Legal · GDPR
Privacy Notice
Last updated: 2026-07-07
1. Controller
Controller within the meaning of Art. 4(7) GDPR: [INSERT COMPANY LEGAL NAME], [INSERT BUSINESS ADDRESS]. Contact: compliance@swlef.com. See the Impressum for full operator details.
2. Categories of data we process
- Account data — name, email, password hash, role, company association.
- Evidence documents — ownership, licensing and chain-of-title documents submitted for review. Stored privately, fingerprinted (SHA-256) for integrity; never published.
- Registry data — work metadata, statuses, review dates and audit history (partly public by design).
- Payment / access data — plan, transaction status and provider references. Card data is processed by the payment provider (Stripe / PayPal) and never stored by SWLEF.
- Cookies / session data — a session cookie for sign-in, a short-lived unlock cookie for PIN-protected records, a consent cookie, and a short operational presence signal (current page, IP address, browser type) used to protect the service. No advertising or cross-site tracking cookies.
- Communication data — support, compliance and claims correspondence; transactional emails; newsletter only for subscribed addresses.
3. Legal bases (Art. 6 GDPR)
- Art. 6(1)(b) — performance of contract: accounts, submissions, review workflow, access plans.
- Art. 6(1)(c) — legal obligations: commercial and tax retention.
- Art. 6(1)(f) — legitimate interests: registry integrity, fraud and abuse prevention, security logging, dispute handling.
- Art. 6(1)(a) — consent: newsletter, non-essential cookies.
4. Retention
See the Data Retention Policy. In brief: accounts until closure plus statutory retention; evidence for the record's life + up to 6 years; payment records up to 10 years (statutory); operational logs ≤ 30 days; newsletter until unsubscribed.
5. Recipients and processors
Hosting on servers operated for the controller in the EU. Payment processing: Stripe and/or PayPal under their own terms. Submitted evidence is accessible only to authorized reviewers — and to platforms or legal teams where you request it or law requires it. Data is not sold.
6. International transfers
Processing takes place in the EU where possible. Where a processor transfers data outside the EEA (e.g. payment providers), the transfer relies on adequacy decisions or EU standard contractual clauses.
7. Your rights
Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21); consent may be withdrawn with future effect. Requests: compliance@swlef.com. Public registry records are retained as part of the registry's verification function (see Art. 17(3) limits).
8. Supervisory authority
You may lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence or of the controller's seat: [INSERT COMPETENT STATE DATA PROTECTION AUTHORITY].
9. Security
TLS on all connections, hashed passwords (bcrypt), signed session tokens, role-based access to evidence, private document storage outside the web root, and audit logging of administrative actions.