1. Scope and our roles
This Privacy Policy applies to settio.io, our marketing website, the Settio platform, the Settio companion app, and any related services (together, the “Services”).
When we are a controller
We act as a controller for personal data we collect for our own purposes — for example, prospects who contact us, demo requests, marketing recipients, and visitors to our website.
When we are a processor
When customers (typically employers, HR teams, and global mobility teams) use the Settio platform to onboard their employees and international hires, those customers are the controller of the personal data they upload or generate in the platform (“Customer Data”), and Settio acts as a processor on their behalf, governed by our Data Processing Agreement.
2. Who we are
The controller for our own processing activities is Settio (the legal entity operating settio.io). You can reach us at [email protected]. If you are an EU/EEA data subject and prefer to write to a postal address or our Data Protection Officer (DPO), please use the same email and we will route your request appropriately.
3. Data we collect
3.1 Information you give us
- Account & profile data — name, work email, role, employer, language preference.
- Onboarding & relocation data (Customer Data) — information your employer enters or asks you to provide as part of your international onboarding (e.g. nationality, immigration status, work permit details, expected start date, family members relocating, address in Sweden, BankID/Personnummer status, checklist progress).
- Documents you upload — for example employment contracts, permit decisions, lease agreements. Documents are stored encrypted at rest in the EU/EEA.
- Support & feedback — content of messages you send us, demo requests, survey responses, recordings of demos you agree to.
3.2 Information we collect automatically
- Usage data — pages viewed, features used, actions taken in the platform, errors, performance telemetry.
- Device & log data — IP address, browser type, OS, device identifiers, timestamps, referring URL.
- Cookies and similar technologies — see our Cookie Policy.
3.3 Information from third parties
- ATS integrations — when your employer connects an applicant tracking system (e.g. Teamtailor, Reachmee), we receive candidate data necessary to start onboarding.
- SSO providers — name and email if you sign in with Google, Microsoft, or another identity provider.
- Public sources — for marketing, limited professional information (e.g. company, role).
Special category data
4. Purposes and lawful bases
We process personal data only for the purposes below, each tied to a GDPR Article 6 lawful basis (and Article 9, where relevant):
- Provide the Services — Article 6(1)(b) (performance of a contract) for our customers and their authorised users; Article 6(1)(f) (legitimate interests) where we act for a third-party employer.
- Account creation & security — Article 6(1)(b) and 6(1)(f) (securing the platform, preventing fraud).
- Customer support — Article 6(1)(b) and 6(1)(f).
- Service improvement & analytics — Article 6(1)(f), using minimised, pseudonymised data wherever possible.
- Marketing to businesses — Article 6(1)(f), with an easy opt-out, and Article 6(1)(a) (consent) where required.
- Legal & compliance — Article 6(1)(c) (legal obligation) for accounting, tax, audit, and responding to lawful requests.
You can object to processing based on legitimate interests at any time — see “Your rights” below.
5. AI features
Some Settio features use AI to summarise documents, draft communications, and guide hires through Sweden-specific onboarding steps. Read the full AI & Responsible Use policy for details. In short:
- We do not use Customer Data to train third-party foundation models.
- AI processing happens through enterprise-grade providers under contractual zero-retention / no-training terms.
- AI suggestions are surfaced for human review; we don’t make fully automated decisions with legal or similarly significant effects on individuals.
7. International data transfers
Customer Data is stored and processed in the EU/EEA, with our primary region in Stockholm, Sweden. Some support and operational tools may involve limited transfers outside the EEA. Where that happens we rely on:
- European Commission adequacy decisions (where they apply); or
- the EU Standard Contractual Clauses (Decision (EU) 2021/914) plus supplementary technical measures (encryption, pseudonymisation, access controls); or
- other safeguards permitted by Chapter V of the GDPR, with a transfer impact assessment on file.
You can request a copy of the safeguards in place at [email protected].
8. Retention
We keep personal data only for as long as we need it for the purposes above:
- Customer Data — for the duration of the customer’s subscription, then deleted or returned within 30 days of termination unless a longer period is required by law. Customers can also delete data on demand from the platform.
- Account data — until you close your account, then archived for up to 90 days for backup rotation.
- Marketing data — until you unsubscribe or after 24 months of inactivity, whichever comes first.
- Logs & security data — typically 90 days, longer for security incidents.
- Invoices & accounting — kept for the period required by Swedish bookkeeping law (currently 7 years).
9. Security
We implement appropriate technical and organisational measures under Article 32 GDPR. See our Security Overview for detail. Highlights:
- TLS 1.2+ in transit, AES-256 at rest, encrypted backups.
- Role-based access, SSO, MFA on all admin tooling, least-privilege internal access reviewed quarterly.
- EU-hosted infrastructure, segregated environments, audit logging.
- Vendor reviews, secure SDLC, dependency scanning, penetration testing.
- Incident response plan with notification to controllers without undue delay (and within 72 hours of becoming aware, per Article 33 GDPR, where applicable).
10. Your rights under the GDPR
You have the right to:
- access the personal data we hold about you (Article 15);
- request correction of inaccurate data (Article 16);
- request deletion (Article 17), subject to legal retention duties;
- request restriction of processing (Article 18);
- data portability of data you provided to us (Article 20);
- object to processing based on legitimate interests or for direct marketing (Article 21);
- not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22). Settio does not perform such decisions.
If your employer is the controller of the relevant data, please contact them first; we will support them in responding to your request. You also have the right to lodge a complaint with your local supervisory authority, which in Sweden is the Integritetsskyddsmyndigheten (IMY).
11. Children
The Services are intended for use by businesses and adult employees. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy as our Services evolve. Material changes will be communicated through the platform or by email at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
13. Contact and DPO
For privacy questions, requests, or to reach our Data Protection point of contact:
- Email: [email protected]
- Support: [email protected]
- Security disclosures: [email protected]