Privacy Policy
Last updated: March 13, 2026
1. Data Controller
The data controller for Apiverket.se is Cuon Aktiebolag, org.nr 559459-3526, registered in Sweden. For privacy-related questions, contact us at privacy@apiverket.se.
2. Information We Collect
We collect the following information when you use our services:
- Account information: Email address and name provided during API key registration.
- API usage data: Endpoints called, request timestamps, response times, IP addresses, and HTTP headers sent with API requests.
- Technical data: Browser type, operating system, and device information when accessing our website or dashboard.
3. Legal Basis (GDPR Art. 6)
We process your personal data based on:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the API service you signed up for.
- Legitimate interest (Art. 6(1)(f)): Rate limiting, abuse prevention, and service improvement.
- Consent (Art. 6(1)(a)): Where we rely on consent (e.g. marketing emails), you may withdraw it at any time.
4. How We Use Your Information
- To provide, maintain, and improve our API services.
- To enforce rate limits, prevent abuse, and ensure platform security.
- To generate aggregated, anonymized usage statistics.
- To communicate service updates, security alerts, and billing information.
5. Data Sources
Apiverket.se aggregates publicly available data from Swedish government agencies (SMHI, Trafikverket, SCB, Riksdagen, etc.). We do not store the underlying government data permanently; it is cached temporarily to improve response times. The original data is governed by each agency's own data license, typically Swedish open data licenses.
6. Personal Data in Upstream Government Data
Certain API endpoints return publicly available government data that may contain personal information. Examples include:
- Company addresses (/v1/companies) — registered business addresses sourced from Bolagsverket, which may correspond to private residences for sole proprietors.
- Wanted person descriptions (/v1/police/wanted) — names, physical descriptions, and photographs published by Polisen in the public interest.
- Name statistics (/v1/names) — aggregate frequency data from SCB. This data is statistical and does not identify individual persons.
This information is published by the respective government agencies under Swedish public access principles (offentlighetsprincipen) and open data licenses. Apiverket does not collect, enrich, or combine this data with other sources. We cache upstream responses temporarily to improve performance but do not permanently store the underlying government data.
Your responsibility: If you process personal data obtained through our API, you are independently responsible for ensuring your own compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This includes determining your legal basis for processing, fulfilling data subject rights, and conducting any required data protection impact assessments.
7. Data Retention
API usage logs are retained for 90 days. Account information is retained as long as your account is active. After account deletion, we retain anonymized aggregate statistics but remove all personally identifiable data within 30 days.
8. Data Sharing & Sub-processors
We do not sell your personal information. We share data with the following sub-processors as necessary to operate the service:
- Vercel (EU edge network): Application hosting and edge compute.
- Turso (EU region): Database hosting (libSQL/SQLite).
- Upstash (EU region): Redis caching for rate limiting.
- Resend (EU processing): Transactional email delivery (magic links, notifications).
- Stripe (EU region): Payment processing and subscription billing.
- PostHog (EU region): Product analytics (only with your consent).
We may also disclose data when required by Swedish or EU law, or to protect our legal rights.
9. International Transfers
All primary data processing occurs within the EU/EEA. Where sub-processors transfer data outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
10. Security
We use industry-standard security measures including encrypted connections (TLS 1.2+), hashed API keys, and access controls. API keys are stored using one-way SHA-256 hashes and cannot be recovered by our staff. Only a truncated prefix is stored for identification purposes.
11. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data ("right to be forgotten").
- Data portability — export your data in a machine-readable format.
- Restriction of or objection to processing.
- Withdraw consent at any time where processing is based on consent.
To exercise these rights, contact us at privacy@apiverket.se. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
12. Cookies, Local Storage & Analytics
Our website uses localStorage to persist:
- Your language preference (EN/SV).
- Cookie/analytics consent status.
We also set a secure, HTTP-only session cookie (__session) after login to maintain your authenticated session.
If you accept analytics via the consent banner, we load PostHog (EU-hosted, eu.i.posthog.com) to collect anonymous usage data such as page views, button clicks, and session replays. PostHog stores data in the EU and does not share it with third parties. You can withdraw consent at any time by clearing your browser's localStorage for this site.
We do not use advertising pixels or share data with ad networks.
13. Changes
We may update this policy from time to time. Material changes will be communicated via email to registered users and posted on this page with an updated date.
Contact & Company Information
Operator: Cuon Aktiebolag
Org. nr: 559459-3526
Country: Sweden
General inquiries: hello@apiverket.se
Privacy & data requests: privacy@apiverket.se
Security issues: security@apiverket.se