Last updated September 17, 2021
The app “Let's Do” (the “App”) and the website letsdo.io are operated by Andersson-Larsson Holding AB with company registration no. 559254-7078 (“we”, “us”, “our”).
App: Let's Do.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC: The Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, set forth in the European Commission Decision of 5 February 2010.
How we collect personal data
We most usually receive Personal Data when we enter into an agreement; through the user's use of the App or of our Website; when the user contacts us by e-mail; or in connection with registration for any newsletter from us.
What personal data we collect
We try to work primarily through the principles of purpose limitation and data minimization regarding the storage of Personal Data, by only Processing Personal Data that is necessary, adequate and relevant for each individual purpose.
When a user grants the App access to its Slack workspace, the App gets access to the following Personal Data from Slack about the user: name, time zone, title, avatar and the name of the organization that owns the Slack workspace. If a person signs in using Slack on the Website, we will get information about that person (name and e-mail). This is usually done as part of the process to set up payment details with our payment provider Paddle. Name, e-mail and time zone are saved as long as the user keeps the App authorized for its Slack account.
We have access to unidentified usage information about how users use the Website and the App. This is done in order to improve our services and the App through analysis of user behaviors. Our Website also uses Plausible Analytics (a third-party application), which analyzes the activity on the Website. All data sent to Plausible Analytics is anonymized.
We don't perform manual registrations of users. Almost all data that users share on the Website and in the App is shared through self-service, and users are clearly informed about what information they share with us before the data is shared.
Why we process personal data and the legal basis for the Processing of Personal Data
The legal basis we mainly base the Processing of Personal Data on is “Contract”. This legal basis gives us the right to Process Personal Data in order to fulfill our obligations under a contract with the Data Subject.
If the Data Subject has consented to the Personal Data Processing, through voluntary active approval to the Processing, we may Process the Personal Data on the legal basis of “Consent”. A given consent can be revoked at any time and in such cases the Processing of the Personal Data shall cease, but this only applies if the Personal Data is no longer necessary for us to Process in order to fulfill our obligations under a contract or other legal obligations.
We have the right to Process Personal Data if we have a legal obligation to do so, for example according to the Swedish Bookkeeping Act (1999:1078). In such cases, only necessary Personal Data will be Processed. Personal Data that is part of any necessary accounting documentation is stored for as long as the law requires.
We have the right to Process Personal Data, based on the legal basis “Legitimate interests”, in order to, for example, market the App, provide good support, improve our services, the Website or the App etc. However, sensitive Personal Data is never Processed on this legal basis. The Data Subjects always have the right to object in writing if they do not want us to use their Personal Data for marketing. We have the right to Process Personal Data on this legal basis in order to comply with applicable law, demand payment for a past due claim, report a debt or protect our rights/property and to prevent crimes.
Storage of personal data
We store and Process Personal Data according to the principle of integrity and confidentiality. When Personal Data is stored in a country outside of the EU/EEA, the storage provider must comply with the provisions of the GDPR and we shall enter into a data processing agreement that is compliant with the regulations stated in the GDPR and SCC.
We store user details (name, time zone, Slack user id) of the users who use the App. A user's email is stored if the user has signed in using Slack on the Website. Slack channel names are stored in some cases, primarily when the App is used in “Direct message” channels.
The Personal Data associated with a user account (like the user’s name and time zone) is needed to make the App work and will be stored for the entire time you are a customer/user. The data for to-dos, such as title, assignments, notes content and the Slack channel id, are saved until the to-do is deleted by the user or as long as you are a customer.
The App undergoes a daily backup of stored data. Backup storage is saved for up to thirty (30) days. The backup files are stored on the Heroku Platform.
We store Personal Data as long as it’s needed and necessary to fulfill the purposes for which the Personal Data was collected. If it is necessary for us to comply with applicable legislation, we may store Personal Data for a longer period for that purpose. Personal Data that is no longer needed will be deleted according to the principle of storage limitation. When the App is removed from a Slack workspace, the associated stored data will be removed from the App's database within thirty (30) days.
Sub-processor and transfer of personal data
We have the right to engage Sub-processors to fulfill the obligations under the agreement between us and the Data Subject. We engage Sub-processors as part of the delivery of the App and Website. This means that we may disclose Personal Data to Sub-processors, to fulfill our obligations under the Agreement, applicable legislation, legal obligations, to safeguard our legal interests or to detect and prevent technical or security issues with the App. The Data Subjects are entitled to request a complete overview of which Sub-processors are involved in the Processing of the Data Subject's Personal Data.
The data subject's rights
The Data Subjects have certain rights according to GDPR regarding the Processing of their Personal Data. The Data Subjects have the right to:
- information about what Personal Data is being Processed and with whom it is shared.
- access the Personal Data that is being Processed.
- ask for modifications of the Personal Data.
- withdraw a previously given consent for the Processing of Personal Data for a specific purpose.
- object to the Processing of the Personal Data.
- object to automated Processing of the Personal Data and to a decision based on automated processing.
- be forgotten and to ask for the deletion of Personal Data.
- transfer the Personal Data to another controller (data portability).
- submit complaints to us, or to the Swedish Authority for Privacy Protection, which is the Supervisory Authority, or to another equivalent regulatory authority in the data subject’s state.
- get information about any Personal Data Breach concerning the Personal Data of the data subject.
You may contact us if you wish to exercise any of the above-mentioned rights regarding your Personal Data. However, some of the rights apply only in certain situations.
We certify that our activities and security measures are conducted in a manner that ensures compliance with the provisions and requirements of the GDPR regarding adequate protection of Personal Data Processing (according to the principle of integrity and confidentiality). All our internal registers and systems that contain Personal Data are password protected. We have also developed internal routines for employees with access to the databases containing Personal Data, in order to protect the data, and only authorized employees with a direct need for access to the Personal Data in order to perform their tasks have access to them. We also work according to the data protection principles (Article 5 GDPR) and ensure that our employees are aware of the principles.
Personal data breach
All Personal Data Breaches will be documented internally and reported to the Swedish Authority for Privacy Protection within 72 hours, when it is required according to the GDPR.
How to contact us