Privacy Policy

1. Introduction

This Privacy Policy provides information about how Pedaly AB with company registration number 559243–7999, a private limited company registered in Sweden (hereafter referred to as "Pedaly", "we", "our" or "us"), processes personal data, as well as the rights of data subjects.

This Privacy Policy is designed to ensure that we process personal data in accordance with the General Data Protection Regulation ("GDPR") based on the principle of accountability. The policy applies to all processing of personal data, both in structured and unstructured formats.

In this Privacy Policy, you can also read about the purposes for which the processing takes place, where the data is stored and who may have access to it. References to “you”, “your”, or “yours” refer to the data subject whose personal data we process.

We are the data controller for the processing carried out by or on behalf of us, when we determine the purposes and means of the processing, and are responsible for ensuring that such processing is in compliance with this Privacy Policy and the GDPR.

By contacting us, using the Pedaly mobile application (the "Pedaly app"), or entering into an agreement with us regarding any of the services or products offered, personal data may be processed in accordance with this Privacy Policy and GDPR.

We update this Privacy Policy as needed and review its content at least once per year to ensure that the information is up to date and in line with our processing activities. The latest version is always available at: www.pedaly.se/privacy.

2. Definitions

In this Privacy Policy, the definitions correspond to those set out in the EU General Data Protection Regulation 2016/679 (“GDPR”), such as “personal data”, “processing”, “data subject”, “supervisory authority”, “controller”, “processor” and others. Each of these definitions shall have the same meaning as provided in Article 4 of the GDPR. For a complete list and exact definitions, please refer to that article.

3. What Personal Data Pedaly Processes 

We only process personal data that is adequate, relevant, and necessary for the purposes for which it was collected, in line with the principle of data minimisation. 

We process the following categories of personal data:

• Identification and contact details: name, personal ID number, phone number, email address.

• Payment details: information required to process payments.

• User-provided data: any personal data provided by users or individuals in contact with us, including information shared when contacting customer support.

• Data related to the use of services: bookings, location data, session duration, and usage data from the Pedaly app’s functions.

• Technical data: IP address, device information, app version, GPS-based location data (where permission has been granted), crash reports, and usage behavior (e.g., clicks, navigation, session time).

4. How Pedaly Access the Personal Data

We collect personal data through your interactions with us, for example via phone, email, contact forms, or when using the Pedaly app. Personal data is obtained in situations such as:

• Account registration: when you create an account and provide your contact details, such as your email address.

• Use of the App: when you use the App’s features, which generates certain technical and usage data.

• Support: when you contact our support, your contact details will be processed and the information you provide in your request.

In some cases, we may also obtain personal data from third parties, such as payment providers, subscription systems, or public authorities, always in accordance with applicable data protection laws.

5. Legal Basis for Data Processing

Under GDPR, a legal basis is required for processing personal data. We base our processing mainly on the following four legal bases under the GDPR:

• Consent (Article 6.1.a GDPR): When you have given your consent to the processing of your personal data for specific purposes (e.g., receiving marketing communications). If processing of your personal data is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Contract (Article 6.1.b GDPR): When processing of your personal data is necessary for entering into or performing a contract with you (such as providing access to the App and its features).

• Legal obligation (Article 6.1.c GDPR): When processing of your personal data is necessary to comply with a legal requirement, which means that we must keep certain data because the law requires it (for example for accounting, tax, or consumer protection purposes).

• Legitimate interest (Article 6.1.f GDPR): When processing of your personal data is necessary for our legitimate interests, or those of a third party, provided these interests are not overridden by your rights and freedoms (e.g., ensuring security, improving the App, or communicating with existing users about the services). Where processing is based on legitimate interest, we have carried out a balancing test to ensure that our interests do not override your right to privacy and data protection.

In some cases, providing personal data is voluntary, but without it we may not be able to provide certain services, such as customer support or access to the services.

6. Purpose of Processing Personal Data

1) Fulfilling contractual obligations and providing services 

When you register an account and/or use the Pedaly app, we process your personal data to fulfill contractual obligations and deliver the agreed services.

• Purpose: To provide and manage our services in accordance with the terms and conditions, including account management, bookings, payments (if applicable), and necessary service communications.

• Personal data

  • Identification and contact details (e.g., name, email address, phone number, personal ID number).

  • Payment details (if applicable).

  • Account details and usage information (e.g., bookings, session duration, location data, service usage history).

• Processing

  • Collecting and storing accounts and booking data.

  • Verifying your identity and managing your user account.

  • Handling payments and invoicing (where applicable).

  • Enabling and administering service usage.

  • Sending necessary service-related communications (e.g., booking confirmations, parking reminders, account/security notifications).

• Legal basis: Contract. Processing is necessary to fulfill our obligations under the agreement with you.

• Recipients: Service providers supporting registration, payment processing (if applicable), hosting, communication, and technical delivery of the app’s functions.

• Storage period: Personal data is stored for as long as you have an active account with us and normally up to three (3) years after termination of the contractual relationship. See Section 8 for circumstances requiring longer retention.

2) Business relationships (B2B)

We process personal data belonging to representatives of business customers, suppliers, service providers, and partners in connection with business relationships and agreements. This section does not apply to individual end-users of the Pedaly app.

• Purpose: To manage and maintain business relationships, administer agreements, communicate with relevant representatives, and handle day-to-day cooperation.
  Personal data: 

  • Identification and contact details (e.g., name, job title, employer, email address, phone number).

  • Communication records.

  • Information necessary for contract administration (e.g., signatory rights, invoicing details).

• Processing: 

  • Collecting and storing contact details.

  • Communicating via email, phone, or meetings.

  • Managing contractual rights and obligations.
    Invoicing and maintaining records of cooperation.

• Legal basis: Legitimate interest. We have a legitimate interest in managing business relationships and fulfilling contractual rights and obligations with companies through their representatives.

• Recipients: Service providers assisting with communication, contract management, and accounting. Personal data may also be shared with other parties where necessary to administer the business relationship.

• Storage period: Personal data is stored for the duration of the business relationship and normally up to three (3) years after its end. See Section 8 for information about circumstances that may require longer retention.

3) Improving user experience and analyzing app behavior

We process personal data to evaluate and improve the performance, functionality, and usability of the App.

• Purpose: To understand how the App is used, identify areas for improvement, and enhance the user experience.

• Personal data: 

  • Technical and usage data (e.g., device information, operating system, app version, IP address, session duration, clicks, navigation, crash reports, and interaction with features).

• Processing: 

  • Collecting and analyzing usage statistics.

  • Performing error and crash analysis.

  • Testing and developing new features.

  • Monitoring system performance.

• Legal basis: Legitimate interest. We have a legitimate interest in improving its services and ensuring that the App functions smoothly and efficiently.

• Recipients: Analytics and IT service providers supporting us with data analysis, error reporting, and feature testing.

• Storage period: Technical and usage data linked to an individual is normally retained for up to two (2) years, after which it is anonymized or deleted. See Section 8 for information about circumstances that may require longer retention.

4) Push notifications

If you enable push notifications in the Pedaly app, we process your personal data to provide relevant service updates and reminders.

• Purpose: To send service-related messages and reminders (e.g., booking updates, parking notifications, account alerts) directly via the app’s push functionality.
  Personal data:

  • Device information.

  • Notification preferences.

  • App and account settings (e.g., language, time zone).

• Processing: 

  • Activating and managing your push notification settings.

  • Sending notifications and ensuring correct delivery to your device.

• Legal basis: Consent. Processing is based on your consent when enabling push notifications in the app or on your device. You may withdraw your consent at any time by changing your preferences in the app or device settings.
  Recipients: Technical service providers that enable and deliver push notifications.

• Storage period: Personal data related to push notifications is stored only as long as you use the feature or until you withdraw your consent.

5) Direct marketing

We may process your personal data to provide you with offers, news, and information about our services that may be of interest to you.

• Purpose: To inform users about ourservices, provide relevant offers, and encourage continued use of the App.

• Personal data: 

  • Identification and contact details (e.g., name, email address, phone number).
    Account details.

  • Usage data (e.g., how you use the app, service preferences).

• Processing: 

  • Creating and sending marketing communications via email, SMS, or other electronic channels.

  • Customizing messages based on your service usage or preferences.

  • Managing opt-out and unsubscribe requests.

• Legal basis: 

  • Legitimate interest: We have a legitimate interest in marketing its services to existing or former users. You always have the right to object to this processing, in which case we will stop using your data for direct marketing.

  • Consent: For certain channels (such as SMS, if required by applicable law), processing is based on your prior consent.

• Recipients: Marketing and communication service providers that support us in distributing messages.

• Storage period: Personal data processed for direct marketing is stored until you object to such processing or until your account is terminated. If you unsubscribe from marketing communications, we will immediately stop processing your data for this purpose. However, we may retain your contact details in a suppression list to ensure that you do not receive further marketing. These details are kept as long as we conduct marketing activities, or until you request their deletion.

6) Customer support and user feedback

When you contact us, for example via email, phone, surveys, the feedback feature in the app, or other channels, we process your personal data to handle your request and collect feedback that helps improve our services.

• Purpose: To manage incoming requests, provide user support, answer questions, and collect feedback to improve and develop our services.

• Personal data:

  • Identification and contact details (e.g., name, email address, phone number).

  • Account information.

  • The details you choose to provide in your request or feedback.

• Processing: 

  • Receiving and registering requests or feedback.

  • Identifying you as a user.

  • Handling and responding to the case.

  • Compiling and analyzing feedback.

  • Following up when necessary.

• Legal basis: Legitimate interest. We have a legitimate interest in providing support, responding to user inquiries, and improving its services based on user feedback.
  Recipients: Service providers offering communication services (e.g., email provider, telecommunication provider, survey platform).

• Storage period: Support cases and feedback are normally stored for up to three (3) years after the case is closed or the feedback is received, to enable follow-up and service improvement. See Section 8 for information about circumstances that may require longer retention.

7) Complying with legal obligations

We process personal data when required to comply with applicable laws and regulations.

• Purpose: 

  • To fulfill statutory obligations such as bookkeeping, tax reporting, and accounting requirements.

  • To ensure compliance with data protection rules, including documentation of personal data breaches and fulfilling data subject rights.

  • To cooperate with competent authorities where required by law.

• Personal data: 

  • Identification and contact details (e.g., name, email address, phone number, personal ID number).

  • Payment details and transaction history.

  • Other data necessary to meet legal obligations.

• Processing: 

  • Recording, storing, and reporting information as required by law.

  • Investigating, managing, and documenting personal data breaches.

  • Cooperating with government and supervisory authorities upon request.

• Legal basis: Legal obligation. Processing is necessary for us to comply with legal requirements under, for example, the Swedish Bookkeeping Act, tax legislation, consumer protection law, and the GDPR.

• Recipients: 

  • Government authorities such as the Swedish Tax Agency, law enforcement authorities, auditors, and supervisory authorities (e.g., IMY).

  • IT/security providers assisting with technical analysis in connection with incident management.

• Storage period: 

  • Accounting records are retained for seven (7) years in accordance with the Swedish Bookkeeping Act.

  • Documentation of personal data breaches is normally retained for three (3) years after the investigation is completed, unless longer retention is required.

  • Other statutory retention periods apply depending on the relevant law.

8) Crime prevention & security

We process personal data to protect its services, users, and business operations from misuse, security risks, and criminal activities, and to ensure that the app and related systems function securely and reliably.

• Purpose: 

  • To detect, prevent, and investigate suspected criminal activity, misuse, and unauthorized access.

  • To maintain the technical stability, integrity, and security of our services.

  • To cooperate with relevant authorities in connection with suspected criminal activity.

• Personal data: 

  • Identification and contact details (e.g., name, email address, phone number).

  • Account details and login data.

  • Technical and usage data (e.g., IP address, device information, log files, session data, GPS-based location if activated).

• Processing: 

  • Monitoring and analyzing system activity.

  • Maintaining logs and implementing authentication and security controls.

  • Detecting suspicious or unauthorized behavior.

  • Taking necessary measures to safeguard users and Pedaly’s systems.

  • Reporting and sharing information with law enforcement authorities in case of suspected criminal activity.

• Legal basis: Legitimate interest. We have a legitimate interest in ensuring the stability and security of its services, and in preventing misuse and criminal activity.

• Recipients: 

  • IT security providers, hosting providers, and analytics providers.

  • Law enforcement authorities in case of suspected criminal activity.

• Storage period: Security-related data (such as log files and system events) is normally retained for up to one (1) year. See Section 8 for circumstances that may require longer retention.

7. Where Personal Data is Stored

We strive to process and store all personal data within Sweden and the European Union (EU) or the European Economic Area (EEA). In some cases, however, personal data may be transferred to and processed outside the EU/EEA. To ensure adequate protection of your personal data in such cases, we implement appropriate safeguards, which may include the use of the European Commission’s Standard Contractual Clauses (SCCs).

8. Retention Period

Personal data is only retained for as long as necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements, in accordance with the principle of storage limitation. When personal data no longer needs to be retained, it is deleted or anonymized in accordance with our internal retention routines and applicable legislation.

The exact retention period depends on the type of personal data and the purpose of the processing. As a main rule, retention periods are specified in Section 6 for each purpose of processing. In certain cases, however, longer retention may be necessary. Please note the following exceptions:

• Legal requirements: If Pedaly is legally required to retain personal data (for example under accounting law, anti-money laundering legislation, or consumer protection laws), the data will be stored for the period required by the relevant law.

• Legal claims and disputes: If relevant, personal data may be retained until the applicable statute of limitations has expired, in order to establish, exercise, or defend legal claims.

• Regulatory investigations or proceedings: In the event of ongoing or potential proceedings, relevant personal data may be retained until the matter is finally resolved.

• Other obligations: If you request erasure, Pedaly may retain certain personal data to the extent necessary to fulfill contractual, statutory, or regulatory obligations.

9. Sharing of Personal Data

We process personal data with care and only share data in accordance with applicable data protection legislation. Recipients of processing are specified under each purpose in Section 7 of this Privacy Notice but are summarised here for clarity. 

Service providers: We engage external providers to help us operate our business. These may include: 

• Processors, who process personal data on our behalf and in accordance with our instructions, e.g. IT providers for operations, system maintenance, storage and security, as well as accounting firms for bookkeeping. Data Processing Agreements are entered into with all processors in accordance with Article 28 GDPR. 

• Independent controllers, e.g. payment service providers and banks who process personal data to deliver their services to us or to comply with their own legal obligations. 

Authorities: We may disclose personal data to authorities where required by law, such as to the Swedish Tax Agency or the Police. This may occur in connection with tax and accounting requirements, regulatory investigations, or for the prevention and investigation of crimes. 

Other parties: In some cases, personal data may be shared with other independent third-party controllers, who are responsible for their own processing. For example, this may occur in connection with business transactions (such as a sale, merger, or restructuring of our company) or where a third party has a legitimate interest in processing the personal data. 

10. Rights of the Data Subject

As a data subject under the GDPR, you have the following rights:

• Right to information: You have the right to clear information about how we process your personal data, including the purposes, categories of data, and potential recipients. This information is provided in this Privacy Policy.

• Right of access: You may request a copy of the personal data that we process about you and receive information about the processing, including any transfers outside the EU/EEA and applicable safeguards.

• Right to rectification: If your personal data is inaccurate or incomplete, you have the right to have it corrected. Where feasible, we will also inform relevant recipients of the correction. You also have the right to be informed of who these recipients are.

• Right to erasure (“right to be forgotten”): Under certain circumstances, you may request that we delete your personal data, for example if it is no longer needed for the purpose it was collected or if you withdraw your consent. In some cases, however, we must retain certain data if the law requires it (for example, for tax or accounting purposes). Where feasible, we will also inform relevant recipients of the erasure and provide you with information about who these recipients are.

• Right to restriction of processing: You may request that we restrict the processing of your personal data, for example if you contest its accuracy or if the processing is unlawful but you oppose deletion. During restriction, we may only store the data, process it with your consent, or process it for the establishment, exercise, or defense of legal claims. We will inform you when the restriction ends.

• Right to data portability: If we process your personal data based on consent or contract, you have the right to receive it in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.

• Right to object: You may object to our processing of your personal data if it is based on legitimate interests. We may only continue processing if compelling legitimate grounds can be demonstrated that override your interests. You always have the right to object to processing for direct marketing, in which case we must immediately stop such processing.

• Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, if the decision significantly affects you. Exceptions apply if the decision is necessary for a contract or required by law. In such cases, you may request human review of the decision. We do not make automated decisions, with or without profiling.

You may contact us using the details provided at the end of this Privacy Policy to exercise your GDPR rights. Exercising your rights is free of charge, unless your request is repetitive, unfounded, or excessive, in which case we may charge a reasonable fee or refuse the request.

To ensure proper handling, we may need to verify your identity before processing your request. We normally handle and provide a response to your request within one month of receipt. If more time is needed due to complexity or number of requests, we may extend the period by up to two additional months. In that case, you will be informed within the first month.

Please note that certain rights are limited under the GDPR and only apply in specific circumstances. If we cannot fulfill your request, we will inform you of the reasons, in accordance with applicable law.

11. Security Measures

Pedaly takes the security of personal data seriously and implements appropriate technical and organizational measures in accordance with Article 32 GDPR to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. These measures are designed to ensure a level of security appropriate to the risk, and we regularly review and update them to maintain effective protection.

12. Questions or Complaints

If you have any questions about this Privacy Policy or about how we process your personal data, you can contact Pedaly’s contact person for personal data matters:

• Name: Ali Taleb

• Email: at@pedaly.se

• Phone number: +46 73 988 96 84 (weekdays 09:00–16:00 CET)

If you are dissatisfied with Pedaly’s processing of your personal data, you may lodge a complaint with Pedaly’s supervisory authority, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”):

• Phone: +46 (0)8-657 61 00

• Email: imy@imy.se

• Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden

If you reside in another EU/EEA country, you may also contact the supervisory authority in your country of residence. A list of EU supervisory authorities is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en