Privacy Policy


This privacy policy describes how Theo AB, reg. no. 559442-5372 (“Theo”, “us”, “we” or “our”), manages and processes your personal data as part of our business, for example in relation to you as a user (“User” meaning former, current and potential user of our platform (the “Platform”)), or as a visitor to our official website. The type of processing we carry out under the EU Data Protection Regulation (GDPR) depends on the context in which you come into contact with us, and in which capacity you act.

We value your privacy. It is therefore especially important to us that you understand this privacy policy and how and why we process your personal data.

  1. WHO IS RESPONSIBLE FOR THE PERSONAL DATA THAT WE COLLECT?

Please note that this privacy policy describes the processing activities undertaken by us in our capacity as data controller only. A data controller is essentially the company that is responsible for your personal data. We have detailed the processing activities that we are responsible for below in Section 4 (For what purposes and on what legal grounds do we process your personal data?).

The data controller for the activities mentioned under Section 1 (Who is responsible for the personal data that we collect?) is Theo AB with reg. no. 559442-5372, and with address at c/o CMNTY Stureplan 6, 114 35 Stockholm, Sweden.

  2. WHAT IS PERSONAL DATA?

"Personal data" means any information relating to an identifiable natural person, for example a name, a personal registration number, an email address, location data or an online identifier.

"Processing" of personal data is a reference to what we do with your personal data, for example collection, use, structuring, storing and erasure of personal data.

  3. WHAT PERSONAL DATA DO WE COLLECT?

You can read about the different categories of personal data that we collect from you in the table below. We have listed some examples of personal data in each category.

  4. FOR WHAT PURPOSES AND ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?

We manage your personal data to maintain your user account and to guarantee the Platform's safety and dependability, as well as to maintain the integrity of the data you report and to oversee your data submissions within the Platform. The personal data collected when setting up your user account is what we process. 

We restrict our processing of personal data to what is essential for the operation of your user account. Should you, as a User, incorporate personal data into the information you submit on the Platform, we will process this personal data accordingly. Nonetheless, if such personal data was not explicitly requested by us and is deemed unnecessary, we will delete, pseudonymize, or anonymize this personal data.

  5. HOW CAN YOU WITHDRAW YOUR CONSENT?

You have the right to withdraw your consent at any time if our processing of your personal data is solely based on your explicit consent. Please note that if you withdraw your consent, this will not affect the legality of the processing that we have undertaken prior to you withdrawing your consent. If you would like to withdraw your consent, please send an email to dpo@theo.ai. You can also contact us using the contact information below in Section 13 (How to contact us).

  6. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

We will always ensure that third parties can provide sufficient guarantees in protecting your personal data before we share any of your personal data. We have listed the categories of third parties with whom we may share your personal data below.

6.1 Public authorities

We may need to share your personal data with a public authority for the purpose of complying with applicable law. The legal ground is to comply with a legal obligation.

6.2 Mergers and acquisitions

We may need to share your personal data for the purpose of selling Theo, or all or parts of Theo's assets, to a potential buyer who wishes to acquire the same, or if we are otherwise subject to a merger with another company. The legal ground is our legitimate interest to complete such transactions, which we have determined outweighs your interest not to have your personal data processed for this purpose.

6.3 Suppliers and contractors

In order to provide, and for the sole purpose of providing, our services to you, we may need to share your personal data with certain carefully selected suppliers and contractors. Our Platform's functionality heavily relies on these third parties, encompassing a range of services essential for the operation and enhancement of our platform. These partners include, but are not limited to:

  • Authentication systems: We use third-party authentication systems to manage login data securely, ensuring that your access to our Platform is safe and private.

  • Cloud storage providers: For data hosting, including personal and sensitive information, we use leading cloud storage services. This ensures that your data is stored securely and is accessible only as necessary.

  • Analytics and tracking services: To understand how our Platform is used and to continually improve our Service, we engage with third-party analytics providers. These services help us track platform usage in a way that respects your privacy while providing valuable insights.

  • Use of Large Language Models (LLMs): In order to deliver and continuously enhance our services, we employ Large Language Models (LLMs) across various functionalities of our Platform, not limited to AI-driven chat interfaces. These models process personal data such as chat interactions and other user inputs and usage data to provide real-time, personalized responses and to improve user experience broadly across the Platform. We collaborate with carefully selected third-party suppliers who are integral to the development and optimization of these AI functionalities, all under strict data protection agreements that comply with GDPR standards.

These suppliers and contractors could be consultants or providers of legal, technical and IT support/functionalities, and storage providers (such as cloud storage). These entities act as data processors, meaning they will only process your personal data based on our instructions to them, and we will always ensure that the necessary agreements (for example a so-called data processing agreement) are in place to protect your personal data at all times. Furthermore, we implement safeguards like encryption and regular security audits and require all third parties to adhere to similar standards.



  7. WHERE DO WE PROCESS YOUR PERSONAL DATA?

As a main rule, we will process your personal data only within the European Union (EU) and the European Economic Area (EEA). In some situations, for example when the services and functionalities we need are provided outside of the EU/EEA, we may need to transfer your personal data to third countries outside of the EU/EEA.

Regardless of whether your personal data is processed within or outside the EU/EEA, we will at all times ensure that the same level of technical and organisational measures are in place to protect your personal data. Should we transfer your personal data to third countries outside of the EU/EEA, we will take additional appropriate measures to safeguard your personal data, which may as a main rule include one of the following measures.

  • Transfer of personal data only to third countries that, according to the European Commission, provide an adequate level of protection. This means that these third countries offer a similar level of protection as provided under the GDPR in the EU.

  • We will enter into standard contractual clauses adopted by the European Commission with the recipient of your personal data. This means that the recipient is required to comply with the same level of protection as provided under the GDPR in the EU.

In addition to one of the above measures, we will always seek to take any additional security measures that we deem appropriate and necessary to safeguard your personal data at all times.



  8. COOKIES

We use cookies and other similar technologies on our Website. Cookies are small files of data that are placed and stored on your web browser or device when you visit our Website.

When you visit our Website, these files store information that is used for, for example, functionality purposes, to make it easier to use our Website. For more information about the cookies that we use, please read our cookie policy.

  9. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

We will keep your personal data for as long as it is necessary in order for us to fulfil the purpose for which we collected your personal data. We have indicated the necessary retention periods in the table in Section 4 (For what purposes and on what legal grounds do we process your personal data?).

Please note, however, that Theo may be required to retain personal data for a longer period if we are required to do so pursuant to applicable law or a binding decision by a public authority or court of law. If that is the case, we will retain it for the period required under law or such decision.

  10. HOW DO WE PROTECT YOUR PERSONAL DATA?

We take the protection of your personal data seriously. We have reasonable and appropriate technical and organisational measures in place in our business to ensure that your personal data is safeguarded and protected against loss, destruction, misuse, and unauthorised access and disclosure, at all times.

Our employees work under strict confidentiality and follow clear instructions on how to manage your personal data in accordance with applicable data protection laws and our own policies. We only grant employees access to your personal data when it is necessary in order for them to perform their duties.

We continuously evaluate our security measures to remedy any vulnerabilities we may identify in an effort to make sure that your personal data is safe with us.

  11. YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM

You have rights with regard to your personal data. Please read this Section to understand them, as well as how you can exercise them. You are always welcome to contact us if you need more information about your rights. You can also find further information regarding your rights on the website of the Swedish Authority for Privacy Protection.

11.1 Right to information

You have the right to be informed about how we process your personal data. We respect this right by being transparent with you in our communication, on our Website and by providing you with the information in this privacy policy.

11.2 Right of access

You have the right to obtain a confirmation from us as to whether or not we process your personal data. If we do process your personal data, you also have the right to obtain access to the personal data by requesting a copy showing which personal data we have about you, and how we use it. Please note that we may ask for additional information in order to identify you to ensure that personal data is disclosed to the correct individual.

11.3 Right to rectification

You have the right to request that we correct inaccurate information about you, as well as to complete any incomplete information.

11.4 Right of erasure (Right to be forgotten)

You sometimes have the right to request the erasure of personal data that concerns you. We are required to erase the personal data in question, for example if the personal data is no longer necessary in relation to the purposes for which the personal data was initially collected. Please note that we are not obliged to delete your personal data if it is necessary to retain it to comply with legal obligations, or for the establishment, exercise, or defence of legal claims.

11.5 Right to restriction of processing

You have the right to request that we restrict our processing of your personal data if, for example, you believe that the information we have about you is inaccurate, our processing is unlawful, or we no longer need the information for the purposes for which it was collected.

11.6 Right to object

You have the right to object to our processing of your personal data if our processing is based on a legitimate interest.

11.7 Right to data portability

You have the right to request a copy of the personal data in a machine-readable format that concerns you and which we process to perform a contract or based on your consent. If technically feasible, you can then have such personal data transmitted to a different data controller.

11.8 Right to withdraw your consent

You have the right to withdraw your consent. Please refer to Section 5 (How can you withdraw your consent?) for more information.

11.9 Right to lodge a complaint

If you have any complaints about the way in which we process your personal data, you are always welcome to reach out to us. You also have the right to lodge a complaint with a supervisory authority (such as the Swedish Authority for Privacy Protection).

  12. CHANGES TO THIS PRIVACY POLICY

We reserve the right to introduce updates and make amendments to this privacy policy. This is necessary to ensure that we have the ability to constantly improve our services to you and to introduce new functionalities. We may also be required to make changes to the way in which we process your personal data pursuant to applicable law or a decision issued by a public authority or court of law. If we make any changes to this policy, we will update the "Last updated" date at the top of this policy, so please make sure to check in from time to time.

  13. HOW TO CONTACT US

If you have any questions about the processing of your personal data, this privacy policy or if you have concerns regarding our processing of your personal data, please contact us using the following contact information:

Theo AB

c/o CMNTY
Stureplan 6

114 35 Stockholm, Sweden
Email: dpo@theo.ai 

Website: https://theo.ai

Start your CSRD reporting journey

The workflow and success platform for CSRD and beyond

Offices

Theo AB

Stockholm, Sweden

Stureplan 6, SE-114 35


Silkeborg, Denmark

Højbovej 1C, DK-8600


Org Nr.: 5594425372

EU VAT: SE559442537201


E-mail: hello@theo.ai

Phone: +45 70604757

