Skip to content

Legal

Privacy Policy

Describes which personal data is processed, which legal basis applies to each purpose, and how data subjects can exercise their rights.

Version 2026-06-30Privacy owner, Compliance ownerEffective June 30, 2026Updated June 30, 2026

Contents

Data Controller

Rojs Software AB (reg. no. 559573-3501), Kongahällagatan 7, 442 36 Kungälv, is the data controller for the processing described in this policy.

Data protection enquiries can be sent to privacy@vardbemanningsguiden.se.

Personal Data Processed

We process contact details, account identifiers, session and security data, application details, timesheet data, billing records, and moderation data required for the service.

For BankID sign-in, we process strong identity attributes, short-lived BankID attempt state, and the minimum identity binding needed for account access and abuse-prevention security. Raw personnummer is not stored by default, and BankID identity data is not sent to analytics or marketing.

For interest leads, we also process selected work categories, regions, optional messages, and accepted document versions. For matched interest leads, we also process routing and delivery metadata, selected recipient firms, and access timestamps.

We do not process sensitive health data for ad targeting or other marketing purposes.

Legal Basis and Purpose

Core product functions such as account access, applications, invitations, timesheets, approvals, and support handling are processed to perform a contract or to take steps before entering into a contract.

BankID is used as necessary strong identity for Swedish member sign-in and is processed to deliver account access, protect against unauthorized use, and bind verified identity to the correct member account.

Matched interest leads are processed to provide the matching requested by the consultant and to share the request with selected firms that match the submitted choices.

Security logging, abuse prevention, moderation, disputes, and auditability are processed under legitimate interests.

Billing, bookkeeping, and other required business records are processed to comply with legal obligations.

Consent is used only for analytics and future marketing categories where consent is required under applicable rules.

Consent is not used as the legal basis for core processing required for matched interest leads.

BankID and Strong Identity

BankID is used for Swedish member sign-in where the service needs strong identity before account access, interest leads, tenant invitations, ratings, or time reporting.

BankID data is kept out of public product views, links, analytics streams, and marketing. Changes that store additional BankID attributes require a new privacy review.

Interest Leads and Recipients

A direct interest lead is sent only to the firm chosen by the consultant.

A matched interest lead is sent to selected firms matching the consultant's choices. It is not sent to the whole market, and the recipient firms, timestamps, and routing basis are documented.

Firms receiving an interest lead are independent recipients for their follow-up after receipt. They may use the data only to handle that specific lead and according to their own legal obligations.

If an interest lead is withdrawn, we stop future access where possible. Data a recipient firm has already accessed may need to be handled by that firm under its own obligations.

Analytics, Marketing, and Public Transparency

When the Analytics category is allowed, we may use Vercel Web Analytics on public pages. Private workspaces, sensitive search parameters, and personal data are excluded from analytics payloads.

The Marketing category exists in the interface but is not active on this site today. Google tags or other ad measurement must not be enabled before a separate consent model and updated documentation are in place.

If consultant ratings or sponsored firms are shown publicly, they must be described clearly so that ratings, rankings, and sponsorship are not conflated.

Automated decision-making was assessed before activating multi-firm distribution for matched interest leads. If future changes mean legal or similarly significant effects cannot be ruled out, human review, objection handling, and clearer public information are required before the change is activated.

Cross-border Transfers

Certain subprocessors (Vercel, Stripe) may process personal data outside the EU/EEA. Such transfers are protected by the EU Standard Contractual Clauses (SCCs) included in each subprocessor's data processing agreement.

Rights and Contact

Data subjects may request access, correction, or deletion under applicable data protection laws.

Data protection enquiries can be sent to privacy@vardbemanningsguiden.se.

For interest leads, access requests can include selected recipient firms and disclosure timestamps where this can be provided without exposing another person's data.

If you believe your personal data is being processed in violation of data protection law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se.

Version history

  • Version: 2026-06-30

    Effective from: June 30, 2026

    Last updated: June 30, 2026

    Current version

Allow analytics cookies?

Privacy Policy | Vårdbemanningsguiden