Introduction

This Privacy Policy applies when companies within the Excedo Group provide services and/or products to customers and when Excedo is the controller of personal data.

The Privacy Policy describes Excedo’s processing of personal data as well as the rights that employees, consultants, suppliers, partners, customers, or customers’ end customers may exercise.

In this policy, “data subject” refers to the natural person whose personal data is being processed. Depending on the context, this may include, for example, a customer, contact person, user, or another representative of a customer.

Excedo is to be regarded as the controller of personal data for data which is processed to provide services and/or products and for other tasks where Excedo determines the purpose and means of processing such data.

If the customer determines the purpose and means of processing the data, the customer is to be regarded as the controller of personal data and Excedo as the processor. Excedo’s processing of such data is governed by a separate data processing agreement and is not covered by this Privacy Policy.

What kind of data do we process?

Excedo processes personal data necessary to provide our services and/or products.

The type of information we collect depends on which of our services and/or products are used.

Customer data: data related to the service/product we provide to the customer, for example name, address, email address, phone number, and professional title/role.

Other data: data that arises in connection with the customer relationship, such as contract information, billing data, communication, and data from public registers.

How do we collect the data?

Depending on the services and/or products we provide, we collect and process data that:

• is provided by the customer or the data subject when entering into an agreement with Excedo or communicating with us,

• is created when services and/or products are used,

• is collected from other sources, such as company registers, credit assessment providers, or suppliers and partners, or

• is generated through our websites (e.g. through cookies).

If certain personal data is not provided, we may not be able to enter into agreements or provide our services.

What we use the data for

Processing of personal data must be allowed according to applicable data protection regulations, i.e. there must be a legal basis for the processing.

For our processing of personal data to be lawful, it must be necessary:

• to fulfil the agreement with the customer; or

• to fulfil a legal obligation.

Processing of personal data may also take place:

• based on a legitimate interest; or

• based on consent.

Provide and fulfil service and/or product agreements

We process personal data to provide services and/or products, fulfil agreements, and exercise our rights under such agreements.

For example:

• customer administration

• invoicing and payment

• support and troubleshooting

• handling feedback and complaints

Legal basis: fulfil agreement, legal obligation

Develop services and products

We process personal data to develop and improve our business, services, products, and internal processes.

Legal basis: legitimate interest

Provide and improve service to our customers

We process personal data to manage customer relationships, provide support and customer service, and improve our ways of working.

Legal basis: fulfil agreement and legitimate interest

Direct marketing

We process personal data to market our services and products.

Marketing may be carried out via mail, telephone, and email.

Legal basis: legitimate interest or consent (where required by law)

The data subject is always entitled to decline direct marketing.

Information security and prevention of misuse

We process personal data to ensure the security of our services and to detect and prevent unauthorized use, incidents, or misuse.

Legal basis: legitimate interest and legal obligation

Comply with statutory obligations

We process personal data to fulfil obligations under law, regulations, authority decisions, or guidelines, for example under accounting legislation.

Legal basis: legal obligation

How long we save data for

We never save personal data longer than necessary.

• Personal data is saved during the customer relationship and thereafter no later than 12 months after termination of the agreement.

• Data that must be stored according to law, such as accounting data, is saved as long as required by law (normally up to 7 years).

• Data used for support and troubleshooting is saved for a limited period depending on the purpose.

To whom we provide information

We may share personal data with:

• subcontractors and suppliers necessary to provide our services and/or products, such as providers of IT operations, cloud services, business systems, and support,

• companies within our group of companies,

• authorities when required by law.

Where suppliers process personal data on our behalf, they act as processors and are governed by data processing agreements.

In other cases, the recipient may act as an independent controller for its own processing of personal data.

We do not sell personal data.

Transfer of personal data to third countries

We may engage suppliers outside the EU/EEA (so-called third countries) to provide services and/or products.

Such transfers are carried out in accordance with applicable data protection legislation, for example through the European Commission’s standard contractual clauses or equivalent safeguards.

Security

Excedo implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or other unlawful processing. These measures are adapted to the sensitivity and scope of the data.

Cookies

We use cookies on our websites.

For more information about how we use cookies, what types of cookies are used, and how the data subject can manage their settings, please see our separate cookie policy on our website.

User’s exercise of individual rights

In accordance with applicable data protection legislation, the data subject has the right to:

• access their personal data,

• request rectification,

• request erasure,

• request restriction of processing,

• object to processing, particularly where processing is based on legitimate interest or for direct marketing purposes,

• receive their personal data in a machine-readable format (data portability).

Where processing is based on consent, the data subject has the right to withdraw such consent at any time.

Excedo does not carry out automated decision-making or profiling that produces legal or similarly significant effects for the data subject. This means that no decisions that significantly affect the data subject are made solely through automated processing without human involvement.

Requests are handled without undue delay and normally within one month.

Contact information for Excedo

If the customer or the data subject has questions or wishes to exercise their rights, for example to withdraw consent:

Contact our Legal team by email: legal (a) excedo.se
or by phone: +46 8 501 612 00

Complaint

If the data subject considers that personal data is processed in violation of applicable laws and regulations, the data subject may submit a complaint to the Swedish Authority for Privacy Protection (IMY).

Controller of personal data

Excedo Networks AB (reg. no. 556787-9944) is responsible for the processing of personal data.

Jan Stenbecks torg 17
164 40 Kista
Sweden

Validity and amendment of the Privacy Policy

This Privacy Policy is effective as of 1 May 2026.

Excedo may, from time to time, make changes to this Privacy Policy. The latest version is always available on our websites.