Privacy Policy

Effective date: 2025-10-16

Last updated: 2025-10-16

Kvirkel ("the App") is operated by Gustav Westling AB ("we," "us," or "our"). This Privacy Policy explains how we collect, use, and protect your personal data when you use the Kvirkel app, API, and website (together, the "Service").

We are committed to protecting your privacy and handling your data transparently and securely, in accordance with the EU General Data Protection Regulation (GDPR) and applicable Swedish law.

1. Data Controller

The data controller responsible for your personal data is:

Gustav Westling AB
Hagaesplanaden 61
113 68 Stockholm
Sweden
Org. no: 559297-6731
Email: privacy@kvirkel.com

2. Data We Collect

We collect and process only the information necessary to provide and improve the Service. This may include:

a) Account and Subscription Information

  • Email address
  • Subscription status and plan details (active, expired, renewal date)
  • Usage data (eg amount of bytes backed up to Kvirkel)

b) Backed up data

  • Backed up photos and videos, including metadata. This data is always encrypted on your device, and never leaves your device un-encrypted.
  • The backed up data is stored on Amazon Web Services (AWS) data centers located in Sweden.

3. How We Use Your Data

We use your data only for the following purposes:

  • To provide and maintain the Service
  • To process and verify App Store subscriptions
  • To store and back up your photos securely
  • To improve performance and reliability
  • To respond to support requests and user feedback
  • To comply with legal obligations

We do not sell or rent your data to third parties.

4. Legal Basis for Processing

We process personal data based on the following legal grounds under the GDPR:

  • Performance of a contract: to provide the Kvirkel Service you subscribed to.
  • Legitimate interest: to maintain and improve our services and protect against fraud.
  • Consent: when you explicitly agree to certain optional data uses (e.g., analytics or marketing).

5. Data Storage and Hosting

All user data is stored within the European Union, specifically in AWS data centers in Sweden. Our backend API and website are hosted by Vercel, with data processing located in Sweden.

We ensure that both AWS and Vercel maintain industry-standard security certifications (such as ISO 27001 and SOC 2) and implement strong technical and organizational measures to protect your data.

6. Data Retention

We retain your data only as long as necessary to provide the Service or comply with legal obligations.

  • Photo backups and associated data are deleted within 30 days after your subscription ends or your account is terminated.
  • Support correspondence is retained for up to 12 months for record-keeping.
  • Anonymized analytics data may be retained longer for statistical purposes.

7. Data Sharing and Transfers

We may share limited data only with trusted service providers who process data on our behalf and under our instructions.

These include:

  • Amazon Web Services (AWS) for storage
  • Vercel for hosting and API delivery
  • Apple for subscription verification and billing

We do not transfer data outside the EU/EEA. If a transfer ever occurs, we will ensure it is protected under GDPR-compliant safeguards.

8. Your Rights

Under the GDPR, you have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Request limitation of how we process your data.
  • Portability: Request a copy of your data in a portable format.
  • Objection: Object to processing based on legitimate interests.

You can exercise these rights by contacting us at privacy@kvirkel.com. We may require verification of your identity before fulfilling your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or alteration.

This includes:

  • Encryption of data in transit and at rest
  • Secure authentication and access controls
  • Regular security reviews and audits

However, no system is completely secure, and we cannot guarantee absolute protection against all risks.

10. Children's Privacy

Kvirkel is not directed to children under 13 years of age. We do not knowingly collect personal data from children. If you believe we have unintentionally collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted in the app or on our website, with a new effective date. We encourage you to review this page periodically for the latest information.

12. Contact

If you have questions, requests, or complaints regarding this Privacy Policy, please contact us at:

📧 privacy@kvirkel.com

Gustav Westling AB