Privacy Policy
How Flybring IT AB collects, uses, and protects your personal data, and the rights you have under the GDPR.
Flybring IT AB ("Flybring IT", "we", "our", or "us") respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies to the GridTree website at gridtree.app and the GridTree desktop application (together, the "Service").
We are subject to the EU General Data Protection Regulation (GDPR) and, where applicable, Swedish data protection law.
1. Data Controller
The data controller responsible for processing your personal data is:
Flybring IT AB (org.nr. 559400-4318)
Örtagårdsvägen 39, 891 51 Örnsköldsvik, Sweden
Email: privacy@gridtree.app
Website: gridtree.app
For questions about this policy or your rights, contact us at privacy@gridtree.app.
2. Data We Collect
2.1 Account and Identity Data
When you register for an account, we collect:
- Email address
- Name (if provided)
- Password (stored as a cryptographic hash — we never store your plain-text password)
- Organisation or team name (if applicable)
2.2 Billing and Payment Data
When you subscribe to a paid plan, our payment processor Stripe collects and processes your payment details (card number, billing address). Flybring IT does not receive or store your full card number. We do receive and store:
- Stripe customer ID and subscription ID
- Billing address (for tax and invoicing purposes)
- Transaction history and invoices
2.3 Usage and Technical Data
To provide and improve the Service, we collect:
- Log data (IP address, browser type and version, pages visited, time and date of requests)
- Desktop application version and operating system (transmitted when the application verifies your licence or checks for updates)
The desktop application does not currently collect or transmit analytics or telemetry data (such as feature usage statistics, error reports, or crash logs). If such collection is introduced in the future, this policy will be updated and you will be informed in advance.
2.4 Communication Data
If you contact us by email or through the Service, we retain records of that correspondence.
2.5 Cookies and Similar Technologies
Our website uses only essential cookies required for authentication and session management. We do not use advertising, analytics, or tracking cookies.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Supabase | Stores your authentication session | Session / up to 1 week |
| sb-*-auth-token-code-verifier | Supabase | PKCE flow security token for OAuth login | Session |
You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in to the Service.
3. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Providing and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Complying with accounting and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Improving and securing the Service | Legitimate interests (Art. 6(1)(f)) — we balance these against your interests and rights |
| Sending product updates and announcements | Legitimate interests (Art. 6(1)(f)), or consent where required |
| Responding to support requests | Performance of a contract / legitimate interests |
4. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Process your subscription and payments
- Provide customer support
- Send transactional emails (account confirmations, invoices, password resets)
- Send product update announcements (you can opt out at any time)
- Monitor and improve the reliability, security, and performance of the Service
- Comply with legal obligations (e.g. accounting records, tax reporting)
- Detect and prevent fraud or abuse
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
5. Third-Party Processors
We share your data with the following sub-processors strictly to the extent necessary to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database hosting | EU |
| Stripe | Payment processing and subscription management | USA (Standard Contractual Clauses apply) |
| Cloudflare | Web hosting, CDN, and DDoS protection | Global (Standard Contractual Clauses apply) |
| Microsoft 365 | Email delivery (transactional and product update emails) | EU (EU Data Boundary; Microsoft's DPA with SCCs covers any residual transfers) |
For transfers to countries outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards.
We require all sub-processors to maintain appropriate technical and organisational security measures and to process personal data only on our instructions.
6. Data Retention
We retain your personal data for as long as your account is active and for a period thereafter as necessary to fulfil the purposes described in this policy:
- Account data: Retained for the duration of your account plus 30 days after account deletion (to allow recovery), then deleted.
- Billing records and invoices: Retained for 7 years to comply with Swedish accounting law (bokföringslagen).
- Usage and log data: Retained for up to 90 days for security and debugging purposes.
- Support correspondence: Retained for up to 2 years.
After the applicable retention period, data is securely deleted or anonymised.
7. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration. These include:
- Encryption in transit (TLS) and at rest
- Row-level security policies in our database
- Access controls limiting who at Flybring IT can access production data
- Regular review of security practices
No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@gridtree.app.
8. Your Rights Under GDPR
If you are located in the EU, EEA, or UK, you have the following rights:
Right of access. You can request a copy of the personal data we hold about you.
Right to rectification. You can ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"). You can ask us to delete your personal data, subject to legal retention obligations.
Right to restriction. You can ask us to restrict processing of your data in certain circumstances.
Right to data portability. You can request a machine-readable copy of your data to transfer to another service.
Right to object. You can object to processing based on legitimate interests. You can also object to direct marketing at any time.
Right to withdraw consent. Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint. You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se, or with the supervisory authority in your country of residence.
To exercise any of these rights, contact us at privacy@gridtree.app. We will respond within one month. We may need to verify your identity before acting on a request.
9. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22. Decisions about your account (such as fraud detection or subscription management) may use automated tools, but any outcome affecting you materially is subject to human review.
10. Children
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@gridtree.app and we will delete it.
11. Links to Third-Party Sites
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any privacy-related questions or to exercise your rights:
Flybring IT AB (org.nr. 559400-4318)
Örtagårdsvägen 39, 891 51 Örnsköldsvik, Sweden
Email: privacy@gridtree.app
Website: gridtree.app