Privacy Policy
What we collect, why, and your rights. Last updated 30 April 2026.
Last updated: 29 April 2026
This policy explains how Hojt Communication AB, organisation number 559017-1459, registered in Sweden (“Adamiro”, “we”, “us”) processes personal data when you visit our website at adamiro.com, use the Adamiro service, contact us, or interact with our marketing.
1. Who is the controller
For personal data we collect about you as a website visitor, account holder, prospect, or contact person at a customer organisation, Hojt Communication AB is the data controller.
For personal data you submit through the Service about other people (your colleagues, contacts, prospects, or end users), you are the controller and we are the processor. That relationship is governed by the Data Processing Addendum, which forms part of these Terms.
| Item | Value |
|---|---|
| Controller | Hojt Communication AB |
| Organisation number | 559017-1459 |
| Postal address | Höjeågatan 243, 23433 Lomma, Sweden |
| Privacy contact | privacy@adamiro.com |
| General contact | hello@adamiro.com |
| Data Protection Officer | Not appointed — we are not required to appoint a DPO under GDPR Art. 37. Privacy enquiries are handled at the address above. |
2. Scope
This policy covers personal data we process as controller, including:
- Visitors to adamiro.com and adam.hojt.se (staging).
- People who fill in forms, sign up for a free trial, or subscribe.
- Account holders and seat-level users on customer accounts.
- Contact persons at prospects, suppliers, and partners.
- People who email or call us.
- Job applicants who contact us via the website.
Where customers process personal data of third parties through the Service (for example, their prospects in Match, recipients in Outreach Automation, or contacts in Mentor / The Tank conversations), we act as a processor on the customer’s behalf and the DPA governs that processing.
3. What personal data we process, why, and on what lawful basis
The table below lists each processing activity. “Lawful basis” refers to GDPR Art. 6(1) letters (a) consent, (b) contract, (c) legal obligation, (d) vital interests, (e) public task, (f) legitimate interest. Where we rely on legitimate interest, we have carried out a documented Legitimate Interest Assessment (LIA) and the assessed interests are summarised in the Why column.
3.1 Visitors to our website
| Data | Examples | Source | Lawful basis | Why | Retention |
|---|---|---|---|---|---|
| Technical session data | IP address, browser type, OS, referrer, pages viewed | Browser | Art. 6(1)(f) legitimate interest in site operation, security, and abuse prevention | Operate and secure the site, detect attacks, debug | 12 months in security logs, then deletion |
| Cookie / analytics data | See section 8 below | Browser | Consent (Art. 6(1)(a)) for non-essential cookies; legitimate interest for strictly-necessary | Measure aggregate site traffic, improve UX | Up to 13 months from last visit (CNIL guidance) |
| Form submissions | Name, email, message, company | You | Art. 6(1)(b) (pre-contractual steps) for trial / sales enquiries; Art. 6(1)(f) for general enquiries | Respond to enquiries, set up a trial | 24 months from last contact, or until you object |
3.2 Account holders and customer users
| Data | Examples | Source | Lawful basis | Why | Retention |
|---|---|---|---|---|---|
| Account profile | Name, email, password hash, phone (optional), company, role, time zone, locale | You | Art. 6(1)(b) contract | Provide the Service, authenticate you | While account active + 90 days; then anonymised or deleted on request |
| Billing data | Card last 4 digits (held by Stripe), VAT ID, billing address, invoices, payment history, plan, Task balance | You via Stripe | Art. 6(1)(b) contract; Art. 6(1)(c) Swedish bokföringslagen (7 years for accounting records) | Charge you, fulfil tax/accounting duties | Accounting records: 7 years per Swedish law. Card data is held by Stripe, not us. |
| Usage and Service data | Run history, Task consumption, module activity, run inputs and outputs, file uploads, advisory session transcripts | You | Art. 6(1)(b) contract | Operate the Service, support, troubleshooting | While account active + 90 days unless you delete sooner; then deletion or anonymisation |
| Support correspondence | Tickets, chat transcripts, emails | You | Art. 6(1)(b) contract; Art. 6(1)(f) for record-keeping | Resolve your issues, audit trail | 36 months from ticket close |
| Security logs | Login times, IP, device fingerprint, abuse-detection incidents (see TODO §2) | System | Art. 6(1)(f) legitimate interest in account security and prevention of abuse | Detect compromised accounts, investigate abuse | 12 months; abuse incidents up to 24 months |
| Marketing communications | Email opens, clicks, preferences | System and you | Consent (Art. 6(1)(a)) for newsletters; Art. 6(1)(f) for B2B service updates to existing customers | Send relevant updates and offers | Until you unsubscribe; then suppression-list only |
3.3 People you contact through the Service (third parties)
When you use Match, Outreach Automation, or any feature where you submit data about real people, you are the controller. The DPA governs that processing. We do not use those individuals’ data for our own purposes beyond delivering the Service to you.
3.4 Service improvement and model training
We may use de-identified, anonymised Input and Output to evaluate, debug, and improve the Service, including to train and develop our own models, prompt libraries, and agentic workflows.
| Aspect | Detail |
|---|---|
| Lawful basis | Art. 6(1)(f) legitimate interest, balanced against the right to opt out at any time |
| What is collected | Anonymised Input/Output text only; no user, account, or session identifiers; PII surrogates replace names, emails, phone numbers, addresses, personnummer, organisation numbers, account numbers, IP addresses, and other re-identifying values |
| Where it lives | Separate corpus table with no foreign keys back to user identities |
| Retention | Up to 24 months from capture; then automatic deletion |
| Provider exclusions | Outputs we receive from upstream providers whose terms forbid downstream training are excluded at capture time |
| Opt-out | A toggle in your account settings; turning it off prevents future capture and triggers retroactive removal of already-captured rows within 7 days |
4. Where we get personal data
We receive personal data from:
- You directly — when you sign up, fill in a form, send us an email, or use the Service.
- Your colleagues — when an account owner adds you as a seat or shares a workspace.
- Stripe — billing and payment data when you pay an invoice.
- Public sources — when relevant for B2B prospecting on our side (LinkedIn profile pages, company websites, press releases).
- Cookies and similar technologies — see section 8.
5. Who we share personal data with
We share personal data only as needed to operate the Service:
- Sub-processors (see section 9 and the DPA Annex 2) — providers who process personal data on our behalf under written contracts that include GDPR Art. 28 obligations.
- Professional advisers — accountants, auditors, lawyers, under confidentiality obligations.
- Authorities — where required by Swedish or EU law, court order, or to defend our legal rights. We push back on overbroad requests.
- Acquirer or successor — in a corporate transaction (sale, merger, spin-out to a successor entity holding the Adamiro business); in that case the acquirer takes over as controller subject to this policy or a comparable one.
We do not sell personal data and do not share personal data with advertisers for cross-context behavioural advertising.
6. Children
The Service is intended for business users only. We do not knowingly collect personal data from anyone under 18. If you believe a minor has given us their data, contact privacy@adamiro.com and we will delete it.
7. Automated decisions and AI output
The Service uses generative AI to produce Output. We do not use the Service to make automated decisions producing legal or similarly significant effects on you within the meaning of GDPR Art. 22. Output is decision support — you remain responsible for any decision you make based on it.
We do run automated processes that may affect your account in operational ways (login throttling, fraud / abuse detection per TODO §2, billing-related suspensions). These are not Art. 22 decisions because a human can review them on request and they are necessary to perform the contract or to comply with law.
8. Cookies and analytics
We use a small number of cookies and similar technologies. They fall into two groups:
- Strictly necessary — required for sign-in, session security, and the basic functioning of the site/app. Set on the basis of legitimate interest; cannot be disabled without breaking the Service.
- Optional — analytics and product-usage measurement. Set only with your consent via the cookie banner.
The cookie banner on adamiro.com is operated by the CookieYes WordPress plugin. CookieYes shows the live cookie / SDK list (provider, purpose, duration), records consent, and gives you per-category controls (strictly necessary, functional, performance, analytics, advertisement). You can re-open the banner at any time from the “Cookie settings” link in the site footer to change your choices.
CookieYes itself stores the consent record (a hashed identifier, the choices made, and a timestamp) so we can demonstrate compliance under GDPR Art. 7. The full CookieYes privacy notice is available at cookieyes.com/privacy-policy.
9. Sub-processors
We use the following sub-processors. The current list with locations, roles, and transfer mechanism is also in DPA Annex 2; both lists must agree.
| Sub-processor | Role | Country of processing | Transfer mechanism |
|---|---|---|---|
| OpenAI Ireland Ltd. | Large-language-model inference for various modules | Ireland (with potential US transfer) | EU SCCs |
| Anthropic Ireland Ltd. | LLM inference (Claude) | Ireland (with potential US transfer) | EU SCCs |
| Google Ireland Ltd. | Gemini LLM inference; Google Workspace for our internal email/files | Ireland / EU (with potential US transfer) | EU SCCs |
| Stripe Payments Europe Ltd. | Payment processing, invoicing | Ireland (with potential US transfer) | EU SCCs |
| n8n GmbH (n8n Cloud) | Workflow orchestration that ties module steps together | Germany | Within EU/EEA — no transfer required |
| Hojt Communication AB hosting (FTP / WordPress) | Hosting of adamiro.com and adam.hojt.se | Sweden | Within EU/EEA |
| Qdrant Solutions GmbH (Qdrant Cloud) | RAG and persona memory for Mentor and The Tank | Germany (Frankfurt region) | Within EU/EEA — no transfer required |
| Mailjet SAS (a Sinch company) | Transactional email (account, billing, run notifications) | France (data centres in Belgium and Germany) | Within EU/EEA — no transfer required |
| CookieYes | Cookie consent management (banner, consent log, category controls) | EU/EEA + India (CookieYes is operated by Webtoffee, India) | EU SCCs |
We will give you reasonable advance notice of new sub-processors in this list and offer you a right to object on documented data-protection grounds.
10. International transfers
The default position is to keep personal data inside the EU/EEA. Where a sub-processor processes data outside the EU/EEA (in particular for US-based AI providers and their parent companies), the transfer is covered by Standard Contractual Clauses (EU Commission decision 2021/914) and, where appropriate, supplementary measures (encryption in transit and at rest, access logging, contractual prohibitions on government access not strictly required by law).
You may request a copy of the relevant SCCs by writing to privacy@adamiro.com. Confidential commercial terms may be redacted.
11. Security
We apply technical and organisational measures appropriate to the risk of the processing, including:
- Transport encryption — TLS 1.2+ across all customer-facing endpoints.
- At-rest encryption — for databases, backups, file storage, and vector stores where supported by the provider.
- Access control — least-privilege role-based access; named-person admin accounts; multi-factor authentication required for production access.
- Secrets management — credentials and API keys are kept in a password manager / secrets store, not in source code.
- Logging and monitoring — application, security, and access logs with anomaly detection on the staging-to-production deploy pipeline.
- Backups — daily database backups retained for 30 days; recovery drills annually.
- Vulnerability management — dependency monitoring, patching on documented cadence; staging environment used for pre-production validation per DEVELOPMENT_PIPELINE.md.
- Personnel — confidentiality obligations for everyone with access; background checks for production access.
- Sub-processor diligence — contracts include GDPR Art. 28 and Art. 32 obligations.
A more detailed list of measures is in DPA Annex 3.
No system is perfectly secure. If you discover a vulnerability, please report it to security@adamiro.com — we operate good-faith vulnerability disclosure and won’t pursue researchers acting in good faith.
12. Your rights
Under GDPR Articles 15-22, you have the right to:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | A copy of personal data we hold about you and information about how we process it | Email privacy@adamiro.com |
| Rectification (Art. 16) | Correction of inaccurate or incomplete data | Account settings or email us |
| Erasure (Art. 17) | Deletion where there is no overriding lawful reason to keep it | Email us; note legal-retention exceptions (e.g. accounting records under Swedish law) |
| Restriction (Art. 18) | Processing limited while a dispute is resolved | Email us |
| Portability (Art. 20) | Your data in a structured, machine-readable format | Email us; we provide JSON exports for the data you submitted |
| Objection (Art. 21) | To processing based on legitimate interest, including direct marketing and the training-data use described in section 3.4 | Email us, or use the in-product opt-out for training |
| Withdraw consent (Art. 7(3)) | For processing based on consent (newsletters, optional cookies) | Use the unsubscribe link / cookie-banner controls |
| Not be subject to solely automated decisions (Art. 22) | We do not run such decisions; if you believe an automated process has affected you significantly, ask for human review | Email us |
We will respond within one month of receipt of a verifiable request, extendable by two further months for complex requests with notice. We may need to verify your identity before disclosing data — usually by asking you to confirm a recent account action or email from the address on file.
We do not charge a fee for the first request in a 12-month period and will not refuse a request unless it is manifestly unfounded or excessive (in which case we will explain).
13. Right to complain
If you believe we have processed your data unlawfully, you may complain to the Swedish data-protection authority:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
imy@imy.se · imy.se
You may also complain to the supervisory authority of the EU/EEA member state where you live or work.
14. Changes to this policy
We may update this policy. Material changes will be notified by email or in-app at least 30 days before they take effect. Non-material changes (typo fixes, sub-processor additions of the same type) take effect on posting.
A change log is maintained at the bottom of this document.
15. Contact
| Subject | Address |
|---|---|
| Privacy and data-subject requests | privacy@adamiro.com |
| Security disclosures | security@adamiro.com |
| Legal notices | legal@adamiro.com |
| General | hello@adamiro.com |
| Postal | Hojt Communication AB, Höjeågatan 243, 23433 Lomma, Sweden |
Change log
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-04-29 | Initial draft (pending Swedish counsel review). |