Privacy Policy
This Privacy Policy explains how Firma Kimmo Björnsson, org. no. 780106-5595, Grankullegatan 67, 441 46 Alingsås, Sweden (“BottomUp”, “we”, “us”) collects, uses and protects personal data when you use the BottomUp service (the “Service”) and the website bottomup.se.
1. Two Roles: Controller and Processor
BottomUp processes personal data in two distinct roles:
- As controller for personal data of website visitors, prospects, end-users of the Service (the people logging in), and customer contacts. This Privacy Policy describes that processing.
- As processor for personal data that a customer organisation imports into the Service for forecasting and analysis (for example employee compensation data). That processing is governed by the Data Processing Agreement at https://www.bottomup.se/dpa.html and not by this Privacy Policy.
2. Personal Data We Process and Why
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Name, email, organisation, role, password hash | Authenticate users; provide the Service | Contract (Art. 6(1)(b)) |
| Usage data | IP address, login timestamps, audit log entries, browser/device info | Operate the Service; security; troubleshooting | Legitimate interest (Art. 6(1)(f)) |
| Communication data | Email correspondence with support; meeting notes | Respond to enquiries; support | Contract / legitimate interest |
| Billing data | Customer name, address, org. no., payment status | Invoicing and accounting | Contract; legal obligation (Bookkeeping Act) |
| OAuth tokens | Access/refresh tokens for connected services (e.g. Google, Fortnox, QuickBooks) | Enable the integration the user activates | Contract (Art. 6(1)(b)) |
| Website analytics | Aggregated traffic statistics | Improve the website | Legitimate interest |
The Service is not designed for, and we do not intentionally process, special categories of personal data (Article 9 GDPR) or data on criminal convictions (Article 10 GDPR). You should not upload such data to the Service.
3. Google Services Integration
When you connect a Google account to the Service using OAuth 2.0, we request only the minimum scopes required for the features you enable in the BottomUp app. The exact scopes are shown to you at the consent screen at the time of connection.
We use the access only to operate the features you have enabled — we do not access or process Google data beyond what those features require, and we do not use it to build profiles, target advertising, or train AI models.
You may revoke our access to your Google account at any time at https://myaccount.google.com/permissions.
BottomUp’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4. Other Integrations (Fortnox, QuickBooks, Microsoft Business Central, Shopify, Banking)
When you connect another third-party system, we request the minimum scopes needed to provide the integration. Data flows between the third-party system and your account in BottomUp under your own agreement with that provider. We do not use such data for any purpose other than providing the Service to you, and we do not sell or share it with unrelated third parties.
Bank account aggregation (PSD2): When you connect a bank account, balances and transaction history are retrieved through a licensed PSD2 account-information service provider (Enable Banking Oy, Finland). We read this data in read-only mode and never initiate payments. You authorise the bank connection at your bank and may revoke it at any time.
5. Sub-Processors
We use sub-processors to deliver the Service (e.g. cloud hosting, transactional email, AI providers, bot/CAPTCHA protection on sign-up and sign-in). The current list is published at https://www.bottomup.se/subprocessors.html.
Bot and CAPTCHA protection is delivered by Cloudflare Turnstile, which processes your IP address and User-Agent at sign-up and sign-in to distinguish humans from automated traffic.
Some sub-processors are established outside the EU/EEA (currently in the United States — see the sub-processor list). Transfers to those processors take place under Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework, supplemented by additional safeguards where required.
6. AI Features
The Service includes features that use a third-party large-language-model provider (currently Anthropic, USA — see the sub-processor list) to generate insights, summaries and chat responses. To answer your queries, the AI provider may be sent data drawn from across the Customer Data held in your BottomUp tenant — including, depending on the question asked, financial records, account data and personnel cost data.
Data sent to the AI provider is used only to generate the response shown to you. It is not used to train the AI provider’s models. AI output is decision support and may be incorrect — see Section 5 of the Terms of Service for the full disclaimer.
7. Storage and Retention
Primary storage of personal data is on infrastructure within the EU/EEA (Google Cloud Platform, region europe-west1). Some processing is performed by sub-processors based outside the EU/EEA, as described in Section 5 — such processing is governed by SCCs and additional safeguards.
Account, usage and billing data are retained for the duration of the customer relationship and for the period required by the Swedish Bookkeeping Act (currently 7 years for accounting records) or other applicable law. Other personal data is retained only as long as necessary for the purposes set out above and is then deleted or anonymised.
8. Sharing
We do not sell personal data. We share personal data only:
- with sub-processors acting on our instructions (see Section 5);
- where required by law, court order or competent authority; and
- in connection with a corporate transaction (e.g. sale of the BottomUp business), in which case we will require the acquirer to honour this Privacy Policy or an equivalent policy.
9. Your Rights
Subject to the conditions in the GDPR, you have the right to:
- access your personal data;
- have inaccurate personal data rectified;
- have personal data erased;
- restrict or object to certain processing;
- receive your personal data in a portable format; and
- not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise your rights, contact info@bottomup.se. If your personal data is processed by BottomUp on behalf of your employer or another customer organisation (i.e. processor data), please direct your request to that organisation.
10. Security
We apply appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encryption at rest, role-based access control, multi-factor authentication for privileged access, security monitoring and regular backups. Further detail is published in Annex 2 of the Data Processing Agreement at https://www.bottomup.se/dpa.html.
11. Supervisory Authority
If you believe that your personal data has been processed in violation of applicable data protection law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY): https://www.imy.se.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The current version is always published at https://www.bottomup.se/privacy.html with the version number and last-updated date at the top.
13. Contact
Firma Kimmo Björnsson
Grankullegatan 67, 441 46 Alingsås, Sweden
Email: info@bottomup.se