Legal · Privacy

Privacy Policy

Effective: 8 May 2026 · Last updated: 11 May 2026 · Version: 1.1

PowersportOS is a multi-tenant SaaS platform operated by Umbr AB, a Swedish company (org. number 559512-5252, VAT SE559512525201), registered in Sweden, EU. We take privacy seriously, both because GDPR requires us to and because handling other people's commercial data with care is the only way to build trust as a B2B platform.

This Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have. If anything is unclear, write to us at info@umbr.se and we will explain in plain language.

1. Who is the data controller?

Umbr AB, org. number 559512-5252, is the data controller for personal data processed via PowersportOS.

Postal address and contact details are available on request via info@umbr.se. For privacy-specific inquiries, write to info@umbr.se with the subject line "Privacy".

2. What data do we collect?

2.1 Account data (tenant users and admin users)

When you or your colleagues create accounts to use the customer portal or admin interface, we store:

• Full name
• Email address
• Hashed password (we never see your plain-text password)
• Role and tenant association
• Account creation and last-login timestamps

2.2 Customer (tenant) data

When you use PowersportOS as a customer (a "tenant"), you may upload or generate:

• Your product catalog, fitment data, and stock levels
• Your dealer or store locations (names, addresses, coordinates)
• Configuration such as your Mapbox API token, allowed Shopify domain, and similar integration credentials
• Activity logs (API request counts, last-request timestamps)

This data belongs to you. We process it on your behalf to deliver the service. We do not analyze it, profile it, or sell it.

2.3 End-customer data

The customer-facing widgets (YMM search, dealer map, store locator) embedded by tenants in their Shopify or other storefronts may, in some configurations, transmit minimal data about end customers, such as approximate location (when an end customer chooses to share it for "find a store near me" features) and the part numbers they search for. This data is processed in transit only and not stored beyond what's strictly necessary to return the requested results, unless the tenant has opted into a feature that requires storage (for example, the planned customer-garage feature, where end customers explicitly save vehicles for later use).

2.4 Technical data

To operate the service securely, we collect:

• Server-side request logs (IP, timestamp, endpoint, status code), retained 30 days
• Error and exception traces (Sentry), pseudonymous, retained 90 days
• Session cookies (for authentication, set by Better Auth); see Cookies below

3. Why we process your data (lawful bases)

Under GDPR Article 6, we rely on the following lawful bases:

• Performance of a contract (Art. 6(1)(b)) to deliver the service you signed up for
• Legitimate interest (Art. 6(1)(f)) to operate the platform securely, prevent abuse, debug errors, and improve the product based on aggregated usage
• Legal obligation (Art. 6(1)(c)) for tax records, accounting, and similar requirements under Swedish and EU law
• Consent (Art. 6(1)(a)) only where explicitly given, for example future marketing communications you opt into

4. Subprocessors

We use the following third-party services to deliver PowersportOS. All are reputable providers with their own GDPR-compliant data-processing terms:

• Hetzner Online GmbH (Germany / Finland) for hosting and storage. Data resides in EU data centers.
• Resend, Inc. for transactional email (password resets, welcome emails, contact-form submissions).
• Functional Software, Inc. (Sentry) for error tracking and exception monitoring.
• Mapbox, Inc. for geographic map rendering (only on tenant-installed dealer-map widgets, using each tenant's own Mapbox token).
• Shopify Inc.: for tenants who install our Shopify App, Shopify acts as a separate data controller for their own users; data we receive via webhooks is handled under this Policy.

The list of subprocessors will be updated when we add or change providers. We will notify customers of material changes with reasonable notice.

5. Data retention

Account data is retained for as long as the account is active, plus a reasonable period after deletion to allow for restoration in case of accidental closure. After that period, data is permanently deleted from primary storage and removed from backups within the regular backup-rotation window (currently 30 days).

Tenant data (catalog, dealers, stock, etc.) is retained for as long as the tenant subscription is active, plus 90 days after termination to allow for export and reactivation. After that, it is permanently deleted.

Technical logs (request logs, error traces) are retained for 30 to 90 days depending on type.

Some records may be retained longer where required by law (for example, accounting records under Swedish law are retained for 7 years).

6. International transfers

Your data is hosted in the European Union (Hetzner data center in Finland). We do not transfer personal data outside the EU/EEA except where a subprocessor unavoidably operates outside the EU (for example, error-tracking via Sentry's US-based infrastructure). Where this happens, we rely on the European Commission's Standard Contractual Clauses or equivalent transfer safeguards.

7. Cookies

PowersportOS uses minimal cookies. Specifically:

• Authentication session cookie (set by Better Auth), strictly necessary for keeping you logged in. No alternative; if disabled, you cannot use the service.
• SessionStorage (browser-side, not transmitted) for ephemeral UI state such as dismissed announcement banners and cached postal-code geocoding results.

We do not use cookies for advertising, profiling, or third-party tracking. There are no Google Analytics, Facebook Pixel, or similar tags on the customer portal or admin interface.

8. Your rights

Under GDPR, you have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: correct inaccurate or incomplete data
• Erasure: request deletion of your personal data ("right to be forgotten") subject to legal obligations we may have to retain it
• Restriction: limit processing in certain circumstances
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interest
• Withdraw consent: where processing is based on consent, withdraw it at any time
• Lodge a complaint with your supervisory authority, in Sweden the Swedish Authority for Privacy Protection (IMY)

To exercise any of these rights, write to info@umbr.se with the subject line "Privacy". We will respond within one month, as required by GDPR Article 12(3).

9. Security

We use industry-standard security measures including TLS in transit, hashed passwords, hardened server configurations, regular backups, and isolated tenant data. We monitor errors and access patterns continuously. In the event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authority without undue delay and within 72 hours where required by GDPR Article 33.

10. Changes to this Policy

We may update this Policy from time to time. The version number and "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will notify registered users by email with at least 30 days' notice before the change takes effect.

11. Contact

For any privacy-related questions, requests, or complaints, contact us at info@umbr.se. For full official correspondence:

Umbr AB
Org. number 559512-5252
VAT SE559512525201
Sweden, EU

For the full text of the EU General Data Protection Regulation (GDPR), see eur-lex.europa.eu.