Paloma in Sweden AB – Terms of Service and Privacy Policy
This document is an English translation of Paloma’s Swedish Terms of Service and Privacy Policy. In case of any differences in interpretation between language versions, the Swedish version shall prevail.
Terms and Conditions
Definitions
- Customer Agreement – The agreement entered into between Paloma in Sweden AB (“Paloma”) and the Customer.
- Terms and Conditions – Refers to the terms in this present agreement.
- Agreement Term – Refers to the period that Paloma and the Customer have agreed upon for the use of the Service.
- Credits – Refers to a pool of credits, i.e. a pool corresponding to a number of participants in Paloma Event and Magnet by Paloma, number of responses in Paloma Surveys, and number of mailings in Paloma Newsletter that the Customer has purchased under the agreement.
- Customer – Refers to the natural or legal person with whom Paloma has entered into a Customer Agreement for a license to the Service.
- Service – Refers to Paloma’s products: Paloma Newsletter, Paloma Event, Paloma Surveys, and Magnet by Paloma.
- Recipient – Refers to the natural or legal person to whom the Customer sends newsletters, invitations and other communications via the Service.
- Intellectual Property Rights – Refers to all intellectual property rights in the Service to which Paloma has exclusive rights (including related rights), as well as any further developments and updates of the Service.
- Usage Rights – Refers to the limited right that the Customer is granted through the Customer Agreement and these Terms and Conditions to use the Service during the agreed Agreement Term.
§ 1 General
These Terms and Conditions, together with the Customer Agreement, govern the contractual relationship between Paloma and the Customer regarding the Service. In case of any contradictions between these Terms and the Customer Agreement, the Customer Agreement shall take precedence. Paloma and the Customer are jointly referred to as the “Parties” and each individually as a “Party.”
§ 2 Conclusion of the Customer Agreement
Ordering the Service can be done via a form on the website, via email, or verbally. Anyone wishing to subscribe to the Service must provide Paloma with the information that Paloma requests at the time of registration, in order to enable full use of the Service. The Customer is obliged to sign a written agreement in connection with the order if Paloma so requests. If no written Customer Agreement has been signed, the Customer Agreement is considered concluded when Paloma has confirmed the order or when the Service has been made available for use.
The Customer chooses a username and a password. Paloma reserves the right to change the Customer’s login credentials for technical, operational or other reasons, such as due to a decision by an authority.
§ 3 Termination of the Customer Agreement
- Termination of the Customer Agreement must be done in writing via email. Failure to pay an invoice is not considered a termination of the Customer Agreement. Paloma will not refund any prepaid fees, compensation for unused portions of the Agreement Term, or remaining Credits unless the termination is due to a fault or delay in the Service caused by Paloma that is not of minor significance to the Customer.
- Termination of the Customer Agreement should be effected before the start of a new Agreement Term. It is the Customer’s responsibility to be aware of when a new Agreement Term begins. Paloma has the right to invoice the Customer for each commenced Agreement Term. Paloma does not refund any fees for the remaining time in an Agreement Term that has already started according to the Customer Agreement. This applies even if there is a remaining pool of Credits.
- Upon termination of the Customer Agreement, the Service will automatically be shut down the day after the last day of the Agreement Term. The Customer is responsible for exporting any data they wish to retain before the Service is shut down. Paloma does not guarantee that the Customer’s data from the Service will be saved or backed up after the last day of the Agreement Term has passed.
- The Customer Agreement is renewed automatically if it is not terminated before the start of a new Agreement Term. A freemium account or an account with only Credits will be automatically shut down if the Customer has not logged in to the account for a period of twelve (12) months.
- Paloma has the right to terminate the Customer Agreement with immediate effect if Paloma intends to discontinue the Service, incorporate it into another service, or if Paloma changes the Terms and Conditions for access to the Service (for example, due to added functionality or introducing fees for the Service). In such case, any outstanding prepayment will be credited to the Customer via a credit note.
- With the exception of the above, the following applies to payment by credit or debit card: If sufficient funds are not available at the time of automatic card payment, Paloma reserves the right to make further debit attempts during the following ten (10) days. If funds are still insufficient after ten days, the Customer Agreement will be terminated with immediate effect. However, the Service will not cease entirely, but will continue as a freemium account. In accordance with the above provision, such a freemium account will then be automatically shut down if the Customer has not logged in to the account within a period of twelve (12) months.
§ 4 Intellectual Property Rights to the Service
Through the Customer Agreement, the Customer is only granted a non-exclusive, time-limited right to use the Service. The Customer is also granted a non-exclusive, time-limited right to use any further developments, updates, or modifications of the Service. The Customer’s Usage Rights are limited to what is stated above and in the Customer Agreement. Paloma retains all other rights to the Service, including all Intellectual Property Rights that the Service contains or may come to contain through further development, updates, or modifications of the Service. Paloma’s rights and the rights in Paloma’s Services may not be used in connection with any product or service without Paloma’s written consent.
The Service, or any part of it, may not be sold, resold, copied, reproduced, or used in any way that is not consistent with the Customer’s Usage Rights according to these Terms and the Customer Agreement.
§ 5 Price and Payment Terms
- Payment for the Service is made according to the current price list. All prices are stated exclusive of VAT and other comparable taxes or public fees.
- The Service is invoiced or charged to a credit/debit card at the beginning of the Agreement Term (or any renewal term). Invoices must be paid within 15 days from the invoice date, unless otherwise agreed by the Parties. In case of late payment on an invoice, the Customer must pay interest on overdue amounts as per Section 6 of the Swedish Interest Act, from the date payment was due.
- For payment by credit or debit card, the amount is charged immediately upon purchase of the Service, and automatically upon each renewal of the Customer Agreement.
- Paloma reserves the right to suspend delivery of the Service, in whole or in part, if payment is not received within the stipulated time. It is the Customer’s responsibility to inform Paloma of any change of billing or contact address.
- Customers using Magnet’s free license may under no circumstances charge admission or require payment for their tickets.
§ 6 Operation, Support, and Customer Service
The Service is normally available 24 hours a day, seven days a week. However, the Service is unattended during certain hours, and disruptions may occur during those times. Furthermore, Paloma has the right to restrict or suspend the operation of the Service without prior notice for maintenance purposes, such as bug fixes, maintenance, and upgrades.
If Paloma needs to send any operational announcements or information to the Customer, it will use the email address that the Customer has provided for receiving such service notifications.
Paloma provides support to the Customer if a support service has been purchased. Support is provided via email for questions, service disruptions or other issues that arise when using the Service. Support matters submitted during office hours (08:00–17:00, Swedish time) are normally answered within four hours. (During the summer season, support hours may be reduced.) For urgent support matters, the Customer is referred to Paloma’s switchboard at +46 (0)225-410 22 to report the issue.
§ 7 Processing of Personal Data
Paloma needs to process certain personal data about contact persons at the Customer in order to perform the Service, manage the customer relationship, and send marketing material to the Customer (such as newsletters and offers). Paloma is the data controller for this personal data and processes it in accordance with Paloma’s Privacy Policy.
Paloma also processes personal data via the Service on behalf of the Customer. This may include, for example, newsletter subscribers or event participants whose data is handled through the Service. For such personal data, the Customer is the data controller and Paloma is the Customer’s data processor. By accepting these Terms and Conditions, the Customer also accepts the Data Processing Agreement (Personal Data Processor Agreement) set out below.
As the data controller, the Customer must fulfill the requirements of the EU General Data Protection Regulation (GDPR). This means the Customer is responsible for having a legal basis for all personal data processing and for processing personal data in accordance with the principles of the GDPR.
§ 8 Technical Requirements for the Service
To use the Service, the Customer’s technical environment must meet the minimum requirements for the Service as specified on Paloma’s website.
§ 9 Restrictions and Refusal of Service
Paloma reserves the right to review the material that the Customer distributes via the Service, in order to ensure that the Customer is complying with its obligations under these Terms. However, Paloma assumes no responsibility to actively monitor or review the Customer’s use of the Service in detail.
The Customer only has the right to use the Service in compliance with applicable laws and regulations.
Paloma also reserves the right to immediately suspend delivery of the Service if the Customer’s use of the Service violates these Terms and Conditions or any other reasonable written restrictions imposed by Paloma. Paloma further reserves the right to immediately suspend the Service in the event of any use that is harmful to Paloma, the Service, or the Recipients of the Service in any other way.
Examples of prohibited uses of the Service include:
- Distributing offensive content such as racism, Nazism/fascism, defamation, insults, harassment, threats, or pornography.
- Sending chain letters or running pyramid schemes.
- Creating a false identity for the purpose of misleading others.
- Sending or otherwise making available material protected by intellectual property rights without having acquired the rights to the material or obtained all necessary consents to use the material.
- Infringing Paloma’s or any other party’s intellectual property rights.
- Sending or otherwise making available material that contains viruses, trojan horses, worms, time bombs, cancelbots, corrupted files, or any other similar software or programs that may damage another’s computer or property.
- Forging or removing author attributions, legal notices or other proper notices, or proprietary labels indicating the origin or source of any material or message transmitted.
- Violating codes of conduct, accepted norms, or other guidelines applicable to the Service.
- Accessing or attempting to access accounts, computers, or networks related to the Service without authorization, or disrupting or interrupting such accounts, computers, or networks.
- Accessing or attempting to access information or data through the Service except for information that Paloma intends to make available to the Customer.
- Using access to the Service to obtain information in order to design, develop, or update another software or service.
- Charging others, whether directly or indirectly, for the use of the Service.
- Circumventing the applicable fee policy for the Service – for example, by systematically importing and exporting the same address or the entirety/large parts of a recipient list to avoid fees.
- Sending emails in such a way that results in, or may result in, the Service’s IP addresses being blacklisted, flagged by spam filters, or otherwise blocked.
If the Service is suspended due to use that violates the conditions in this Section 9, the Customer is not entitled to any refund. The Customer’s right to use the Service ceases immediately when the Service is suspended. Paloma assumes no liability toward the Customer for any loss of data as a result of the Service being suspended under this section.
§ 10 Customer’s Responsibilities
The Customer is responsible for ensuring that the Service is used in accordance with the laws and regulations applicable in Sweden as well as internationally. The Customer undertakes to hold Paloma harmless from any financial loss or other damage arising from the Customer’s use of the Service.
The Customer agrees not to disclose their password to any unauthorized person, and to ensure that any document containing the password is stored so that no unauthorized person can gain access to it. The Customer shall immediately request that Paloma disable the password if it is suspected that an unauthorized person has obtained knowledge of the password.
The Customer is solely responsible, as regards Paloma, for the information that is transmitted, stored, or otherwise made available through the Service.
The Customer undertakes to use the Service according to the principle of “permission marketing.” This means the Service should be used to further develop existing relationships. A Recipient of a mailing must have directly or indirectly given their consent to receive information from the Customer. Such permission from a Recipient can arise, for example, from an existing customer relationship, personal contact, or an expression of interest in receiving information via the Service from the Customer.
Recipients of information via the Service must always be given the option to unsubscribe from further mailings via a clearly visible clickable link in each individual mailing. It must be easy for a Recipient to unsubscribe, and all unsubscribe requests must always be honored. Sending invitations to introduce a new newsletter is permitted provided that such invitation is a one-time mailing to each Recipient and is directed to a relevant target group that can be presumed to be interested in the content.
Use of the Service must otherwise comply with the industry association SWEDMA’s interpretation of the GDPR (the applicable data protection regulation).
Paloma does not permit the Customer to import purchased email addresses or contact lists into the Service.
§ 11 Paloma Account Provisions
The Customer understands that only one registered sender is permitted per account. The Customer has the right to open an account on behalf of a client; however, only one such registered client/sender may exist per Paloma account.
§ 12 Limitation of Paloma’s Liability
Paloma is not liable for any inconvenience, damage or loss caused by circumstances beyond Paloma’s control, or which Paloma could not reasonably have controlled or foreseen.
Examples of such exonerating circumstances (force majeure) include, but are not limited to: accidents, war, riots, extreme weather conditions, labor disputes, and failures in the IT services, data networks, payment solutions or similar provided by operators, partners or subcontractors, or any similar event that Paloma could not influence.
In no event will Paloma be liable for indirect damages or consequential losses. Paloma is therefore not liable for loss of profit or any other indirect damage or loss.
Paloma’s liability under the Customer Agreement is in all cases limited to a total amount corresponding to the fees that the Customer has paid in the twelve (12) months prior to the occurrence of the damage or loss.
§ 13 Paloma’s Responsibility
In the event of a fault or delay on Paloma’s part that is not of minor significance to the Customer, the Customer may receive a remedy in the form of an extension of the Agreement Term at no charge, corresponding to the period of service outage for the affected portion of the Service. In no case will any monetary compensation be paid for service outages as described above.
If the Customer does not present a claim for such compensation within one month after the Service should have been made available or the fault ceased, the Customer loses the right to compensation (provided that the claim could have been made within that time).
§ 14 Changes to Terms and Conditions
Paloma reserves the right to revise these Terms and Conditions by publishing an updated version on its website. The amended Terms and Conditions become effective upon being published on the website.
§ 15 Changes in Fees
Changes to fees are made by updating the then-current price list to reflect the new fees. If the Customer does not accept a change or addition to the fees, the Customer has the right to terminate its Customer Agreement for the Service in accordance with § 3 above. If no termination is made, the Customer is deemed to have accepted the new fees.
The new fees will apply from the start of the next Agreement Term, but in all cases no earlier than one (1) month after Paloma has notified the Customer of the upcoming fee change. The notification will be sent to the email address that the Customer has provided for receiving service information.
§ 16 Assignment of the Agreement
The Customer does not have the right to assign the Customer Agreement to a third party without written permission from Paloma.
Paloma has the right, without the Customer’s consent, to assign the Customer Agreement in whole or in part – or Paloma’s rights and obligations under the Customer Agreement – to any company that is part of the same corporate group as Paloma. Paloma also has the right to engage subcontractors to fulfill its obligations under the Customer Agreement.
§ 17 Confidentiality
Each Party undertakes not to disclose to any third party any confidential information that it receives from the other Party, or that arises from the use of the Service.
§ 18 Information to Third Parties
Paloma may not, without the Customer’s consent, provide the Customer’s address lists to any third party.
§ 19 Changes to the Service
Paloma reserves the right to change the design or functionality of the Service without prior notice and for any reason. Any such change takes effect immediately.
For any changes that can be expected to affect the Customer’s use of the Service, Paloma shall within a reasonable time send an email with information about the change to the email address the Customer has provided for receiving operational information.
§ 20 Transfer of the Service
The Customer does not have the right to transfer or sublicense the Service to any third party.
§ 21 Prevailing Language
Paloma enters into agreements with customers in multiple countries and may translate the Customer Agreement and these Terms and Conditions into different languages as needed. If the agreement can be interpreted differently due to linguistic differences, the Swedish version of the agreement shall always prevail.
§ 22 Governing Law
The requirements for the form of entering into the agreement, as well as any questions regarding the validity of the agreement between Paloma and the Customer, shall be determined in accordance with Swedish law. Agreements entered into between Paloma and the Customer shall be interpreted and have the legal effects provided by Swedish law.
§ 23 Dispute Resolution
Any dispute between the Parties shall be settled under Swedish law and by Swedish courts, with the Stockholm District Court (Stockholms tingsrätt) as the court of first instance.
Personal Data Processing Agreement (Data Processor Agreement)
1. Background
1.1 The Customer and Paloma have entered into an agreement regarding the use of Paloma’s services (the “Customer Agreement”) and accepted the general Terms and Conditions above.
1.2 This Personal Data Processing Agreement (the “Processing Agreement”) governs only issues regarding Paloma’s Processing of Personal Data on behalf of the Customer. In the event of any conflict between the Customer Agreement and this Processing Agreement, the Customer Agreement shall have precedence.
2. Definitions
2.1 Terms used in this Processing Agreement with a capital initial letter that are also used in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) have the same meaning as in the Regulation. For the purposes of this Processing Agreement, the following terms are defined:
- Customer Agreement: The agreement for the use of Paloma’s services that was entered into before or at the same time as this Processing Agreement.
- Processing Agreement: This Personal Data Processing Agreement.
- Legislation: The applicable Swedish legislation in force at any given time. (Processing of personal data is primarily governed by the EU General Data Protection Regulation (GDPR) 2016/679 and the Swedish Data Protection Act (2018:218) which supplements the GDPR.) The Parties understand and agree that this Processing Agreement shall be interpreted in accordance with the applicable Swedish legislation at each point in time.
- Data Controller: Refers to the Customer, who determines the purposes and means of the Processing.
- Data Processor: Refers to Paloma, which processes Personal Data on behalf of the Data Controller.
- Standard Contractual Clauses: Refers to the standard clauses for the protection of Personal Data transferred to third countries, in accordance with the European Commission’s decision (EU) 2021/914, or equivalent clauses that replace these.
- Sub-processor: Refers to a party engaged by the Data Processor who, under the responsibility of the Data Processor, carries out Processing in accordance with this Processing Agreement and the Data Controller’s instructions.
3. Purpose
3.1 The purpose of this Processing Agreement is to establish a binding written agreement concerning data processing in accordance with the requirements of applicable Legislation.
3.2 The purpose is also to ensure that the security and confidentiality of Personal Data is maintained during the Data Processor’s Processing of Personal Data.
4. Legislation
4.1 The Data Controller is responsible for ensuring that Processing is carried out in accordance with the Legislation in force at each point in time.
4.2 The Parties acknowledge and agree that if the Legislation or applicable regulatory guidance undergoes significant changes, the terms of this Processing Agreement shall be adjusted so that they, to the greatest extent possible, correspond to the principles originally intended by the Parties when this Processing Agreement was entered into.
5. Data Controller’s Rights and Obligations
5.1 The Data Controller shall:
- (a) provide the Data Processor with such detailed and documented instructions regarding the Processing that the Data Processor can carry out the Processing in accordance with this Processing Agreement and applicable Legislation;
- (b) be entitled and obligated to determine the purposes of the Processing of Personal Data and the means by which the Processing is to be conducted;
- (c) ensure that every individual whose Personal Data will be processed has received all necessary information and disclosures, and ensure that all required legal grounds for transferring Personal Data to the Data Processor are in place for the relevant time period – thereby permitting the Data Processor to carry out the Processing as set forth herein;
- (d) if the Data Controller is acting on behalf of its group companies or a third party under this Processing Agreement, ensure that the Data Controller has all necessary legal authority to enter into and fulfill this Processing Agreement on behalf of said entities and to allow the Data Processor to Process the Personal Data in accordance with the terms of this Processing Agreement and the Customer Agreement; and
- (e) ensure that the Data Processor has received all information necessary from the Data Controller to enable the Data Processor to perform the Processing in accordance with applicable Legislation.
6. Data Processor’s Rights and Obligations
6.1 The Data Processor shall:
- (a) Process Personal Data only on documented, lawful, and reasonable instructions from the Data Controller, unless otherwise required by applicable law. In such case, the Data Processor shall inform the Data Controller of that legal requirement before Processing, unless the law prohibits such notice;
- (b) ensure that persons authorized to carry out the Processing under this Processing Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, as further detailed in this Processing Agreement;
- (c) implement all security measures required of the Data Processor under applicable Legislation, as further detailed in this Processing Agreement;
- (d) comply with the conditions set forth in applicable Legislation for engaging any Sub-processor, as further detailed in this Processing Agreement;
- (e) taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Data Controller’s obligation to respond to requests for exercising the data subjects’ rights under applicable Legislation;
- (f) assist the Data Controller in ensuring compliance with the Data Controller’s legal obligations – including those concerning data security, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities – which relate to the Data Processor’s Processing of Personal Data, taking into account the nature of Processing and the information available to the Data Processor;
- (g) upon the Data Controller’s instruction, delete or return all Personal Data to the Data Controller and delete existing copies, unless storage of the Personal Data is required by applicable law. The method for deletion or return of data shall be agreed between the Parties; and
- (h) maintain necessary records of its Processing activities and provide the Data Controller with all information needed to demonstrate the Data Processor’s compliance with its obligations as set out in applicable Legislation. The Data Processor shall also allow for and contribute to audits, including inspections, carried out by the Data Controller or by a third party authorized by the Data Controller.
6.2 The Data Processor is not entitled, except in accordance with the Data Controller’s instructions, to change the purposes of the Processing or the means by which the Processing is carried out.
7. Security Requirements
7.1 The Data Processor shall implement and maintain appropriate technical and organizational measures to protect the Personal Data, taking into account:
- (a) the latest developments, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons; and
- (b) the risks associated with the Processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed.
7.2 The Data Controller is responsible for ensuring that the Data Processor is informed of all circumstances (including risk assessments and the Processing of special categories of Personal Data) regarding the Personal Data provided by the Data Controller, which may affect the technical and organizational measures required under this Processing Agreement.
7.3 The Data Processor shall, without undue delay and in no case later than 48 hours after becoming aware of it, notify the Data Controller of any Personal Data Breach or any situation in which there is a risk of a Personal Data Breach.
8. Sub-Processors
8.1 The Data Processor has the right to engage one or more Sub-processors to perform its obligations under this Processing Agreement.
8.2 If a Sub-processor is engaged, the Data Processor must enter into a binding agreement with that Sub-processor, which binds the Sub-processor to at least the same obligations as the Data Processor is bound by under this Processing Agreement. In such an agreement, the Sub-processor shall provide sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the Processing meets the requirements of this Processing Agreement and applicable Legislation.
8.3 The Data Processor shall maintain an updated list of all Sub-processors engaged. At the request of the Data Controller, the Data Processor shall provide a copy of this list to the Data Controller.
8.4 The Data Processor remains fully liable to the Data Controller for the performance of any Sub-processor that processes Personal Data, including the Sub-processor’s implementation of security measures.
8.5 The Data Processor shall inform the Data Controller in advance of any planned changes concerning the addition or replacement of Sub-processors. This is to give the Data Controller the opportunity to object to such changes if there are objectively justifiable reasons for doing so.
9. General Instructions for Paloma’s Services
9.1 If the Customer Agreement includes the Paloma newsletter service, the Data Controller’s instructions for Processing Personal Data are:
a) to Process Personal Data on behalf of the Data Controller by sending out a newsletter (created by the Customer) to email addresses included in an address list compiled by the Customer;
b) to Process any Personal Data contained in the content of the newsletter; and
c) to store the address list for the purpose of using the email addresses for future mailings.
9.2 If the Customer Agreement includes Magnet (event management service), the Data Controller’s instructions are:
a) to Process Personal Data on behalf of the Data Controller by receiving registrations for various types of events;
b) in certain cases, to sell paid tickets to such events and thereby Process payment information;
c) to provide the Customer with access to the Personal Data of the registrants, consisting mainly of names, contact details, and payment information; and
d) to Process Personal Data by providing a feature to “check in” registered participants at events.
9.3 If the Customer Agreement includes Kurios (survey tool), the Data Controller’s instructions are:
a) to Process any Personal Data on behalf of the Data Controller by sending out a survey (created by the Customer or Paloma) to email addresses included in a mailing list compiled by the Customer;
b) to store any Personal Data obtained through responses to the surveys; and
c) to Process the Personal Data by compiling statistics on the outcome of the surveys.
9.4 The Data Controller bears full responsibility for ensuring that the Processing of Personal Data in the Services complies with the requirements of applicable Legislation. It is particularly noted that the storage of address lists and the collection of free-text survey responses should be given special consideration in order to meet the Legislation’s requirements regarding (among other things) legal basis, accuracy, and data minimization/deletion.
10. Transfer of Personal Data to Third Countries
10.1 In cases where the Data Processor, in connection with performing the Processing, transfers Personal Data to a country outside the European Economic Area (EEA) which the European Commission has not deemed to have an adequate level of data protection, the Parties shall enter into a supplementary agreement based on the relevant Standard Contractual Clauses.
10.2 If the Data Processor engages a Sub-processor that results in Personal Data being transferred to a country outside the EEA which is not deemed to have an adequate level of protection, a supplementary agreement based on the Standard Contractual Clauses shall be entered into. Such supplementary agreement shall be entered into between the Data Controller and the Sub-processor. In the event of any conflict between this Processing Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. (Paloma currently does not use any Sub-processors outside the EEA in countries that do not meet an adequate level of protection.)
11. Right of Audit
11.1 Upon the Data Controller’s request, the Data Processor shall, without undue delay, provide the Data Controller (or an independent third party appointed by the Data Controller) access to such information and documentation as is necessary for the Data Controller to carry out an effective audit of the Data Processor’s compliance with this Processing Agreement and applicable Legislation.
11.2 The Data Controller shall bear all costs associated with any audit of the Data Processor’s Processing of Personal Data that the Data Controller undertakes.
12. Confidentiality
12.1 Unless otherwise instructed by the Data Controller, the Data Processor shall:
a) treat all Personal Data provided by the Data Controller as confidential;
b) ensure that persons authorized to Process the Personal Data have committed to confidentiality; and
c) ensure that Personal Data is not disclosed to any third party without the Data Controller’s prior approval, unless the Data Processor is required by mandatory law or regulation to disclose the information.
12.2 If a data subject or a public authority makes a request regarding Personal Data that is subject to this Processing Agreement, the Data Processor shall, as soon as reasonably possible, inform the Data Controller of the request before the Data Processor responds or takes any action with respect to the Personal Data.
12.3 In cases where a competent authority requires an immediate response, the Data Processor shall inform the Data Controller of the request as soon as reasonably possible after providing a response. If the Data Processor is prevented by mandatory law or regulation from disclosing such information about the request, the Data Processor is not obligated to notify the Data Controller of the request.
13. Liability and Breach of Agreement
13.1 The Data Controller is responsible for ensuring that Processing is carried out in accordance with applicable Legislation and for fulfilling the Data Controller’s obligations under this Processing Agreement. The Data Controller is also responsible for providing adequate and lawful instructions to the Data Processor.
13.2 The Data Processor is responsible for processing Personal Data in accordance with the Data Controller’s instructions, the Data Processor’s obligations under this Processing Agreement, and the applicable Terms and Conditions.
13.3 Each Party shall indemnify and hold the other Party harmless from any damage or loss (including, but not limited to, administrative fines, damages payable to data subjects, or legal fees) incurred by the other Party as a result of the first Party’s breach of this Processing Agreement. The Data Processor’s liability, however, is subject to the same limitations as set out in the Terms and Conditions of the Customer Agreement.
13.4 If a recoverable damage or loss occurs as described above, the affected Party shall take measures to mitigate the damage, provided that such measures do not cause unreasonable cost or are otherwise unreasonably burdensome.
13.5 If a Party is in material breach of this Processing Agreement, the other Party has the right to terminate the Customer Agreement prematurely, with immediate effect or at such time as the non-breaching Party specifies.
14. Term of the Processing Agreement
14.1 This Processing Agreement remains in effect between the Parties for as long as the Data Processor processes Personal Data as a result of its undertaking to provide services to the Customer under the Customer Agreement. If the Customer Agreement expires and a new Customer Agreement is entered into without a new personal data processing agreement being signed, this Processing Agreement shall also apply to the new agreement. This Processing Agreement may be terminated under the same conditions as those specified in the Customer Agreement.
15. Effects of Termination of Processing
15.1 Once the Processing of Personal Data has ceased, or earlier if the Data Controller so requests, the Data Processor shall hand over or destroy all Personal Data that the Data Processor has processed on behalf of the Data Controller.
Paloma’s Privacy Policy
Paloma in Sweden AB (“Paloma”) values individuals’ personal integrity and is committed to ensuring that personal data is handled in a secure, correct, and lawful manner. Paloma has adopted this Privacy Policy to inform you about how we process your personal data. If you intend to provide personal data to us in any way, we urge you to first read through this Privacy Policy.
Paloma processes different categories of personal data in a number of different contexts. In most of our processing activities, Paloma acts as a data processor on behalf of Paloma’s customers (the customers are referred to below as “Users”). Such processing mainly occurs when Users utilize Paloma’s services for event registration and the distribution of emails (Paloma’s newsletter service and Magnet). In this capacity, personal data may be processed by Paloma, but it is the Users who are the data controllers of that data. This means the Users have influence and control over the processing and therefore bear the primary responsibility for ensuring that the personal data is processed in accordance with applicable law.
Paloma also processes certain personal data for which Paloma is the data controller. Being a data controller means that we determine how the personal data will be processed and we have the primary responsibility for ensuring that the processing of personal data is in compliance with applicable legislation.
This Privacy Policy covers all our processing of personal data, regardless of how the personal data has been obtained and regardless of whether Paloma is acting as data controller or data processor. The policy is organized such that we first address the personal data for which Paloma is the data controller. This is followed by a section about Paloma’s processing of personal data in its role as a data processor for Users. The policy concludes with some general provisions that apply in all cases.
Cookies
A cookie is a small text file that is stored on your computer or device. There are different types of cookies. A persistent cookie remains on the visitor’s computer for a predetermined period of time. A session cookie is stored temporarily in the computer’s memory while a visitor is on a website. Session cookies disappear once you close your web browser. The purpose of cookies can be, for example, to save a user from having to log in again for every new visit, or to remember language preferences and other settings.
When you use Paloma’s website, we use cookies to ensure the website works properly for you and to enhance your user experience. If you choose to disable cookies, certain functionality on our website may stop working, and your settings or logins may not be saved. Paloma’s website uses a session cookie that contains a session ID; this cookie is used so that the server can keep track of your session on the site. Paloma’s website also stores order data when a visitor creates an account.
Paloma as Data Controller
When Paloma is the data controller, the following categories of individuals and personal data are processed.
Categories of Data Subjects and Personal Data
-
Customers: When a customer creates an account on Paloma’s website, we collect and process certain personal data about them. This includes:
– Identification information: e.g. name
– Contact information: e.g. email address and telephone number
– Login information: chosen username and password
– Employment information: e.g. workplace (company/organization)
– Electronic identification data: e.g. IP address and cookie data
In addition, Paloma processes payment information related to customers, including payment history, invoicing details, and any payment reminders.
-
Suppliers: Paloma collects and processes personal data about its suppliers. This includes:
– Identification information: e.g. name
– Contact information: e.g. mailing address, email address, and telephone number
– Employment information: e.g. company or organization (workplace)
– Payment information: e.g. payment history and past invoices
-
Job Applicants: If you apply for a job at Paloma, we will process personal data in connection with the recruitment process. This includes:
– Identification information: e.g. name, title, and personal identification number (personnummer)
– Contact information: e.g. address, phone number, and email address
– Financial information: e.g. current salary and salary expectations
– Personal information: e.g. age and date of birth
– Application details: e.g. curriculum vitae (CV), records of education, transcripts, and references
-
Website Visitors: When you visit Paloma’s website, we process certain information about your visit. This includes:
– Electronic identification data: e.g. IP address and cookie data (see the “Cookies” section above for more details)
Please note: Personal data may be supplemented, obtained, or verified using public and other registers such as the national population register, credit reference agencies, corporate registers, etc., where applicable.
Use of Personal Data (Purpose and Legal Basis)
Paloma only processes personal data when we have a lawful basis to do so and for specific purposes. The primary purpose of our processing of personal data (when Paloma is the controller) is to fulfill our obligations in our business operations toward customers, suppliers, and job applicants. For example, Paloma must process certain personal data to be able to provide and deliver Paloma’s services to our customers, to manage relationships with our suppliers, and to evaluate candidates for employment.
For customers and suppliers, the legal basis for processing personal data is generally performance of a contract. This means we process personal data as necessary to fulfill the agreements we have entered with our customers (to deliver our services) and with our suppliers.
If you apply for a job at Paloma, we will process your personal data in the recruitment context with the purpose of assessing your application and suitability for the position. The legal basis for this processing is Paloma’s legitimate interest in recruiting suitable employees. If we wish to retain your application materials for consideration in future recruitment opportunities, we will ask for your consent to keep your data beyond the initial recruitment.
If you visit our website, we process your IP address and cookie data in order to gather statistics about the visit and understand how our website is used. This helps us improve our website and services. Paloma’s legal basis for processing website visitor data is our legitimate interest in understanding and improving user interactions with our site. (You can disable cookies in your browser settings if you do not wish for cookies to be stored, as noted above in the Cookies section. More information about cookies and how to manage them can also be found on the Swedish Post and Telecom Authority’s website.)
Personal data may also be processed for marketing purposes on the basis of Paloma’s legitimate interest. This includes our interest in communicating with current customers who use Paloma’s services and with individuals who might be interested in using Paloma’s services in the future. For example, we might use contact information to send newsletters, offers, event invitations, or to otherwise develop and promote our services.
Additionally, in some cases Paloma may need to process personal data in order to comply with legal obligations — for instance, fulfilling requirements under tax law, accounting law, or responding to lawful requests by authorities.
Consent
In certain cases, our processing of personal data may be based on your consent. If we rely on consent as the legal basis for processing your personal data, we will specify the purpose for which your consent is being sought, and we will only process your data for that purpose once you have given consent. You have the right to withdraw your consent at any time by contacting us (see contact information at the end of this Policy). Please note that if you withdraw consent, Paloma may still be entitled to continue processing the data to the extent required or allowed by other legal grounds – for example, to fulfill a contract we have with you or to comply with a legal obligation.
Recipients of Personal Data
Paloma may disclose personal data (for which Paloma is the data controller) to the data subject themselves and to third parties when such disclosure is necessary or beneficial for Paloma’s operations. Third parties may include companies with which Paloma has a business relationship or service agreement (for example, IT service providers acting as our data processors), and governmental authorities when we are legally obliged to provide such information.
Some of the external parties that receive personal data from us will act as independent data controllers (for example, public authorities or banks), but most external parties that handle personal data on our behalf are considered Paloma’s data processors. When we share personal data with an entity that is an independent data controller, that entity’s own privacy policy and data handling practices will apply.
Whenever Paloma engages a third-party service provider to process personal data on our behalf (as a data processor), this is done only for purposes that are compatible with the original purposes for which we collected the data. Paloma enters into written data processing agreements with all such service providers to ensure they only process personal data according to our instructions and that they provide sufficient guarantees regarding the implementation of appropriate security and confidentiality measures. We also perform periodic checks on our data processors to verify that they meet our standards and comply with our requirements, including any restrictions on transferring personal data to third parties in countries outside the EEA.
In some cases, personal data may be transferred to or accessed by an organization located in a country outside the European Economic Area (EEA). This means the data might be processed outside the EEA. Paloma will only transfer personal data to third countries if there is an adequate level of protection for personal data or if appropriate safeguards (such as EU Standard Contractual Clauses) are in place to ensure that the personal data is protected in accordance with EU standards.
Security Measures
Paloma has implemented suitable technical, administrative, and organizational security measures to protect personal data against unauthorized access, alteration, dissemination, or destruction. We ensure that personal data is only accessible to personnel who are authorized and who need the information to perform their duties. We also continuously work to prevent and detect data breaches or other incidents through various protective measures and routines.
Storage Period (Data Retention)
We retain personal data only for as long as it is necessary to fulfill the purposes for which the data was collected or to comply with legal obligations. Personal data related to customer agreements is typically stored for the duration of the active customer agreement and for a period of 12 months after the agreement has ended (unless a longer retention period is required or justified by law or legitimate interests). Personal data processed for other purposes (such as marketing or web analytics) is stored in accordance with defined retention routines and will be deleted or anonymized when it no longer serves the purpose for which it was collected.
Paloma also conducts regular reviews and deletions (gallring) of personal data that has become outdated or is no longer needed for the stated purposes, in order to ensure we do not keep data longer than necessary.
Data Controller and Contact
For the processing of personal data described in this section (“Paloma as Data Controller”), Paloma in Sweden AB is the data controller. This means Paloma is responsible for determining the purposes and means of the processing and for ensuring compliance with applicable data protection laws. If you have questions or requests regarding this processing or your personal data, you can contact Paloma using the contact information provided at the end of this Privacy Policy.
Paloma as Data Processor
Paloma also processes personal data on behalf of its Users (customers) in connection with the services that Paloma provides. In these situations, the User is the data controller and Paloma is acting as a data processor, processing personal data according to the User’s instructions and in accordance with applicable law. Paloma has entered into Personal Data Processing Agreements (as detailed above) with its Users, in which Paloma commits to implement appropriate technical and organizational measures to ensure that the rights of data subjects are protected during such processing. When the relationship between Paloma and a User ends, the personal data processed on behalf of that User will be deleted or returned in accordance with the terms of the Personal Data Processing Agreement. Users (as data controllers) have the right to conduct audits and inspections to verify that Paloma is fulfilling its obligations regarding the protection and confidentiality of personal data.
Below is information about the processing of personal data that can occur when Users make use of Paloma’s services to process personal data.
Categories of Personal Data Processed on Behalf of Users
Paloma’s services principally consist of two types of service offerings, and the personal data processed can vary by service:
-
Paloma Newsletter Service (Email Marketing): When Users utilize Paloma to send newsletters or other email communications, the typical categories of personal data that are processed include:
– Identification information: such as names (and in some cases unique identifiers like customer IDs) of email recipients
– Contact information: such as email addresses (and possibly mailing addresses or phone numbers if included in the mailing list)
– Professional details: such as the recipient’s employer, title, or workplace (to the extent the User includes such information in their mailing list)
Note: The content of the emails may itself contain personal data (depending on what the User includes, such as names or other information about individuals). Paloma will process whatever personal data the User includes in the email content or mailing list, as necessary to deliver the emails.
-
Magnet Event Service (Event Registration and Ticketing): When Users use Magnet for event registrations and ticket sales, the typical categories of personal data that may be processed include:
– Identification information: such as names (and in some cases personal identification numbers) of event registrants or ticket buyers
– Contact information: such as addresses, email addresses, and telephone numbers of participants
– Electronic identification data: such as IP addresses (captured at the time of registration) and cookies (if the registration page uses cookies)
– Health-related information: in some cases, data like dietary requirements, allergies, or accessibility needs (if the registration form asks for such information for event planning purposes)
– Professional details: such as employer, job title, or workplace (if relevant to the event and requested in the registration form)
– Payment information: if tickets are sold through the service, payment details will be processed (e.g. transaction ID, payment method, partial credit card information or payment confirmations – however, Paloma does not store full credit card numbers since payments are handled by secure payment providers)
Paloma’s services are designed to allow Users a great deal of flexibility in the information they collect. This means Users themselves can add custom fields or free-text input options that may capture additional categories of personal data. Consequently, other categories of personal data beyond those described above may be processed in specific cases, depending on how a User configures their use of the service (for instance, a User could add a question in a survey or registration form that asks for information not listed above, and any such data provided will be processed by Paloma on behalf of the User).
Personal data that Users process through Paloma’s services is typically collected directly from the data subjects (for example, when an individual fills out a newsletter sign-up form or an event registration form). In some cases, Users might supplement their contact lists or registration information with data from public or third-party sources (such as public directories, social media, the Swedish population register, credit check agencies, corporate registers, etc.). Paloma, acting as a data processor, will handle all such personal data that the User inputs into the system.
Use of Personal Data on Behalf of Users
Users are responsible for ensuring that they have a lawful basis for any personal data they process using Paloma’s services and that they have a specific, defined purpose for the processing. Paloma’s Users, in their role as data controllers, have committed (through our Data Processing Agreement) to only process personal data in compliance with GDPR and other applicable laws.
Paloma does not have full insight into the particular purposes for which Users process personal data via our platform; these purposes are determined by the Users. However, common purposes for which Users typically use Paloma’s services include:
-
For the Paloma newsletter/email service: purposes such as marketing, advertising, or providing news and updates to subscribers or customers. For example, a User might use the service to send newsletters, promotional offers, or important updates to people who have subscribed to their mailing list. This is often in support of the User’s customer relations or marketing activities.
-
For the Magnet event service: purposes such as organizing and managing events, courses, or seminars. For instance, a User may use Magnet to handle event registrations, manage attendee lists, send out invitations or tickets, and communicate with participants before and after an event.
Users may rely on different legal bases for their processing of personal data through our services. Depending on the situation, a User might process personal data based on:
-
Consent: e.g. a person has given consent to receive a newsletter or to have their information used for event registration;
-
Contract: e.g. processing is necessary for the performance of a contract with the data subject, such as fulfilling a service that the person signed up for (attending an event that they registered for, for example);
-
Legitimate interests: e.g. the User has a legitimate business interest in sending certain communications to existing customers, or in collecting feedback via a survey, and they have balanced this against the individual’s rights;
-
Legal obligation: e.g. compliance with laws that might require certain record-keeping for events or financial transactions associated with ticket sales.
It is the User’s responsibility to ensure that an appropriate legal basis exists for all personal data processing they carry out using Paloma’s services, and that data subjects have received any necessary information about the processing.
If the processing of personal data via our services is based on an individual’s consent (for example, someone consented to receive a newsletter), that individual has the right to withdraw their consent. To withdraw consent for data processing that is controlled by a User, you should contact the User (the data controller) directly. If you contact Paloma regarding consent for a service that one of our Users is running, we will help direct your request to the appropriate User. Even if consent is withdrawn, the User may be entitled to continue processing any data that is necessary on the basis of another legal ground – for instance, to fulfill a contract with you or to comply with a legal obligation.
Storage Period (Retention of Data on Behalf of Users)
Paloma’s platform gives Users control over their data, including the ability to delete data. In general, it is the User’s responsibility to remove or anonymize personal data from our service once it is no longer needed for the User’s purposes. Paloma does not independently erase data on active User accounts unless instructed by the User or required by law, as the data is under the User’s control.
However, when a User’s contract with Paloma is terminated, a process is initiated to eventually delete the data: Upon termination, an end date for the service is set. After that termination date, the User will no longer have access to their account. The data (including personal data such as address lists, survey results, event registrants, etc.) on the account will be permanently deleted 60 days after the termination date.
The reason Paloma retains the data for 60 days post-termination is to account for situations where a User might accidentally lose access or terminate an account without full awareness of all consequences. In exceptional cases, within this grace period Paloma can assist in restoring an account if it turns out the termination was premature or unintended. After 60 days, all data is irreversibly deleted, and account restoration with original data is no longer possible.
Recipients of Personal Data (User-Controlled Data)
Paloma does not have full visibility into how Users might further share or disclose the personal data that they process using our services, outside of the Processing that Paloma performs. It is possible that a User, in administering their own mailing lists or event registrations, could export data from Paloma’s system and share it with third parties (for instance, exporting an event attendee list to an Excel file and sharing it with co-organizers). Such actions are outside of Paloma’s systems and fall under the User’s responsibility and privacy policy.
Within Paloma’s services, personal data that Users input may be accessed by third-party tools or integrations that the User chooses to use in conjunction with Paloma’s services (for example, if a User has integrated an external CRM or analytics tool via Paloma’s APIs). In these cases, Paloma’s role is still to facilitate the transfer at the User’s direction, and the User remains responsible for the ultimate data sharing.
Additionally, a User could choose to use or contract other sub-processors or service providers in addition to Paloma for related purposes (for example, using a third-party payment processor for event payments, or an email archiving service). If such data sharing involves transferring personal data to a party outside the EEA, it is the User’s duty to ensure compliance with GDPR transfer rules (though Paloma’s own systems and sub-processors currently operate within the EEA or in compliance with EU standards, as noted earlier).
In summary, any onward disclosure or transfer of personal data by the User (beyond Paloma’s processing) is under the control of the User. Paloma’s responsibility as a data processor is limited to what we process within our own system on the User’s behalf.
Your Rights as a Data Subject
Regardless of whether Paloma is the data controller or merely the data processor for your personal data, you have certain rights under data protection law (specifically the GDPR, if you are in the EU) regarding your personal data:
-
Right of access: You have the right to request information about whether we (or our Users, when applicable) are processing personal data about you, and if so, to receive a copy of the personal data and supplementary information. This is commonly known as a subject access request.
-
Right to rectification: You have the right to request that inaccurate or incomplete personal data about you be corrected or completed without undue delay.
-
Right to erasure: You have the right to request the deletion of your personal data (the “right to be forgotten”) in certain circumstances – for example, if the data is no longer necessary for the purposes it was collected, if you withdraw consent and no other legal ground for processing applies, or if the data was processed unlawfully.
-
Right to restriction of processing: You have the right to request that the processing of your personal data be restricted in certain situations. For instance, you can ask for a temporary freeze on processing if you contest the accuracy of the data or have objected to the processing, while we verify the issue.
-
Right to object: You have the right to object to the processing of your personal data when the processing is based on Paloma’s (or a User’s) legitimate interests, including objecting at any time to personal data being used for direct marketing purposes. If you object to direct marketing, we (or the User, as applicable) will cease using your data for that purpose.
-
Right to data portability: When we are processing your personal data based on your consent or a contract with you, and the processing is carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller (or have us transfer it for you, where technically feasible).
To exercise your rights, you should direct your request to the appropriate data controller. This means:
-
If your data is being processed by Paloma as described in the “Paloma as Data Controller” section of this policy (for example, you are a Paloma customer, supplier, job applicant, or website visitor), you should contact Paloma to exercise your rights.
-
If your data is being processed through Paloma’s services by one of our Users (for example, you signed up for a newsletter from one of our customers or registered for an event organized by one of our customers), then that User is the data controller responsible for your data. You should direct any requests to access, correct, or delete data, etc., to that User organization.
If a request is mistakenly sent to Paloma that actually pertains to data controlled by one of our Users, we will forward your request to the relevant User (and let you know we have done so) so that your rights can be exercised by the proper party.
Additionally, if you are not satisfied with how your personal data has been handled, you have the right to lodge a complaint with a supervisory data protection authority. In Sweden, the supervisory authority is the Integritetsskyddsmyndigheten (IMY), which is the Swedish Authority for Privacy Protection. If you reside in another EU/EEA country, you may alternatively contact your local data protection authority. They will coordinate with IMY and other authorities as needed to resolve your issue.
Additions and Changes
Paloma may update or make changes to this Privacy Policy from time to time. If we make significant changes, the updated Privacy Policy will be published on our website. We encourage you to periodically review this Policy to stay informed about how we protect your personal data. When we publish a new or revised policy, we will, when appropriate, also notify our customers or users via email or through the service. Please read any updated policy carefully, as your continued interaction with Paloma (or use of our services) after the changes will constitute acknowledgment of the updated terms.
Contact Information
If you have any questions or comments regarding this Privacy Policy, our handling of personal data, or if you need guidance on how to exercise your rights or whom to contact (for example, whether you should contact Paloma or a User), you are welcome to contact us at info@paloma.se. We will be happy to assist you and address any concerns you might have regarding privacy and data protection.