1. Who we are

mensefulbase AB ("mensefulbase", "we", "us") is a Swedish private limited company (AB) registered with Org.nr 559241-8736, with its registered office at Sveavägen 24, 4 tr, 111 57 Stockholm, Sweden. We are the data controller for personal data we collect through this website (mensefulbase.digital) and our marketing channels. For personal data we process on behalf of our customers as part of the mensefulbase platform, we act as a data processor; the terms of that processing are set out in the Data Processing Agreement attached to each customer contract.

2. What data we collect

We collect the minimum we need to run our business and serve you well. In practice that means:

  • Contact data you provide voluntarily — name, work email, phone number, company, role.
  • Communication content — the messages you send us via forms, email or scheduled calls.
  • Account data, if you become a customer — sign-in credentials, user IDs, role assignments.
  • Technical data — IP address, device type, browser, language, referring page, pages viewed, approximate location (city / country level).
  • Cookie data — see our cookie policy.

We do not deliberately collect special categories of personal data (e.g. health, religion, political opinions). Please do not send us such information unsolicited.

3. Why we process it

  • To respond to enquiries, demo requests and audit bookings.
  • To deliver, secure and improve the mensefulbase platform for our customers.
  • To send relevant product updates and invoices.
  • To measure how our website performs (only with your consent).
  • To comply with our legal obligations under Swedish, EU and other applicable law.

We process personal data on the following legal bases (Article 6 GDPR):

  • Consent — for non-essential cookies and direct marketing emails to private individuals.
  • Contract — when you are a customer or are negotiating a contract with us.
  • Legitimate interest — to run, secure and improve our business (we balance this against your rights and keep records of the assessment).
  • Legal obligation — accounting, tax, anti-money-laundering rules.

5. Who we share it with

We share personal data with a small number of trusted sub-processors under written agreements that meet GDPR Article 28 requirements. A current, complete list is available on request. As of the effective date, our sub-processors include:

  • Cloud hosting — Amazon Web Services EMEA SARL (Frankfurt, Stockholm).
  • Transactional email — Postmark / ActiveCampaign EU.
  • Customer support tooling — Intercom EU instance.
  • Accounting and invoicing — Fortnox and Stripe Payments Europe Limited.
  • Web analytics — Plausible Analytics (EU, cookieless).

We never sell personal data. We disclose data to public authorities only where strictly required by law.

6. International transfers

All customer data processed by the platform is stored and processed inside the European Union. For business operations (e.g. payroll, occasional vendor support), some personal data may be transferred outside the EEA. In those cases we rely on the European Commission's adequacy decisions or, where these do not apply, on the most recent EU Standard Contractual Clauses with supplementary measures as appropriate.

7. Retention

We keep personal data only as long as we need it for the purposes set out above, and in accordance with statutory minimums under Swedish law (e.g. seven years for accounting records under the Swedish Bookkeeping Act (Bokföringslagen)). Typical retention periods are: marketing leads — up to 24 months from the last interaction; customer records — for the duration of the contract plus seven years; cookies — see our cookie policy.

8. Your rights

Subject to the conditions in Articles 15–22 GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data or complete incomplete data.
  • Have your data erased ("right to be forgotten").
  • Restrict or object to certain processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time (without affecting prior processing).
  • Lodge a complaint with the Swedish Authority for Privacy Protection (IMY, imy.se) or your local supervisory authority.

9. How we protect data

We maintain a comprehensive information security programme aligned with ISO/IEC 27001 and audited annually under SOC 2 Type II. Measures include encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, mandatory MFA for employees, quarterly external penetration testing, and a documented incident response plan tested every six months.

10. Contact & complaints

For any data protection request, please contact our Data Protection Officer at [email protected] or by post to mensefulbase AB, Att.: DPO, Sveavägen 24, 4 tr, 111 57 Stockholm, Sweden. We respond within 30 calendar days. If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.

We update this policy when our practices change. The version above is the only one in force; previous versions are available on request.