Privacy Policy for Komisio
This Privacy Policy explains how personal data is collected, used, shared, and protected when you use the Komisio platform (the “Service”), including the Komisio mobile applications, web backoffice, APIs, and related documentation and support channels.
Komisio is designed for businesses operating commission-based and second-hand retail workflows. The Service may process personal data relating to store staff users, sellers, and (where the store chooses) end-customers.
1. Who We Are
The Service is provided by Inority AB (“Komisio”, “we”, “us”, “our”), a Swedish company.
Company details
Inority AB
Organization number: 559142-6720
Registered address: Fru Gustavas väg 6, S-65346 Karlstad
Country: Sweden
Contact
General/support email: support@komisio.com
Privacy inquiries: privacy@komisio.com (or use support email)
Website: https://komisio.com
2. Roles Under GDPR: Data Controller & Data Processor
Depending on the context, Inority AB may act as a Data Controller or a Data Processor under the EU General Data Protection Regulation (GDPR).
2.1 When Inority AB is the Data Controller
Inority AB is the Data Controller for personal data processed to run, administer, secure, and improve the Service, such as:
- Account registration and administration for store staff users (admins, employees)
- Subscription management, billing, and payment status
- Support communications and service notices
- Security, anti-abuse measures, diagnostics logs, and audit logs
- Platform telemetry and diagnostics (e.g., Application Insights)
2.2 When Stores Are the Data Controller
Stores using Komisio are typically the Data Controller for personal data they enter or manage in the Service, including:
- Seller identities, contact information, and agreements
- Item handling and sales records tied to identifiable individuals
- Customer-related data (if the store chooses to store such data in Komisio)
- Any personal information that may appear in uploaded content (e.g., photos)
- National identification numbers (where legally permitted and configured by the store)
2.3 When Komisio Acts as Data Processor
For seller/customer data processed on behalf of a store, Komisio acts as a Data Processor and processes data only on the store’s documented instructions. This relationship is typically governed by a Data Processing Agreement (DPA) under GDPR Article 28.
3. Personal Data We Process
The categories of personal data we process depend on how the Service is used and configured by the store. Below are common categories.
3.1 Account & Identity Data (staff users)
- Name, email address, username
- Authentication data (e.g., password hash, tokens) and login events
- Role and permissions within a tenant/store
- Optional profile data (e.g., phone number) if provided
3.2 Store-Provided Seller Data
- Seller name and contact details (email, phone, address) as configured by the store
- Seller identifiers (e.g., internal seller number)
- Seller payout, sales history, and statements (as configured by the store)
- National identification numbers (where legally permitted and configured by the store)
3.3 Customer Data (if stored by the store)
- Customer name and contact details
- Purchase history and receipts linked to a customer profile
- Notes entered by the store (which may contain personal information)
3.4 Item Content (photos and metadata)
- Photos of items uploaded by store staff or sellers
- Item metadata such as title, description, category, brand, size, price, and status
- Operational history (who registered/approved/updated an item and when)
3.5 Technical & Usage Data
- IP address
- Device information (model), operating system, app version
- Event logs (feature usage, errors/crashes)
- Approximate location derived from IP (country/region level)
3.6 Diagnostics, Telemetry & Logging
We use telemetry and diagnostics to operate, secure, and improve the Service (for example, stability, crash analysis, performance, and incident response). We use Microsoft Application Insights for telemetry.
We do not intentionally log personal data. Where personal data may appear in diagnostic context, we apply masking and data minimization to reduce and avoid personal data in logs.
3.7 Communications
- Support tickets, emails, and messages sent to us
- Attachments you provide when asking for help (e.g., screenshots)
4. Purposes of Processing
- Provide and operate the Service
- Authenticate users and manage access permissions
- Enable store workflows (item intake, review, registration, pricing, sales tracking)
- Provide support, respond to requests, and communicate service updates
- Maintain security, prevent fraud/abuse, and protect tenants
- Improve performance, reliability, and user experience
- Comply with legal obligations and enforce our terms
5. Legal Bases (GDPR)
If GDPR applies, we rely on one or more of these legal bases:
- Contract – to provide the Service under our agreement with the store/customer
- Legitimate interests – to secure, maintain, and improve the Service, and prevent misuse
- Legal obligations – e.g., accounting/security obligations where applicable
- Consent – where required (for example push notifications and certain marketing communications)
6. Push Notifications
The Komisio mobile application may send push notifications if a store enables the feature and the user grants permission on their device. Push notifications may be used for operational messages such as item status updates, tasks, or store-related notifications.
- You can disable push notifications at any time in your device settings.
- Where applicable, stores may also provide in-app settings to manage notification preferences.
- Push tokens/identifiers are stored securely and used only to deliver notifications.
7. AI / Automated Processing
The Service may offer AI-assisted features such as item search and categorization support. Komisio uses Azure AI Search to index item content and improve search functionality within a store’s tenant.
- AI outputs are intended as suggestions and may be inaccurate.
- Stores remain responsible for verifying item classification, pricing, and compliance.
- We do not use AI for automated decisions producing legal or similarly significant effects on individuals.
8. Sharing of Personal Data
We may share personal data in the following circumstances:
8.1 With subprocessors (service providers)
We use trusted third-party providers to deliver the Service (e.g., cloud hosting, monitoring, email, payments). These providers process personal data only as necessary to provide their services.
8.2 Within your organization / tenant
Data entered into a store tenant is accessible to authorized users within that tenant, subject to role-based access controls.
8.3 Legal requirements
We may disclose data if required to comply with law, regulation, legal process, or enforceable governmental request.
8.4 Business transfers
If we are involved in a merger, acquisition, restructuring, or asset sale, personal data may be transferred as part of that transaction, subject to appropriate safeguards.
We do not sell personal data.
9. Subprocessors
We use subprocessors to operate the Service. The list may change over time. The table below reflects our current core vendors.
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting, storage, databases, backups | Sweden Central (EU/EEA) |
| Microsoft Application Insights | Telemetry, diagnostics, performance monitoring | Sweden Central / EU (configured in Azure) |
| Azure AI Search | Search indexing and AI-assisted search in the Service | Sweden Central / EU (configured in Azure) |
| MailerLite | Email communications (transactional and service notices, and marketing where applicable) | EU/EEA and/or other regions depending on MailerLite configuration |
| Stripe | Subscription billing and payment processing | EU/EEA and/or global (depending on Stripe setup) |
| Swish | Payment processing (Sweden) | Sweden |
10. International Transfers
If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) or another lawful transfer mechanism, and implement additional protections where necessary.
11. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including: providing the Service, compliance, security, dispute resolution, and enforcing agreements.
| Data category | Typical retention | Notes |
|---|---|---|
| Account data (staff users) | For the duration of the account + a limited period after closure | Some logs may be retained longer for security/compliance. |
| Support communications | As needed to handle the case + reasonable archival period | May be deleted earlier upon request where feasible. |
| Operational logs / telemetry | Limited period (e.g., weeks/months) | Used for stability, incident response, and security monitoring; masked to avoid personal data. |
| Store tenant data (seller/customer/item) | As configured by the store | Store is typically the controller and decides retention. |
12. Security
We implement appropriate technical and organizational measures to protect personal data. These measures may include:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive fields (including national identification numbers)
- Role-based access controls and least privilege
- Secure hosting in Sweden Central (Azure)
- Monitoring, masked logging, and incident response
- Regular updates and vulnerability management
13. Cookies and Analytics
The Service (web backoffice and documentation pages) may use cookies or similar technologies for essential functionality and to understand usage patterns.
- Essential cookies – required for login, session handling, and security.
- Analytics/Telemetry – used to improve reliability and performance (including Application Insights).
Where required by law, cookie/consent mechanisms may be used depending on how and where Komisio is deployed.
14. Data Subject Rights
Depending on your location, you may have rights regarding your personal data, such as:
- Access and receive a copy of your personal data
- Rectification (correction)
- Deletion (where applicable)
- Restriction and objection
- Data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
If you are a seller or end-customer, the store is typically the Data Controller for your data in Komisio, and the store should handle your request. If you are a staff user of a store, you may also contact us.
15. Data Breach Notification
In the event of a personal data breach, we will take reasonable steps to investigate, mitigate, and document the incident. Where Komisio acts as a processor for store-controlled data, we will notify the store without undue delay so the store can meet its obligations under GDPR Articles 33 and 34, where applicable.
16. Complaints
If you are in the EU/EEA and believe that we process your personal data unlawfully, you have the right to lodge a complaint with your local supervisory authority. In Sweden, this is typically the Swedish Authority for Privacy Protection (IMY).
17. Children’s Privacy
The Service is not intended for children under 16, and we do not knowingly collect personal data from children.
18. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be published on this page and the “Last updated” date will be revised.
19. Contact Us
For privacy-related questions or requests:
- Email: privacy@komisio.com (or support@komisio.com)
- Website: https://komisio.com