Privacy Policy
Last updated: 2026-05-21
Your privacy matters to us. This policy explains what personal data we collect, why, and what rights you have under the GDPR.
1. Data controller
Workflow Labs AB (a Swedish limited company, company reg. no. 559584-1726, VAT no. SE559584172601)
Address: Lingonstigen 1, 312 60 Mellbystrand
Contact: operations@nexar.se · +46 72 039 74 17
2. Data we collect
2.1 When you apply or book
- Name and contact details (email, phone)
- Company details (registration number, address) for mentorship
- Information about your goals, experience and time available — voluntarily provided by you in the application
2.2 When you use the platform
- Login credentials (handled via Supabase Auth)
- Progress and completed lessons in Academy
- Booking information and signed contracts
- Payment details (handled by external payment providers — we never store card numbers)
- Technical data (IP address, browser, timestamp) for security
2.3 When you use Google Calendar integration
- Meetings are created in the mentor's Google Calendar (the NEXAR Team), not yours
- The student receives a calendar invitation via email, but we do not store calendar contents
3. Why we process the data
| Purpose | Legal basis |
|---|---|
| Deliver mentorship and Academy service | Contract |
| Invoicing and payment | Contract + legal obligation (accounting) |
| Send booking confirmations and operational notices | Contract |
| Improve the platform (anonymised analytics) | Legitimate interest |
| Legal compliance (accounting, tax law) | Legal obligation |
4. Who we share data with
We never sell your data. We share it only with service providers necessary to operate the platform:
- Supabase (database, authentication) — servers in the EU
- Vercel (web hosting)
- Resend (email delivery)
- Certified payment providers — for subscriptions and one-time payments. Card details are never handled by us.
- Google (Calendar + Meet for booked sessions — only the information needed to create the meeting)
All have Data Processing Agreements (DPAs) with us committing them to GDPR-compliant processing.
5. Transfers outside the EU/EEA
Some of our providers (e.g. web hosting, Google Calendar, payment services) may transfer data to third countries. In such cases we ensure the transfer is lawful, e.g. via the European Commission's Standard Contractual Clauses (SCC).
6. How long we keep data
- Account and subscription data: during active subscription plus 12 months after cancellation
- Mentorship and contract data: 7 years per Swedish accounting law
- Communication (email): as long as relevant for contract and support, typically 2-3 years
- Log data (IP, technical data): 90 days
7. Your rights
As a data subject you have the right to:
- Access the data we process about you
- Rectify inaccurate data
- Request erasure when there is no longer a reason to keep it
- Restrict processing
- Receive your data in a structured format (data portability)
- Object to processing based on legitimate interest
- Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe we handle your data incorrectly
To exercise any right, email operations@nexar.se. We respond within 30 days.
8. Security
We protect your data through:
- HTTPS across the platform
- Encrypted databases (Supabase)
- Two-factor authentication where possible
- Row-Level Security (RLS) — users only see their own data
- Regular security reviews
9. Cookies
See our separate cookie policy for details on which cookies we use.
10. Changes
We may update this policy. Material changes are communicated via email. The timestamp above shows when the policy was last updated.
11. Contact
Questions about privacy and data processing? operations@nexar.se