Privacy policy

Last updated: 2026-06-27

For municipal IT-security managers and procurement officers: see also Security page for technical security information (encryption, secrets management, incident response, compliance status).

For municipal procurement officers: see also Data protection and subprocessors for operational GDPR detail (subprocessor list, retention per collection, DPIA-light), and the DPA template for a data processing agreement.

Data controller

Data controller: Skolspegeln AB (org. no. 559359-7288). Contact person: Markus Reimer. Contact: info@skolkoll.se

What data do we collect?

User accounts

If you create an account on Skolkoll, we store the following in our database (Firebase/Firestore — see Data protection and subprocessors for the current database regions):

  • Email address and display name — for login and identification in the portal.
  • Login method — which social login (Google, Microsoft, GitHub, Facebook or Apple) or email/password you use.
  • Organisation membership — if you belong to an organisation, we store which organisation and your role (administrator/user).
  • Timestamps — when the account was created.

Legal basis: Contract (GDPR Art. 6(1)(b)) — the data is necessary to provide the service.

Retention: Data is stored for as long as the account exists. When an account is deleted, your personal data is removed from our database.

Organisation data

If you create or join an organisation, the following may be stored:

  • Organisation name and registration number — public information for identification.
  • Billing details — contact person, phone, address, email and reference/PO number for invoicing.
  • Customer number (SK-NNNNN) — system-generated for invoice management.

Legal basis: Contract (GDPR Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) — necessary for contract management and invoicing.

Payments

Payments are handled by Stripe. We do not store card details — these are handled entirely by Stripe in accordance with PCI DSS. We store transaction IDs and payment status to link payments to the correct organisation.

Retention: Payment history is stored for 7 years in accordance with Swedish bookkeeping legislation (BFL).

API access

API keys are handled only for agreed pilot cases, not as public self-service. If a pilot is activated, we store:

  • SHA-256 hash of the API key — the full key is shown only at creation time and is never stored in plaintext on our server.
  • Label, organisation ID and the user who created the key — so administrators can identify the key in the organisation's API view.
  • Monthly usage counters (apiQuota/{orgId}/months/{YYYY-MM}) — request count (count) and the organisation's configured monthly quota (quota).

Legal basis: Contract (GDPR Art. 6(1)(b)). Usage counters are retained for 13 months for billing reconciliation (Art. 6(1)(c)).

Webhook subscriptions

Pro organisations can register webhook subscriptions to receive events in real time. We store:

  • Webhook URL — the address that events are delivered to. Only HTTPS URLs with a public host are accepted (private IP literals and userinfo are blocked at registration).
  • Encrypted signing secret (secretEnc) — an AES-256-GCM-encrypted envelope. The plaintext version is returned to the customer once at creation and never stored on our server. The secret is used by the customer to verify webhook signatures.
  • Configuration and delivery status — which event types trigger delivery, an optional description (200 characters max), enabled/paused status, and the time and result of the most recent delivery.

Server logs record only the webhook hostname, not the full URL — because subscription URLs often carry tokens in path or query segments.

Legal basis: Contract (GDPR Art. 6(1)(b)) — webhook delivery is part of the Pro service.

Error monitoring

We use Sentry (EU-region ingestion, Germany) to detect and fix technical errors. Sentry may collect:

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — necessary to maintain the service's functionality.

Journalist data orders

If you submit a data order through the journalist form, we store the details you provide: outlet/newsroom, beat, name, email address, order message, language, consent version and timestamp. The form posts to our own server and is first stored in the Firestore collection journalist_orders in the EU region.

When the Zoho intake has been approved and explicitly enabled, the same order may create a Zoho Desk ticket of type Databeställning with internal triage tags and a private quality/neutrality comment (risk class and flags for signals such as prompt injection or AcadeMedia relevance). A minimal Zoho CRM contact may also be created to manage the relationship and order status. We do not use this data for newsletters, Campaigns sends or other marketing without separate consent/provenance.

Legal basis: consent (GDPR Art. 6(1)(a)) to store and contact you through the form; handling your order — performance of a request where applicable; and legitimate interest in answering and delivering journalist data orders.

Retention: the Firestore record is targeted for deletion 180 days from submission via the purgeAfter field and Firestore TTL when the policy is active. Orders unresolved after 180 days require documented approval and have a hard cap of 12 months. Zoho Desk tickets are deleted no later than 12 months after closure and order-specific CRM status/description is removed when no longer needed.

Cookies and analytics

If you consent via our consent banner, we use Google Analytics 4 and Zoho PageSense for visitor statistics, A/B testing and site improvement. These tools collect:

GA4 automatically anonymises IP addresses at collection — your full IP address is not stored by Google. Zoho PageSense is loaded from Zoho's EU CDN and uses cookies or similar technologies to connect visits, experiment variants and goal conversions. Skolkoll does not sell visitor data and does not share analytics data with third parties beyond Google and Zoho in their role as data processors. Google and Zoho may process data under their own terms — see Google's privacy policy and Zoho's privacy policy.

Retention period: GA4 data is stored for 14 months and then automatically deleted by Google. PageSense data is stored according to the selected Zoho PageSense plan, currently 1, 6 or 12 months, and Skolkoll does not use PageSense data for longer than 12 months. See also Zoho's plan-based retention.

If you choose "Only necessary" in the consent banner, Google Analytics and Zoho PageSense are not loaded at all.

Third-country transfers

Google Analytics may involve data being transferred to and processed in the USA. Google applies EU Standard Contractual Clauses (SCC) as the legal basis for such transfers. More information is available in Google's privacy policy.

Zoho PageSense is operated by Zoho. We use the EU script (cdn-eu.pagesense.io) and treat PageSense as an analytics subprocessor that is activated only after consent. Zoho provides a DPA/SCCs for GDPR-regulated processing.

Zoho Desk and Zoho CRM are used server-side for support and approved journalist data orders through Zoho's EU endpoints (desk.zoho.eu and www.zohoapis.eu). Zoho provides DPA/SCCs for GDPR-regulated processing.

Resend (email provider for school watching) is a US-based company and may process email addresses in the USA. Resend applies EU Standard Contractual Clauses (SCC).

Stripe (payment provider for Pro services) is a US-based company. Card details are handled entirely by Stripe in accordance with PCI DSS. Stripe applies EU Standard Contractual Clauses (SCC). More information in Stripe's privacy policy.

Sentry (error monitoring) is operated by Functional Software, Inc. (USA). We use Sentry's EU region (ingestion in Germany) so that error reports are stored within the EU/EEA. Sentry may receive technical error information (stack trace, browser info, IP address that is anonymised shortly after receipt). EU Standard Contractual Clauses (SCC) apply for any support or administrative access by Sentry's US team.

Anthropic (AI assistant) is a US-based company. Chat messages sent via Kollen are processed by Anthropic to generate responses. Anthropic applies EU Standard Contractual Clauses (SCC). Processing is governed by Anthropic's Data Processing Agreement (DPA) included in their API terms of service. Anthropic may retain message content for up to 30 days for trust and safety purposes, in accordance with their API terms. Messages are not permanently stored by Skolkoll. More information in Anthropic's privacy policy.

OpenAI (image stylisation) is a US-based company. If you voluntarily submit a photo of a school for stylisation, the image may be processed by OpenAI. OpenAI applies EU Standard Contractual Clauses (SCC).

Social login providers — if you sign in with Google, Microsoft, GitHub, Facebook or Apple, authentication is handled by the respective provider, all of which are US-based companies. Only the information you approve (typically name and email address) is received. Transfer to the USA is supported by EU Standard Contractual Clauses (SCC).

Other third-party services (Nominatim, ResRobot, JobEd Connect, Skolverket API) process data within the EU/EEA. Leaflet and D3.js are served locally from our own server. Firebase authentication loads client scripts from Google's CDN (gstatic.com); these CDN servers may be located outside the EU.

Email for school watching

If you choose to watch a school, you provide your email address. The following is stored in our database (Firestore):

  • Email address — used to send notifications. Deleted when you unsubscribe.
  • SHA-256 hash of your email — used to look up your existing watches without exposing your email in database queries.
  • School unit code and name — which school you are watching.
  • Timestamps — when the watch was created, confirmed and last notified.

Legal basis: Consent (GDPR Art. 6(1)(a)) via double opt-in. You confirm your watch through a link sent to your email.

Retention: Your data is stored for as long as the watch is active. If you unsubscribe via the link in any notification email, the watch is marked inactive and your email address is deleted.

What triggers notifications: You receive an email when merit score changes by more than 5 points, gymnasium eligibility changes by more than 5 percentage points, pupil count changes by more than 20%, or the School Inspectorate issues a new decision about the school.

How to unsubscribe: Every notification email contains an unsubscribe link. You can also contact us at info@skolkoll.se.

Local storage (localStorage)

The following data may be stored locally in your browser:

The AI chat also stores conversation and consent in sessionStorage (automatically deleted when the browser tab is closed): skolkoll_ai_consent, skolkoll_ai_chat, skolkoll_ai_context. Paywall click attribution is also stored in sessionStorage under skolkoll_paywall_last_click after accepted analytics consent.

AI assistant (Kollen)

Kollen is not specifically directed at children under 13.

Skolkoll offers an AI-powered chat ("Kollen") that answers questions about school statistics. If you choose to use Kollen, the following applies:

Legal basis: Consent (GDPR Art. 6(1)(a)) — you accept the terms before using the chat. The consent prompt informs you of your right to withdraw consent.

Data processor: Anthropic PBC (San Francisco, USA) — the AI model that generates responses. Anthropic processes messages as a sub-processor. Transfer to the USA is supported by EU Standard Contractual Clauses (SCC).

Withdraw consent: Close the browser tab to delete session consent. You can also click "Withdraw AI consent" in the chat to immediately revoke consent.

Third-party services

The following tables separate browser-loaded services from server-side processors used in specific situations:

Browser-loaded and direct feature services

ServiceWhenData sent
Google Analytics 4Page view (requires consent)Anonymised IP, page views, device info
Zoho PageSensePage views, experiments, heatmaps and session recording on public pages (requires consent)Page views, clicks/scrolling, heatmap and session-recording interactions, experiment variant, device and browser info
Nominatim (OpenStreetMap)"Near me" or home addressYour address query for geocoding
JobEd Connect (JobTech)Career tab in school viewEducation text for occupational matching
Skolverket APISchool view (surveys, documents)School unit code (no personal data)
Google CDN (gstatic.com)Login (Firebase authentication)IP address when downloading login scripts
StripePayment for Pro servicesEmail, organisation name, card details (handled by Stripe)
Sentry (EU region, Germany)Automatically on technical errorsError messages and stack traces, browser info, IP address (anonymised by Sentry shortly after receipt)

Server-side processors

The following services receive data only via our servers when you use the relevant feature or after approved activation:

ServiceWhenData sent
ResRobot (Trafiklab)Commuting tab in school viewCoordinates for start/destination
ResendSchool watching (confirmation and notification emails)Email address
Firebase / Google CloudUser accounts and databaseAccount data, organisation data (EU region)
Anthropic (Claude API)AI chat (Kollen) — requires consentChat messages, school context
OpenAIStylisation of voluntarily submitted school photosSubmitted school image
Zoho DeskSupport tickets and journalist data orders after approved activationName, email, outlet/newsroom, beat, order content, consent metadata, internal triage tags and private quality/neutrality comment
Zoho CRMMinimal contact record for journalist data orders after approved activationName, email, outlet/newsroom, beat, source and order status

Nominatim, ResRobot and JobEd Connect are contacted only when you actively use a feature that requires them — they are never loaded automatically.

Fonts

We use the typefaces Literata and Sora, which are self-hosted on our server. No requests are sent to Google Fonts or other font providers. The Leaflet map library is served locally from our server. Firebase authentication does load client scripts from Google's CDN (gstatic.com), see the table above.

School data and public information

All school data shown on Skolkoll is public information from Skolverket, SCB, Bolagsverket and Skolinspektionen.

Personal data about school staff

In a school's detail view, the following personal data may be displayed:

The principal's name is public information published by Skolverket in their school unit register. Our legal basis for displaying this is legitimate interest (GDPR Art. 6(1)(f)) — the information is already publicly available and there is a public interest in transparency regarding school leadership.

We publish no personal data about pupils, teachers or other school staff beyond the above.

Balancing test

We have conducted a balancing test under GDPR Art. 6(1)(f):

Embeddable widgets

Skolkoll offers embeddable widgets (/widget/skola/{slug}/ and /widget/kommun/{slug}/) that can be used on external websites. We do not restrict which domains may embed them — they are openly available and designed to support transparency around school data.

Attribution is preserved through the widget footer, which links back to Skolkoll. If you observe misuse (e.g. phishing sites embedding our widgets to gain credibility), contact us at info@skolkoll.se and we will assess the need for additional measures.

Your rights

Under GDPR, you have the right to:

Changes

We may update this policy as needed. The latest version is always available on this page.