Version 1.1 · Effective from May 28, 2026
Privacy Policy
We treat your data with care. This policy describes what we collect, why, and what you can do about it.
1. Data controller
BuddyPro AB
Org. number: 559516-1844
VAT number: SE559516184401
Karlavägen 41, 114 31 Stockholm, Sweden
Email: [email protected]
For questions about personal data or data protection: [email protected].
2. Which services this policy covers
- buddypro.io — our marketing site
- BuddyPro Admin (admin.buddypro.io) — business administration for RUT and ROT companies
- BuddyPro Workforce — field app for employees of our company customers (iOS, Android, web)
- BuddyPro Customer Portal (connect.buddypro.io) — customer portal where end customers of our company customers can see their booked jobs
- Fixat — marketplace for household services
Admin, Workforce, and Customer Portal share the same backend and authentication. Fixat has its own database and authentication, and is covered by a separate policy: /product/fixat/privacy-policy.
3. What data we process
buddypro.io
- Contact form: name, email, and the message you send
- Newsletter signups: email and consent
- Cookie-based analytics after consent (see Cookie Policy)
- IP address and browser information for security and operations
BuddyPro Admin
- Company information: organization, finance, subscription data
- Personnel records: employees' contact and payroll details
- Customer information: the company's own customers (name, address, personal ID number for RUT/ROT)
- Work orders, schedules, invoices, expenses, mileage logs
- Support cases
BuddyPro Workforce
Workforce is the field app your employer gives you access to. If you are an employed Buddy, your data is processed by both BuddyPro and your employer. BuddyPro is responsible for the platform. The employer is responsible for employment-related data and decides which features are enabled.
Account and profile:
- First and last name, email, phone
- Employee ID, department, role
- Profile picture
- Scheduling preferences
Employment and payroll (when enabled):
- Personal ID number for tax and payroll
- Bank details for salary payment
- Tax information and benefit choices
- Next of kin
Work data:
- Assigned jobs, instructions, status, and notes
- Time tracking — start, end, breaks, total time, overtime, absence requests
- GPS position at job start and end, geofencing confirmation at the workplace, travel time (to the extent enabled by your employer)
- Performance metrics — execution time, completion rate, schedule adherence
- Photo and file uploads tied to jobs
- Chat and work communication
Technical data:
- Device type, operating system, app version
- Error logs and diagnostics
- Session length and usage patterns
BuddyPro Customer Portal
- End customer contact details (name, email, phone, address)
- Booked jobs and job history
- Communication with service providers
- Login credentials
Fixat
Fixat is covered by a separate policy. See /product/fixat/privacy-policy.
4. Legal basis
We process data based on:
- Contract — to deliver what you've ordered (account, subscription, job). Covers account management, job assignment, time reporting, and payroll calculation, among others.
- Legal obligation — bookkeeping law, tax legislation around RUT/ROT, employment law
- Legitimate interest — for security, operations, performance monitoring, platform development, and fraud prevention, where it doesn't override your rights
- Consent — for marketing, optional analytics, and certain optional features. Can be withdrawn at any time.
5. Roles — who is responsible for what
For Workforce, both BuddyPro and your employer have responsibilities:
- BuddyPro AB is the data controller for the platform — operations, security, account management, technical data.
- Your employer is the data controller for employment-related data — who is employed, which jobs you're assigned, pay, performance, schedule.
We have data processing agreements with the employer under Article 28 GDPR. Your employer should have its own privacy policy describing how it handles your employment data. Ask for it if you haven't seen it.
For Admin, our company customer is the data controller for its own customers' data, and BuddyPro acts as a data processor for the company.
Company customers who use BuddyPro Admin act as data controllers for their own customers' and employees' data. BuddyPro acts as a data processor for that data. This relationship is governed by our Data Processing Agreement.
6. Processors and who we share with
We use the following providers that process data on our behalf. The list can change — the updated version is always on this page.
| Provider | Use | Services |
|---|---|---|
| AWS (Amazon Web Services) | Backend operations and data storage: application hosting (EKS), databases (RDS MySQL & PostgreSQL), cache (ElastiCache/Redis), file storage (S3), frontend hosting (Amplify), message queuing (Amazon MQ/RabbitMQ), VPS (EC2) | Admin, Workforce, Customer Portal |
| Cloudflare | CDN, DDoS protection, and asset storage | buddypro.io, Admin, Customer Portal |
| Crisp | Live chat (when enabled) | buddypro.io (planned) |
| Customer.io | Transactional and marketing email | Admin, buddypro.io |
| Expo.dev | Mobile app publishing (no customer data processed) | Workforce |
| Fortnox / Bokio | Accounting | Admin (customers on the bookkeeping module) |
| Google Tag Manager (Consent Mode v2) | Tag management (after consent) | buddypro.io |
| Google Analytics 4 | Analytics (after consent) | buddypro.io |
| HubSpot | CRM, behavioral measurement, and marketing automation (after consent) | buddypro.io |
| Meta Pixel | Ad measurement (after consent) | buddypro.io |
| PostHog | Product analytics and usage tracking | Admin, Workforce |
| Sentry | Error logging and diagnostics | Admin, Workforce, Customer Portal |
In addition, we may share data with:
- Your employer (Workforce) — work-related data like time, location, job status, performance, and payroll basis
- The company customer (Customer Portal) — who has you as an end customer
- Authorities — Skatteverket for RUT/ROT, IMY, police, or courts when the law requires it
- Emergency services or insurers — for workplace accidents or injuries where necessary
- Acquirers — in case of merger, acquisition, or sale
We don't sell your data and we don't share it with unknown parties for their marketing.
7. Transfers outside the EU/EEA
We operate primarily in the EU. Some providers — including Google, Meta, HubSpot, Customer.io, and Sentry — process data in the US. Transfers happen on the basis of the EU Commission's Standard Contractual Clauses (SCC) and the providers' certifications. We follow developments around the EU–US Data Privacy Framework and update our agreements as needed.
8. Retention periods
- Operational data (personnel records, job data, customer data) — deleted within 30 days of account termination
- Authentication data (email, phone) — retained until the user has had no activity across any BuddyPro service for 7 years, or until the user requests erasure, unless the user is active in another company account on the platform. Users active in multiple company accounts retain access for the duration of their last active relationship.
- Time tracking and attendance (Workforce) — 7 years for employment law compliance
- Payroll and tax basis — 7 years per the Swedish Accounting Act
- Accounting data — 7 years per the Swedish Accounting Act
- Performance data (Workforce) — up to 3 years after employment ends
- Work communication and chat — 2 years from the most recent message
- Live chat conversations (Crisp) — 2 years from the most recent message
- GPS positions and location data (Workforce) — 1 year unless longer is required by law
- Support cases — up to 24 months
- Marketing consent — until you withdraw it
- Analytics data — per the settings in each tool, max 26 months for GA4
9. Your rights
You have the right to:
- request a data export — a copy of the data we have about you
- request rectification of incorrect data
- request erasure ("right to be forgotten") where legally possible
- request data portability — your data in a machine-readable format
- object to processing based on legitimate interest
- withdraw consent for marketing and optional analytics
- complain to the Swedish Authority for Privacy Protection (IMY) — imy.se
In an employment context, some rights may be limited — for example, you can't have payroll data erased while employed because we have to keep it by law. We'll explain why if we need to restrict anything.
Send your request to [email protected]. We respond within 30 days.
10. Security
We follow Article 32 GDPR and have, among other things:
- Encryption of personal data in transit and at rest
- Access controls, authentication, and two-factor authentication when applicable
- Regular security testing and logging
- Backups and recovery procedures
- Staff trained in data protection
- Data processing agreements with our providers
In the event of a personal data breach that risks your rights, we notify IMY within 72 hours and inform you without undue delay.
You are responsible for keeping your login details secret and reporting suspicious activity immediately.
11. Children's privacy
The services are not intended for children under 16, and we do not knowingly process personal data of children under 16. If we learn we have collected such data, we delete it as soon as we can. Contact [email protected] if you believe we have done so by mistake.
12. Cookies
How we use cookies on buddypro.io is described in our Cookie Policy.
13. Changes
We update the policy as needed. We notify you of material changes in the service or by email.
14. Contact
Questions about personal data and data protection: [email protected].
Other questions: [email protected].