Privacy Policy

This Privacy Policy explains what personal data Right on Point Solutions AB, org. no. 559505-8578, Sweden ("ROPARC", "we") processes as a controller, why, and what rights you have. It applies to this website and to the account-level parts of the ROPARC service.

1. Two roles — controller and processor

For your account, billing, and our website, we are the controller, and this policy applies. For the content your organization puts into its workspaces (requirements, documents, reviews — which may include personal data such as names in comments and change history), your organization is the controller and we are a processor: that processing is governed by the Data Processing Addendum, not this policy.

2. Data we collect as controller

• Account data: name, email address, organization name and role, hashed authentication credentials.
• Billing data: plan, seat count, invoicing details, and VAT number. Card details are collected and stored by Stripe, not by us.
• Service telemetry: server logs (IP address, timestamps, requested endpoints) and security/audit events needed to operate, secure, and debug the service.
• Correspondence: support and sales email you send us.

The marketing site uses no advertising trackers. If we use analytics, it is cookieless and aggregate; we do not show a cookie banner because we do not set non-essential cookies.

3. Purposes and legal bases (GDPR Art. 6)

• Providing the service and billing — performance of a contract (Art. 6(1)(b)).
• Security, abuse prevention, and service improvement — legitimate interests (Art. 6(1)(f)).
• Bookkeeping and tax records — legal obligation (Art. 6(1)(c), Swedish accounting law).
• Product announcements to account holders — legitimate interest, with an opt-out in every message.

4. Recipients and transfers

We share personal data only with the sub-processors and service providers needed to run the service (hosting, payments, AI features when invoked). Where a provider processes data outside the EU/EEA, transfers rely on an adequacy decision or Standard Contractual Clauses, as listed on the sub-processor page. We do not sell personal data.

5. Retention

• Account data: for the life of the account, then deleted within 30 days of account closure.
• Billing records: 7 years (Swedish Bookkeeping Act).
• Server logs (IP address, timestamps, requested endpoints): retained only as long as necessary for security and debugging, then deleted or anonymized.

Note for workspace content (processor role): change history is stored immutably in Git because regulated-industry traceability is the purpose of the service; author identity on past changes is part of the audit record. The deletion model is described in the DPA.

6. Your rights

You may request access to, correction of, export of, or deletion of your personal data, object to processing based on legitimate interests, and lodge a complaint with a supervisory authority (in Sweden: Integritetsskyddsmyndigheten, IMY). Contact [email protected] — we respond within one month. If your data is in a customer's workspace, we will refer the request to that customer (the controller) as the DPA requires.

7. AI features

When a user invokes an AI-assisted feature, the relevant workspace content is sent to the AI provider listed on the sub-processor page to generate the response, and AI output is marked as such in the product. AI features are optional; no content is sent to AI providers unless a user invokes them.

8. Changes

We will announce material changes to this policy by email or in-product notice before they take effect.

Contact

Data protection enquiries: [email protected]
Right on Point Solutions AB, Hermesgatan 5, 641 34 Katrineholm, Sweden