Skip to main content
Status Sign in

Legal · Privacy

Privacy Policy

Effective: 8 May 2026 · Last updated: 26 May 2026 · Version: 1.3

Early-access notice: PowersportOS is in early access. This Privacy Policy is in effect for current founding partners. Changes may be made before general availability. We will notify registered users in advance of any material changes.

PowersportOS is a multi-tenant SaaS platform operated by Umbr AB, a Swedish company (org. number 559512-5252, VAT SE559512525201), registered in Sweden, EU. We take privacy seriously, both because GDPR requires us to and because handling other people's commercial data with care is the only way to build trust as a B2B platform.

This Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have. If anything is unclear, write to us at info@powersportos.com and we will explain in plain language.

1. Who is the data controller?

Umbr AB, org. number 559512-5252, is the data controller for personal data processed via PowersportOS.

Postal address and contact details are available on request via info@powersportos.com. For privacy-specific inquiries, write to info@powersportos.com with the subject line "Privacy".

2. What data do we collect?

2.1 Account data (tenant users and admin users)

When you or your colleagues create accounts to use the customer portal or admin interface, we store:

2.2 Customer (tenant) data

When you use PowersportOS as a customer (a "tenant"), you may upload or generate:

This data belongs to you. We process it on your behalf to deliver the service. We do not analyze it, profile it, or sell it.

2.3 End-customer data

When tenants embed PowersportOS storefront widgets (such as YMM search, dealer map, or store locator) in their own webshops, those widgets may process limited end-customer data, including IP address, approximate location (where the end customer has shared it for "find a store near me" functionality), search terms, and timestamps. With respect to such end-customer data, the tenant acts as the data controller and Umbr AB acts as the tenant's data processor under the DPA. End customers wishing to exercise their GDPR rights with respect to data collected via widgets should contact the relevant tenant in the first instance; we will support tenants in responding to such requests as required by GDPR Article 28(3)(e). Widget data is processed in transit and is not retained beyond what is strictly necessary to return the requested result, except where a tenant has explicitly enabled a feature that requires retention (for example, a future end-customer "saved garage" feature) and the tenant's own privacy notice covers that processing.

2.4 Technical data

To operate the service securely, we collect:

3. Why we process your data (lawful bases)

Under GDPR Article 6, we rely on the following lawful bases:

4. Subprocessors

We use the following third-party services to deliver PowersportOS. All are reputable providers with their own GDPR-compliant data-processing terms:

We will provide Customers with at least thirty (30) days' prior notice before adding or replacing a subprocessor that processes Customer personal data, by updating this list and, where the Customer has subscribed to such notifications, by email. A Customer may object to a new subprocessor on reasonable grounds related to data protection by writing to info@powersportos.com within the notice period. If we and the Customer cannot agree on a resolution, the Customer may terminate the affected services with a pro-rata refund of any prepaid fees for the unused remainder of the term, as the Customer's exclusive remedy. The full mechanism is described in the Data Processing Agreement, Section 6 and Annex 3.

5. Data retention

Account data is retained for as long as the account is active, plus a reasonable period after deletion to allow for restoration in case of accidental closure. After that period, data is permanently deleted from primary storage and removed from backups within the regular backup-rotation window (currently 30 days).

Tenant data (catalog, dealers, stock, etc.) is retained for as long as the tenant subscription is active, plus 90 days after termination to allow for export and reactivation. After that, it is permanently deleted.

Technical logs (request logs, error traces) are retained for 30 to 90 days depending on type.

Some records may be retained longer where required by law (for example, accounting records under the Swedish Bookkeeping Act, Bokföringslagen (1999:1078), are retained for 7 years after the end of the calendar year to which they relate).

6. International transfers

Your data is hosted in the European Union (Hetzner data center in Finland). We do not transfer personal data outside the EU/EEA except where a subprocessor unavoidably operates outside the EU (for example, error-tracking via Sentry's US-based infrastructure). Where this happens, we rely on the European Commission's Standard Contractual Clauses or equivalent transfer safeguards.

7. Cookies and similar technologies

7.1 Cookies

PowersportOS uses minimal cookies. Specifically:

7.2 Browser storage (sessionStorage)

The customer portal and admin interface use the browser's sessionStorage API for ephemeral UI state such as dismissed announcement banners and cached postal-code geocoding results. sessionStorage is technically not a cookie: it is client-side only, never transmitted to our servers, and is cleared automatically when the browser tab is closed.

7.3 What we do not use

We do not use cookies or similar technologies for advertising, profiling, or third-party tracking. There are no Google Analytics, Facebook Pixel, or similar tags anywhere on PowersportOS. Our public marketing site uses self-hosted, cookieless Umami analytics (see section 2.4); the customer portal and admin interface do not run any analytics tracking at all.

8. Your rights

Under GDPR, you have the right to:

To exercise any of these rights, write to info@powersportos.com with the subject line "Privacy". We will respond within one month, as required by GDPR Article 12(3).

9. Security

We use industry-standard security measures including TLS in transit, hashed passwords, hardened server configurations, regular backups, and isolated tenant data. We monitor errors and access patterns continuously. In the event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authority without undue delay and within 72 hours where required by GDPR Article 33.

10. Changes to this Policy

We may update this Policy from time to time. The version number and "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will notify registered users by email with at least 30 days' notice before the change takes effect.

11. Contact

For any privacy-related questions, requests, or complaints, contact us at info@powersportos.com. For full official correspondence:

Umbr AB
Org. number 559512-5252
VAT SE559512525201
Sweden, EU