Data Controller
Rojs Software AB (reg. no. 559573-3501), Kongahällagatan 7, 442 36 Kungälv, is the data controller for the processing described in this policy.
Data protection enquiries can be sent to privacy@vardbemanningsguiden.se.
Legal
Describes which personal data is processed, which legal basis applies to each purpose, and how data subjects can exercise their rights.
Rojs Software AB (reg. no. 559573-3501), Kongahällagatan 7, 442 36 Kungälv, is the data controller for the processing described in this policy.
Data protection enquiries can be sent to privacy@vardbemanningsguiden.se.
We process contact details, account identifiers, session and security data, application details, timesheet data, billing records, and moderation data required for the service.
For BankID sign-in, we process strong identity attributes, short-lived BankID attempt state, and the minimum identity binding needed for account access and abuse-prevention security. Raw personnummer is not stored by default, and BankID identity data is not sent to analytics or marketing.
For interest leads, we also process selected work categories, regions, optional messages, and accepted document versions. For matched interest leads, we also process routing and delivery metadata, selected recipient firms, and access timestamps.
We do not process sensitive health data for ad targeting or other marketing purposes.
Core product functions such as account access, applications, invitations, timesheets, approvals, and support handling are processed to perform a contract or to take steps before entering into a contract.
BankID is used as necessary strong identity for Swedish member sign-in and is processed to deliver account access, protect against unauthorized use, and bind verified identity to the correct member account.
Matched interest leads are processed to provide the matching requested by the consultant and to share the request with selected firms that match the submitted choices.
Security logging, abuse prevention, moderation, disputes, and auditability are processed under legitimate interests.
Billing, bookkeeping, and other required business records are processed to comply with legal obligations.
Consent is used only for analytics and future marketing categories where consent is required under applicable rules.
Consent is not used as the legal basis for core processing required for matched interest leads.
BankID is used for Swedish member sign-in where the service needs strong identity before account access, interest leads, tenant invitations, ratings, or time reporting.
BankID data is kept out of public product views, links, analytics streams, and marketing. Changes that store additional BankID attributes require a new privacy review.
A direct interest lead is sent only to the firm chosen by the consultant.
A matched interest lead is sent to selected firms matching the consultant's choices. It is not sent to the whole market, and the recipient firms, timestamps, and routing basis are documented.
Firms receiving an interest lead are independent recipients for their follow-up after receipt. They may use the data only to handle that specific lead and according to their own legal obligations.
If an interest lead is withdrawn, we stop future access where possible. Data a recipient firm has already accessed may need to be handled by that firm under its own obligations.
When the Analytics category is allowed, we may use Vercel Web Analytics on public pages. Private workspaces, sensitive search parameters, and personal data are excluded from analytics payloads.
The Marketing category exists in the interface but is not active on this site today. Google tags or other ad measurement must not be enabled before a separate consent model and updated documentation are in place.
If consultant ratings or sponsored firms are shown publicly, they must be described clearly so that ratings, rankings, and sponsorship are not conflated.
Automated decision-making was assessed before activating multi-firm distribution for matched interest leads. If future changes mean legal or similarly significant effects cannot be ruled out, human review, objection handling, and clearer public information are required before the change is activated.
Certain subprocessors (Vercel, Stripe) may process personal data outside the EU/EEA. Such transfers are protected by the EU Standard Contractual Clauses (SCCs) included in each subprocessor's data processing agreement.
Data subjects may request access, correction, or deletion under applicable data protection laws.
Data protection enquiries can be sent to privacy@vardbemanningsguiden.se.
For interest leads, access requests can include selected recipient firms and disclosure timestamps where this can be provided without exposing another person's data.
If you believe your personal data is being processed in violation of data protection law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se.
Version: 2026-06-30
Effective from: June 30, 2026
Last updated: June 30, 2026
Current version
Allow analytics cookies?