made in accordance with applicable data protection law, for example on the basis of an adequacy decision by the European Commission, the European Commission’s Standard Contractual Clauses, and, where necessary, supplementary measures. Transfers may also occur within the scope of a specific assignment. An EEA-only data-residency arrangement can be agreed with clients on request.

12. Your rights

You have the right, free of charge, to obtain information about our processing of personal data concerning you and to request access to that data. You may ask us to rectify, erase or restrict the processing of inaccurate or unlawfully processed data, and to object to certain processing. Where the conditions under GDPR are met, you may also have the right to receive certain personal data in a structured, commonly used and machine-readable format. Where processing is based on consent, you may withdraw that consent at any time. You may also object to processing for direct marketing; if you unsubscribe from any communications, the relevant data will be removed.

If you are dissatisfied with our processing of your personal data, you may lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, www.imy.se), or with the supervisory authority where you live or work.

In case of questions about our processing of personal data, you are welcome to contact us at [email protected].