arrow Home/Legal /

Privacy Policy (PP)

Privacy Policy (PP)

Effective Date: February 10, 2025

1. Introduction

Deskhero AB (“we,” “us,” or “our“) is committed to protecting the privacy of individuals who use our Software-as-a-Service (SaaS) platform (“Service“). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when Clients, Users, and Client’s Customers interact with our Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms and Conditions.

2. Definitions

  • Client: A business or entity that has entered into an agreement with us to use the Service.
  • User: An employee or agent of the Client who is authorized to use the Service.
  • Client’s Customer: An individual who interacts with the Client through the Service.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, such as collection, use, storage, or disclosure.

3. Data Controller and Data Processor

  • Clients as Data Controllers: Clients are the data controllers of Personal Data relating to their Users and Client’s Customers. They determine the purposes and means of processing such data.
  • Deskhero AB as Data Processor: We act as a data processor on behalf of the Clients, processing Personal Data in accordance with our Data Processing Agreement (DPA).

4. Types of Personal Data Collected

4.1 Personal Data Provided by Clients and Users

We may collect the following types of Personal Data from Clients and Users:

  • Account Information: Names, email addresses, phone numbers, job titles, and company information.
  • Authentication Data: Usernames and passwords.
  • Billing Information: Payment details, billing addresses, and transaction records.

4.2 Personal Data of Client’s Customers

  • Personal Data submitted by Client’s Customers when they interact with the Service, such as support requests, contact details, and any other information provided through the Service.

4.3 Automatically Collected Data

  • Usage Data: Information about how Users access and use the Service, including IP addresses, browser types, and operating systems.
  • Cookies and Similar Technologies: Information collected through cookies and similar tracking technologies. (See Section 12: Cookies and Similar Technologies)

4.4 Use of Google and Microsoft Mailbox Data

When you connect your Google or Microsoft mailbox (“Mailbox Provider”) to Deskhero, we will request your authorization (via OAuth2 or other secure methods) to access, process, and store certain mailbox data so we can deliver helpdesk features (e.g., sending and receiving support tickets, tracking conversation history).

4.4.1. Data Collected

  • Mailbox Content: Emails, attachments, metadata (subject lines, timestamps, sender/recipient addresses).
  • User Account Information: Relevant tokens or credentials needed to send and receive emails on your behalf.

4.4.2. Purpose of Processing

  • Helpdesk Ticket Management: Automatically convert incoming emails into support tickets within Deskhero.
  • Outbound Replies: Send responses from your connected mailbox, ensuring a seamless email experience for your clients or end-users.
  • Conversation History: Store and display email threads and attachments in Deskhero to provide context for ongoing support cases.

4.4.3. Disclosure of Mailbox Data

  • No Sale of Data: We do not sell or share your mailbox data with third parties for advertising or marketing.
  • Authorized Sub-Processors:
    • We only share mailbox data with the limited set of sub-processors listed in our Record of Processing Activities (RoPA) strictly as needed to provide or improve our Service (e.g., virus scanning, storage, or email delivery).
    • These sub-processors are contractually required to adhere to data protection obligations no less protective than those in our Data Processing Agreement.
    • Legal or Regulatory Requirements: We may disclose data if required by law, regulation, or court order.

4.4.4. Data Protection and Security Measures

We consider mailbox data to be confidential and apply robust technical and organizational controls, including:

  • Encryption: All mailbox data is encrypted during transit (TLS) and at rest (AES-256 or equivalent).
  • Access Controls: Only authorized personnel with a legitimate need can access your mailbox data. All access is logged and monitored.
  • Incident Response: We maintain a detailed incident response plan to address any suspected security events.
  • Additional Safeguards: For a full overview, refer to our Technical and Organisational Measures (TOM).

4.4.5. Retention and Deletion

  • Active Use: We retain your mailbox data as long as you maintain a Deskhero account and keep your mailbox integration active, to facilitate support ticket creation, replies, and historical reference.
  • Disconnection or Account Closure:
    • If you revoke your mailbox integration or close your Deskhero account, we will delete all associated mailbox data from our active systems within 30 days, subject to any legal retention requirements.
    • Any residual data in backups is automatically purged on a rolling basis within one (1) year, in line with our backup retention policies.
  • Early Deletion Requests: You may request earlier deletion of mailbox data by contacting us at [privacy@deskhero.com]. We will honor such requests unless prohibited by law or legitimate business needs (e.g., ongoing legal obligations).

5. Purpose and Legal Basis for Processing

5.1 Providing the Service

  • Purpose: To operate and provide features of the Service.
  • Legal Basis: Performance of a contract (GDPR Article 6(1)(b)).

5.2 Communication

  • Purpose: To communicate with Clients and Users regarding the Service, including support and updates.
  • Legal Basis: Performance of a contract and legitimate interests (GDPR Article 6(1)(b) and 6(1)(f)).

5.3 Compliance and Legal Obligations

  • Purpose: To comply with legal obligations and respond to lawful requests.
  • Legal Basis: Compliance with legal obligations (GDPR Article 6(1)(c)).

5.4 Improvement and Analytics

  • Purpose: To analyze usage and improve the Service.
  • Legal Basis: Legitimate interests (GDPR Article 6(1)(f)). Where required by law, we obtain consent.

6. Data Subject Rights

Individuals have the following rights regarding their Personal Data:

  • Right to Access: Obtain confirmation and access to their Personal Data.
  • Right to Rectification: Request correction of inaccurate Personal Data.
  • Right to Erasure: Request deletion of Personal Data under certain conditions.
  • Right to Restriction: Request restriction of processing under certain conditions.
  • Right to Data Portability: Receive their Personal Data in a structured, commonly used format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time, where processing is based on consent.

Exercising Rights

  • Clients and Users: May contact us at privacy@deskhero.com to exercise their rights.
  • Client’s Customers: Should contact the Client (data controller) directly to exercise their rights. We will assist Clients in responding to such requests as outlined in our DPA.

7. Disclosure of Personal Data

We may disclose Personal Data to:

  • Sub-Processors: Third-party service providers who assist in providing the Service. (See Section 8)
  • Legal and Regulatory Authorities: When required by law or to protect our rights.
  • Business Transfers: In connection with mergers, acquisitions, or asset sales.

8. Sub-Processors

We use third-party Sub-Processors to support the provision of our Service. A list of current Sub-Processors is available in our Record of Processing Activities (RoPA) and will be updated as necessary. We ensure that all Sub-Processors are bound by data protection obligations consistent with this Privacy Policy and applicable laws.

9. International Data Transfers

Personal Data may be transferred to countries outside the European Union (EU) or European Economic Area (EEA) that may have different data protection laws. We ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs): Utilizing SCCs approved by the European Commission. See our Data Processing Agreement (DPA) for details.
  • Adequacy Decisions: Transferring to countries recognized by the European Commission as providing an adequate level of data protection.

10. Security Measures

We implement appropriate technical and organisational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Encrypting data in transit and at rest.
  • Access Controls: Restricting access to authorized personnel.
  • Regular Assessments: Conducting regular security assessments and audits.

For detailed information, please refer to our Technical and Organisational Measures (TOM) document.

11. Data Retention

We retain Personal Data only as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements.

  • Clients and Users: Personal Data is retained for the duration of the Agreement and as required by law.
  • Client’s Customers: Personal Data is retained as instructed by the Client or as required by law.

Upon termination of the Agreement, Personal Data will be deleted or anonymized in accordance with our DPA and data retention policies.

12. Cookies and Similar Technologies

We use cookies and similar technologies to enhance the User experience. Cookies are small text files stored on your device when you visit our Service.

12.1 Types of Cookies Used

  • Essential Cookies: Necessary for the operation of the Service.
  • Analytical Cookies: Help us understand how the Service is used.

12.2 Managing Cookies

Users can manage cookie preferences through their browser settings. Disabling cookies may affect the functionality of the Service.

For more information, please refer to our Cookie Policy

13. Changes to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy from time to time. We will notify Clients and Users of significant changes by:

  • Sending an email to the registered email address.
  • Displaying a notice upon next sign-in to the Service.

13.2 Acceptance of Changes

Continued use of the Service after changes have been made constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you may terminate your account.

14. Contact Information

For any questions or concerns regarding this Privacy Policy or our data practices, please contact our Data Protection Officer (DPO):

  • Name: Klas Karlsson
  • Email: dpo@deskhero.com
  • Phone: +46 70 601 13 22

15. Complaints

If you believe that our processing of Personal Data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority in your country or in Sweden.

16. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Sweden.

By using the Service, Clients, Users, and Client’s Customers acknowledge that they have read and understood this Privacy Policy.