Legal · Privacy
Privacy Policy
PowersportOS is a multi-tenant SaaS platform operated by Umbr AB, a Swedish company (org. number 559512-5252, VAT SE559512525201), registered in Sweden, EU. We take privacy seriously, both because GDPR requires us to and because handling other people's commercial data with care is the only way to build trust as a B2B platform.
This Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have. If anything is unclear, write to us at info@powersportos.com and we will explain in plain language.
1. Who is the data controller?
Umbr AB, org. number 559512-5252, is the data controller for personal data processed via PowersportOS.
Postal address and contact details are available on request via info@powersportos.com. For privacy-specific inquiries, write to info@powersportos.com with the subject line "Privacy".
2. What data do we collect?
2.1 Account data (tenant users and admin users)
When you or your colleagues create accounts to use the customer portal or admin interface, we store:
- Full name
- Email address
- Hashed password (we never see your plain-text password)
- Role and tenant association
- Account creation and last-login timestamps
2.2 Customer (tenant) data
When you use PowersportOS as a customer (a "tenant"), you may upload or generate:
- Your product catalog, fitment data, and stock levels
- Your dealer or store locations (names, addresses, coordinates)
- Configuration such as your Mapbox API token, allowed Shopify domain, and similar integration credentials
- Activity logs (API request counts, last-request timestamps)
This data belongs to you. We process it on your behalf to deliver the service. We do not analyze it, profile it, or sell it.
2.3 End-customer data
When tenants embed PowersportOS storefront widgets (such as YMM search, dealer map, or store locator) in their own webshops, those widgets may process limited end-customer data, including IP address, approximate location (where the end customer has shared it for "find a store near me" functionality), search terms, and timestamps. With respect to such end-customer data, the tenant acts as the data controller and Umbr AB acts as the tenant's data processor under the DPA. End customers wishing to exercise their GDPR rights with respect to data collected via widgets should contact the relevant tenant in the first instance; we will support tenants in responding to such requests as required by GDPR Article 28(3)(e). Widget data is processed in transit and is not retained beyond what is strictly necessary to return the requested result, except where a tenant has explicitly enabled a feature that requires retention (for example, a future end-customer "saved garage" feature) and the tenant's own privacy notice covers that processing.
2.4 Technical data
To operate the service securely, we collect:
- Server-side request logs (IP, timestamp, endpoint, status code), retained 30 days
- Error and exception traces (Sentry), pseudonymous, retained 90 days
- Session cookies (for authentication, set by Better Auth); see Cookies below
- Aggregate visit metrics from our public marketing site at
powersportos.com, collected by our self-hosted Umami instance atanalytics.powersportos.com. Umami does not set cookies, does not store visitor IP addresses, and does not build cross-site profiles. It records page-view counts, referrer, country (derived from IP at request time and discarded), device type, and browser, all in aggregate form. Visit data is retained for 12 months.
3. Why we process your data (lawful bases)
Under GDPR Article 6, we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) to deliver the service you signed up for
- Legitimate interest (Art. 6(1)(f)) to operate the platform securely, prevent abuse, debug errors, and improve the product based on aggregated usage
- Legal obligation (Art. 6(1)(c)) for tax records, accounting, and similar requirements under Swedish and EU law
- Consent (Art. 6(1)(a)) only where explicitly given, for example future marketing communications you opt into
4. Subprocessors
We use the following third-party services to deliver PowersportOS. All are reputable providers with their own GDPR-compliant data-processing terms:
- Hetzner Online GmbH (Germany / Finland) for hosting and storage. Data resides in EU data centers.
- Resend, Inc. for transactional email (password resets, welcome emails, contact-form submissions).
- Functional Software, Inc. (Sentry) for error tracking and exception monitoring.
- Mapbox, Inc. for geographic map rendering (only on tenant-installed dealer-map widgets, using each tenant's own Mapbox token).
- Labelary Inc. for server-side rendering of label-printing ZPL strings (SKU, brand, part name) into preview images and PDF. Label payloads contain no personal data; Labelary is listed here as a precaution.
We will provide Customers with at least thirty (30) days' prior notice before adding or replacing a subprocessor that processes Customer personal data, by updating this list and, where the Customer has subscribed to such notifications, by email. A Customer may object to a new subprocessor on reasonable grounds related to data protection by writing to info@powersportos.com within the notice period. If we and the Customer cannot agree on a resolution, the Customer may terminate the affected services with a pro-rata refund of any prepaid fees for the unused remainder of the term, as the Customer's exclusive remedy. The full mechanism is described in the Data Processing Agreement, Section 6 and Annex 3.
5. Data retention
Account data is retained for as long as the account is active, plus a reasonable period after deletion to allow for restoration in case of accidental closure. After that period, data is permanently deleted from primary storage and removed from backups within the regular backup-rotation window (currently 30 days).
Tenant data (catalog, dealers, stock, etc.) is retained for as long as the tenant subscription is active, plus 90 days after termination to allow for export and reactivation. After that, it is permanently deleted.
Technical logs (request logs, error traces) are retained for 30 to 90 days depending on type.
Some records may be retained longer where required by law (for example, accounting records under the Swedish Bookkeeping Act, Bokföringslagen (1999:1078), are retained for 7 years after the end of the calendar year to which they relate).
6. International transfers
Your data is hosted in the European Union (Hetzner data center in Finland). We do not transfer personal data outside the EU/EEA except where a subprocessor unavoidably operates outside the EU (for example, error-tracking via Sentry's US-based infrastructure). Where this happens, we rely on the European Commission's Standard Contractual Clauses or equivalent transfer safeguards.
7. Cookies and similar technologies
7.1 Cookies
PowersportOS uses minimal cookies. Specifically:
- Authentication session cookie (set by Better Auth), strictly necessary for keeping you logged in. No alternative; if disabled, you cannot use the service.
7.2 Browser storage (sessionStorage)
The customer portal and admin interface use the browser's sessionStorage API for ephemeral UI state such as dismissed announcement banners and cached postal-code geocoding results. sessionStorage is technically not a cookie: it is client-side only, never transmitted to our servers, and is cleared automatically when the browser tab is closed.
7.3 What we do not use
We do not use cookies or similar technologies for advertising, profiling, or third-party tracking. There are no Google Analytics, Facebook Pixel, or similar tags anywhere on PowersportOS. Our public marketing site uses self-hosted, cookieless Umami analytics (see section 2.4); the customer portal and admin interface do not run any analytics tracking at all.
8. Your rights
Under GDPR, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your personal data ("right to be forgotten") subject to legal obligations we may have to retain it
- Restriction: limit processing in certain circumstances
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, withdraw it at any time
- Lodge a complaint with your supervisory authority, in Sweden the Swedish Authority for Privacy Protection (IMY)
To exercise any of these rights, write to info@powersportos.com with the subject line "Privacy". We will respond within one month, as required by GDPR Article 12(3).
9. Security
We use industry-standard security measures including TLS in transit, hashed passwords, hardened server configurations, regular backups, and isolated tenant data. We monitor errors and access patterns continuously. In the event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authority without undue delay and within 72 hours where required by GDPR Article 33.
10. Changes to this Policy
We may update this Policy from time to time. The version number and "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will notify registered users by email with at least 30 days' notice before the change takes effect.
11. Contact
For any privacy-related questions, requests, or complaints, contact us at info@powersportos.com. For full official correspondence:
Umbr AB
Org. number 559512-5252
VAT SE559512525201
Sweden, EU