17 July 2026
Privacy policy.
ProseID processes two kinds of data: data about you, our customer, and data about your end users who complete Flows you've published. We treat these differently, and we never sell your data.
Who we are
ProseID (“ProseID”, “we”, “us”) operates the ProseID website, hosted Flows (including Standard Forms, Guided Assessments, Determinations and Compliance Checklists), workspace, and developer API from Edingekroken 12, 163 63 Spånga, Stockholm, Sweden. This policy explains how we handle personal data across those services. For privacy questions, to exercise your rights, or to contact the controller, email [email protected] or use our contact form.
Two roles, handled differently
We process two kinds of data. Data about you, our customer — a publisher or organization using ProseID — for which we are the controller. And data about your end users who complete Flows you publish, for which you are the controller and we act as your processor, handling submissions only on your instructions under our Data Processing Addendum.
Data we collect about you (the customer)
Account data: your email and name; a password (stored only as a secure hash by our authentication provider) or, if you sign in with Google or GitHub, the basic profile those providers return; your publisher handle and organization. Operational data: the IP address and device/browser you sign in from, and your activity inside the app, used to run the service, secure your account, and prevent abuse. Support data: the content of messages you send us.
Verification data (optional, for publishers seeking the verified badge)
If you apply to become a verified publisher, you provide professional credentials and your operating country. This evidence is stored privately, is accessible only to authorized staff, and is used to assess and monitor eligibility for the verified badge, investigate complaints, and prevent fraud, abuse, and impersonation. The evidence itself is never shown publicly. You can withdraw a pending application at any time, but withdrawal or later revocation does not require us to erase the decision record or limited supporting evidence immediately where it remains necessary for security, fraud prevention, disputes, legal claims, or legal obligations.
Data we process for your end users
When an end user completes a Flow you publish, we receive their submission, validate it against the schema bound to the Flow, and deliver the verified record to you through the channels you configured (API, webhook, email). We retain completed records in your workspace until you instruct us to delete them; they are not automatically purged after delivery. The deletion process and recovery period are described under “Retention”. Two related cases: if an end user asks us to email themselves a copy of a completed record, we send it to the address they enter, via our email provider; and if you issue a browser-bound Flow link, we process the recipient email you supply to deliver it. For all of this we act as your processor — you are the controller and are responsible for having a lawful basis to collect the data your Flows request.
Payments
Payments and publisher transfers are handled by Stripe. We do not receive or store full card or bank-account details. For customer billing, we store Stripe customer and subscription identifiers, paid subscription credits, purchased top-up credits, non-cash promotional credits, and their ledger. If a verified publisher enables earnings, Stripe collects the identity, business, bank, and tax information needed for its recipient account; we store the Stripe account identifier, capability/status summaries, fee history, earning ledger, hold state, verification status, transfer-freeze reason, and transfer identifiers. If publisher verification becomes inactive, we use those status and ledger data to stop withdrawals and retries while we investigate and settle affected amounts. Stripe may act as an independent controller for parts of its identity, compliance, and payment processing.
Cookies, storage & analytics
Essential storage — a sign-in session from our authentication provider that keeps you logged in securely — is strictly necessary and always on. Analytics (Google Analytics for Firebase) is off by default and runs only if you opt in through the cookie banner; you can change or withdraw that choice anytime via the “Cookie preferences” link in the footer. We also keep three things in your browser’s local storage: your cookie choice; an email you ask us to remember for receipts; and, when you use a browser-bound Flow link, an unfinished local draft so a refresh does not erase your answers. The draft stays in that browser, is sent to us only when you submit, is removed after a successful submission, and is discarded after its limited recovery period.
Legal bases (GDPR)
We rely on: performance of a contract (to operate the service and bill you); legitimate interests (to secure the service, prevent abuse, and improve the product); consent (analytics only, which you can withdraw); and legal obligation (e.g. tax and accounting records). For end-user submissions we process on your documented instructions under our processor role.
Security
All data is encrypted in transit (TLS) and at rest. End-user submissions and any signature are additionally encrypted at the application layer using Google Cloud KMS and cryptographically bound to the owning organization — the organization’s identifier is required to decrypt, so one organization’s submissions cannot be decrypted in another’s context, and key operations are logged. This is strong encryption at rest, not end-to-end encryption or anonymization: our server can decrypt a submission after authorizing an active member of the owning organization so it can render receipts and the workspace. Encrypted data that can be restored to an identifiable person remains personal data. No method of storage or transmission is perfectly secure.
Signatures
For a basic electronic signature, we collect the respondent’s typed name, explicit acknowledgement, and a server-recorded capture time. These signature data are encrypted and retained with the completed record under the customer’s instructions. The respondent is the signer; ProseID hosts and records the ceremony but does not present itself as the signer.
Sub-processors & international transfers
We use a small set of infrastructure providers (hosting, database, email, payments, and — if you opt in — analytics). The current list is at /legal/sub-processors. Some providers (e.g. Google and Stripe) may process data outside the EEA; where they do, transfers rely on an adequacy decision or Standard Contractual Clauses. Transactional email is sent through our provider’s EU data centre.
Retention
We keep your account and its data until you delete it. You can export and then delete your account from account settings. Completed records are durable, customer-controlled evidence: by creating them, the customer instructs us to retain their encrypted submissions, validation proofs and any signature artifacts unless and until a deletion instruction is actioned, including after account closure. Organization owners and admins can submit one or more owned record IDs from Settings. After authorised ProseID staff validate and action the instruction, the affected records become unavailable through the workspace, API, proof and receipt routes immediately. They remain in a restricted administrative recovery state for 30 days so an accidental instruction can be reversed. When that period ends, the submission payload, validation proof, signature artifacts, delivery copies and completed Flow link are permanently deleted. Only a minimal payload-free administrative audit and anti-recreation record, along with financial records we must retain, remain. Publisher fee, earning, transfer, Stripe-account-reference, tax, accounting, fraud-prevention, verification-revocation, and dispute records may survive profile or account deletion for as long as required to investigate activity, settle obligations, prevent repeat impersonation or abuse, and satisfy applicable retention duties; public profile details are removed or reduced to the minimal provenance record needed for permanent releases. Before actioning an instruction, we may defer deletion where storage is required by law or necessary for an actual legal claim; restricted data is removed when that reason ends. Deleting a signed payload prevents later verification against its original contents. Verification evidence is kept while a badge is active and afterward only for the period reasonably required for review, fraud prevention, disputes, legal claims, or legal obligations. Backups are removed through their normal rotation.
Your rights
You have the right to access, correct, delete, export (portability), restrict, or object to the processing of your personal data, and to withdraw consent at any time. Customers can export or delete account data in settings, or contact us with a record-return or deletion instruction. If you are an end user who completed someone’s Flow, contact the publisher who sent it to you — they are the controller — and we will assist them in responding under our Data Processing Addendum. Erasure can be limited where a specific legal obligation or the establishment, exercise or defence of a legal claim requires continued restricted storage. You may also lodge a complaint with your data-protection supervisory authority (in Sweden, the IMY).
Children & changes
ProseID is not directed to children and should not be used to collect data from anyone under 16 without a lawful basis. We may update this policy; we will change the “last updated” date above and, for material changes, notify you.
Privacy questions or requests: [email protected].