Sendivent Privacy Policy
Last updated: 21 December 2025
This Privacy Policy explains how Appitude AB ("Sendivent", "we", "us") processes personal data when you visit sendivent.com, communicate with us, or use the Sendivent service as an authorized user of a business customer.
If you are a recipient/end user whose details a Sendivent customer processes through the Service, Sendivent processes your data on behalf of that customer as a processor. In most cases, requests should be directed to the customer (Section 4).
1) Plain-language summary
- We are a B2B-only service.
- Core systems are hosted in AWS eu-north-1 (Stockholm, Sweden).
- For Customer Content, we act as a processor under our DPA.
- For website/account/billing/communications, we act as a controller.
- We do not use Customer Content to train AI models and do not send Customer Content to LLM providers.
- We use Plausible Analytics for website analytics.
- Managed database backups are retained up to 30 days.
- Our current Subprocessors are listed at /subprocessors.
2) Who we are and how to contact us
Company: Appitude AB, org.nr 556950-5448
Address: Skeppargatan 18, 114 52 Stockholm, Sweden
Privacy / legal contact: legal@sendivent.com
Support: support@sendivent.com
3) Who this policy applies to
This policy applies to:
- website visitors to sendivent.com,
- business representatives and authorized users of Sendivent customer accounts,
- prospects/customers communicating with us.
4) Roles: Controller vs Processor
4.1 Processor (Customer Content)
We act as a processor when we process Customer Content to provide the Service to our business customers. Our processing is governed by our DPA: /dpa.
4.2 Where recipients should direct requests
Recipients/end users should direct rights requests to the relevant Sendivent customer (the controller). We provide reasonable assistance to the customer as required by the DPA.
4.3 Controller (our business operations)
We act as a controller for personal data processed for:
- operating and securing our website,
- account creation and administration,
- billing and payments,
- communications (support, product updates, legal notices),
- compliance and protecting the Service against abuse.
5) Personal data we process as Controller
Depending on how you interact with us:
5.1 Account administration
- name, business email, role/title, company name
- authentication identifiers and account settings
- audit-relevant actions to protect accounts
5.2 Billing
- billing contact details and subscription metadata
- billing address (if provided)
- payment status
Payment card details are processed by Stripe; we do not intentionally store full card details.
5.3 Website
- limited technical data (e.g., IP address typically in server logs), device/browser information
- website analytics events via Plausible (Section 9)
5.4 Communications
- emails and messages you send to support@ / legal@
- information you provide during support or onboarding
6) Customer Content (Processor context)
Customer Content may include contact identifiers (email/phone/Slack identifiers), contact metadata (including free-form fields), message content/template variables, delivery metadata, and suppression/subscription state.
Customers control what they upload. We do not automatically determine whether metadata contains special-category data.
7) Purposes and legal bases (GDPR Art. 6)
| Purpose (Controller context) | Examples | Legal basis |
|---|---|---|
| Account administration | onboarding, authentication, support communications | Contract (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f)) |
| Billing | subscription management, payment status | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) |
| Security and abuse prevention | investigating suspicious activity, rate limiting | Legitimate interests (Art. 6(1)(f)) and/or Legal obligation (Art. 6(1)(c)) |
| Website analytics | aggregate traffic insights | Legitimate interests (Art. 6(1)(f)) and/or consent where required |
| Legal compliance/enforcement | disputes, lawful requests | Legal obligation (Art. 6(1)(c)) and Legitimate interests (Art. 6(1)(f)) |
| B2B marketing | product updates/news | Legitimate interests (Art. 6(1)(f)) and/or consent where required |
For Customer Content, we process on customer instructions under the DPA.
8) Sharing
8.1 Subprocessors (Customer Content)
We use subprocessors (e.g., hosting and SMS delivery) to provide the Service. Our current list is published at /subprocessors.
8.2 Integrations (e.g., Slack)
Customers may connect integrations (such as Slack). When enabled, we transmit the information reasonably necessary to deliver the message (e.g., workspace/channel identifiers, message content, delivery-related metadata). These integrations are selected/configured by the customer and process data under the customer’s relationship and terms with the provider.
8.3 Payments
We use Stripe for payments and subscription billing.
8.4 Legal disclosures
We may disclose data if required by law or valid legal process.
9) Cookies and analytics (Plausible)
We use Plausible Analytics for website analytics.
- We configure analytics to avoid cross-site tracking.
- We do not use analytics cookies in our current configuration. If this changes, we will update this section and implement consent mechanisms where required.
10) International transfers
EEA means the European Economic Area.
Core hosting is in Sweden (EEA). However, data may be processed outside the EEA in limited cases due to integrations, SMS routing depending on recipient destination and telecom networks, limited support/admin access, and third-party providers used for payments or authentication.
Where we initiate transfers subject to GDPR Chapter V, we apply appropriate safeguards as required (such as adequacy decisions or SCCs), as described in our DPA.
11) Retention (high level)
- Managed database backups are retained up to 30 days.
- Deletion of Customer Content and processing retention is described in the DPA.
- We retain account and billing records as needed to provide the Service and meet legal obligations.
12) Security
We use risk-based technical and organizational measures, including access controls, least privilege, logging, encryption in transit, incident response processes, and deletion workflows. More detail is available in the DPA.
13) Your rights
Depending on context and law, you may have rights to access, correct, delete, restrict/object, portability, and to withdraw consent where applicable.
- Requests regarding Customer Content should be directed to the Sendivent customer (controller).
- Requests regarding our Controller processing should be sent to legal@sendivent.com.
We may need to verify identity.
Complaints
You may lodge a complaint with your supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY).
14) Marketing communications
We may send business contacts product updates or marketing communications. You can opt out via any unsubscribe link (where provided) or by contacting legal@sendivent.com.
Service/security/billing communications are not marketing.
15) Changes
We may update this policy. The updated version will be posted with a new “Last updated” date.