23 years from Stockholm
Privacy Policy

Privacy Policy

This Privacy Policy describes how Authorize Hosting collects, uses, shares, retains, and protects personal data in connection with our email infrastructure services. We are the data controller for personal data collected about you as a customer, prospect, or website visitor. Our practices comply with the General Data Protection Regulation (GDPR), the Swedish Data Protection Act, and the ePrivacy Directive as transposed into Swedish law.

1. Data controller

The data controller for personal data collected under this Privacy Policy is Authorize Hosting, a Swedish private company operating from registered address Nybrokajen 7, Våning 4, 11148 Stockholm, Sweden. For all questions, requests, or complaints relating to the processing of your personal data, including exercising your rights under the GDPR, you may contact us by email at the address published on the privacy@authorizehosting.com (or via the contact page) or by postal mail at the registered address above. We will respond to data protection requests within the timeframes required by the GDPR.

For matters where Authorize Hosting processes personal data on behalf of a customer rather than as a data controller — typically, recipient data contained within emails that customers transmit through our infrastructure — the customer is the data controller and Authorize Hosting acts as a data processor. The rights and obligations in that processor relationship are governed by the Data Processing Addendum rather than by this Privacy Policy.

2. Personal data we collect

We collect personal data in the following categories, each tied to a specific purpose and legal basis described in Section 3.

2.1 Account and contact data

When you register an account or make an enquiry, we collect the name, email address, phone number (where provided), company name, job title, billing address, and any other information you voluntarily provide in the registration form or through subsequent communications with our team. This data is provided directly by you at the point of registration or enquiry.

2.2 Billing and payment data

For paid services, we collect billing address, VAT identification number (for business customers), payment method details, and transaction history. Payment method details for card or PayPal payments are handled by our payment processors and are not stored on our infrastructure; we receive only transaction references, amounts, status, and the last four digits of cards where applicable. For cryptocurrency payments (Bitcoin, USDT), we record the transaction hash and amount. For SEPA bank transfers, we receive standard bank transfer metadata.

2.3 Service usage and technical data

When you use the Services, we collect technical operational data including SMTP connection logs (IP address of origin, timestamp, SMTP response codes, message identifiers), API access logs (endpoint, request metadata, response status, timestamps), authentication events (login timestamp, source IP, user agent), dashboard activity (feature usage, configuration changes), and similar operational telemetry. This data is collected automatically when you interact with our infrastructure and is used for service delivery, troubleshooting, security, and compliance.

2.4 Support and communications data

When you contact our support or operator team, we collect the content of your communications (email bodies, support tickets, chat transcripts where applicable), attachments you send, metadata about the communication (timestamps, the communication channel), and notes that our team records in the course of resolving your enquiry. We retain this data to provide support continuity and to maintain a record of our operational interactions with you.

2.5 Website visitor data

When you visit our website without registering or contacting us, we collect limited technical data automatically: IP address (truncated for analytics purposes where applicable), browser type and version, operating system, referring URL, pages viewed, time on site, and approximate geographic location derived from IP. This data is collected through server logs and through the minimal analytics described in Section 10.

2.6 Data we do not collect

We do not collect sensitive personal data (also called "special categories" of personal data) as defined in Article 9 of the GDPR — including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation — unless you voluntarily provide such data in communications with us (for example, if you describe your organisation's work in a scoping call). We do not ask for such data and we process it only to the extent necessary to respond to the communication in which you volunteered it.

3. Legal bases for processing

We process personal data on the following legal bases under Article 6 of the GDPR.

Contract (Article 6(1)(b)). Processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract. This legal basis applies to account and billing data, service delivery telemetry, and support interactions. If you do not provide data necessary for contract performance (for example, a valid billing address), we cannot provide the Services.

Legal obligation (Article 6(1)(c)). Processing is necessary for compliance with a legal obligation to which we are subject. This legal basis applies to retention of billing records for Swedish tax and accounting law purposes, retention of data required by law enforcement requests lawfully served upon us, and retention of data required by anti-money-laundering or sanctions screening obligations where applicable.

Legitimate interests (Article 6(1)(f)). Processing is necessary for the legitimate interests pursued by Authorize Hosting or by third parties, except where overridden by your fundamental rights and freedoms. We rely on legitimate interests for operational security monitoring, abuse prevention, infrastructure telemetry, aggregate analytics, and direct communications with existing customers about their services. We conduct legitimate interest assessments (LIAs) where appropriate to balance our interests against the rights of data subjects, and we provide opt-out mechanisms where meaningful alternatives exist.

Consent (Article 6(1)(a)). For specific processing activities where consent is the most appropriate legal basis — such as subscription to optional newsletters or marketing communications that are not necessary for contract performance — we rely on consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal. We do not rely on consent for any processing necessary to provide the Services.

4. Purposes of processing

We process personal data for the following purposes. Service provision: delivering the email infrastructure services you have subscribed to, including routing, deliverability, reporting, and dashboards. Account administration: registering your account, authenticating you, managing subscriptions, and handling payments. Customer support: responding to enquiries, troubleshooting issues, and providing operator-led engagement. Billing and accounting: issuing invoices, reconciling payments, and maintaining financial records. Security and integrity: monitoring for unauthorised access, preventing abuse of our infrastructure, and investigating security incidents. Legal compliance: complying with tax, accounting, anti-money-laundering, sanctions, law enforcement, and other legal obligations applicable to us under Swedish and EU law. Service improvement: analysing aggregate usage patterns (with data pseudonymised or anonymised where practical) to improve our Services, infrastructure, and documentation. Direct communications: sending you service announcements, security notices, pricing changes, and similar communications that are part of the contractual relationship, plus optional newsletters or marketing communications subject to your consent where applicable.

5. Data retention

We retain personal data for the periods described below. Retention is granular by data category because different categories have different operational and legal requirements, and retaining data longer than necessary would conflict with the GDPR's storage limitation principle.

Data retention periods by category, April 2026
Data categoryRetention periodRationale
Account and contact dataDuration of contract + 5 years after terminationContract performance plus the Swedish Accounting Act (Kirjanpitolaki) retention obligation for records related to business transactions
Billing and invoicing records10 years from end of accounting periodSwedish Accounting Act; Swedish tax law; VAT records; applies to invoices, payment references, and transaction records
SMTP and API operational logs30 to 90 days (varies by plan tier)Service delivery, troubleshooting, and operational telemetry; tier-specific retention is published on the respective service pages; we do not retain operational logs for longer than required by the applicable plan tier
Authentication and security event logs12 monthsSecurity monitoring, incident investigation, and abuse prevention; balances our security interests with the data minimisation principle
Support tickets and communicationsDuration of contract + 3 yearsSupport continuity and operational record-keeping; shorter than contract-plus-5 because these are not financial records
Aggregate analytics (pseudonymised)IndefiniteAggregate analytics with personal identifiers removed; not personal data after pseudonymisation completes; retained for long-term trend analysis
Marketing consent recordsUntil consent is withdrawn + 3 yearsEvidence that consent was obtained; required to defend against claims that marketing was sent without consent
Website visitor logs30 daysBasic server logs for security and troubleshooting; not used for profiling
Data under legal holdDuration of holdData subject to lawful preservation orders from competent authorities; retention overrides the standard periods above until the hold is lifted

After the applicable retention period expires, personal data is either deleted, anonymised beyond recovery, or — where pseudonymisation is sufficient for the remaining purpose — pseudonymised. We conduct retention review at least annually and adjust retention periods where operational or legal requirements change.

6. Data sharing and recipients

We share personal data with the following categories of recipients only to the extent necessary for the stated purposes. We do not sell personal data, and we do not share personal data for third-party marketing purposes.

6.1 Subprocessors

We use a limited set of subprocessors to deliver the Services. Current subprocessors include: payment processors (for card, PayPal, cryptocurrency, and SEPA transactions), transactional email infrastructure for our own account communications (we use our own infrastructure for customer-facing communications where practical), cloud and data-centre providers for infrastructure hosting in the European Union, helpdesk and ticketing software providers, and legal and accounting service providers. The current subprocessor list is maintained in Exhibit A of the Data Processing Addendum and is updated as subprocessors change. Subprocessors are bound by written agreements that include GDPR-compliant data protection obligations.

6.2 Affiliated companies

Where Authorize Hosting operates through affiliated companies or through wholly-owned subsidiaries for specific regional or operational purposes, personal data may be shared within the corporate group subject to the same data protection commitments described in this Privacy Policy. Any such sharing is internal and does not constitute disclosure to third parties.

6.3 Legal and regulatory disclosures

We may disclose personal data where required by applicable law, by a lawful order from a competent authority, by a valid subpoena, warrant, or court order, or where we have a good-faith belief that disclosure is necessary to protect our rights, property, or safety, or those of our customers or the public. We review requests carefully and challenge requests that appear to exceed lawful authority. We notify affected data subjects of such disclosures where permitted by law.

6.4 Business transfers

In the event of a merger, acquisition, reorganisation, or sale of substantially all of our assets, personal data may be transferred to the acquiring entity or to the surviving entity of the transaction, subject to continued protection under a privacy policy at least as protective as this Privacy Policy. We will notify affected data subjects of material changes resulting from such transfers with reasonable advance notice where practical.

7. International transfers

Our infrastructure is operated primarily within the European Union, and personal data is processed within the EU under the direct jurisdiction of the GDPR. Where transfers outside the European Economic Area (EEA) occur — for example, where a subprocessor operates internationally or where a customer's sending infrastructure integrates with external services — such transfers are conducted only under one of the following safeguards permitted by Article 46 of the GDPR: European Commission adequacy decisions for the destination jurisdiction, Standard Contractual Clauses (SCCs) in the form adopted by the European Commission on 4 June 2021 or any successor form, binding corporate rules where applicable to the subprocessor, or other appropriate safeguards recognised under the GDPR.

Where transfers to the United States are involved, we assess the availability of the EU-US Data Privacy Framework (adopted July 2023) as a transfer mechanism for US-based recipients self-certified under that framework, or fall back to Standard Contractual Clauses with supplementary safeguards where the Framework is not applicable. We conduct transfer impact assessments (TIAs) consistent with guidance from the European Data Protection Board where third-country transfers present elevated risk.

8. Data subject rights

Under the GDPR and Swedish data protection law, you have the following rights with respect to your personal data. You may exercise these rights at any time by contacting us through the channels described in Section 1.

Right of access (Article 15). You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to that personal data together with information about the processing. We respond to access requests within one month; complex requests may be extended by up to two additional months with notice.

Right to rectification (Article 16). You have the right to obtain correction of inaccurate personal data concerning you and to have incomplete personal data completed. For account and billing data, you can rectify most information directly through the Client Area; for other data, contact us.

Right to erasure — "right to be forgotten" (Article 17). You have the right to obtain erasure of personal data concerning you where the processing is no longer necessary, where you withdraw consent (for consent-based processing), where you object to processing based on legitimate interests and no overriding legitimate interest exists, or where the data has been unlawfully processed. This right is subject to exceptions for compliance with legal obligations (for example, tax law retention) and for establishment, exercise, or defence of legal claims.

Right to restriction of processing (Article 18). You have the right to obtain restriction of processing under specific circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, or where we no longer need the data but you require it for legal claims.

Right to data portability (Article 20). For data processed on the basis of consent or contract and by automated means, you have the right to receive the personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to object (Article 21). You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests. You have an unconditional right to object to processing for direct marketing purposes.

Rights related to automated decision-making and profiling (Article 22). You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. We do not conduct automated decision-making with legal or similar significant effects on our customers.

Right to withdraw consent. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The Swedish supervisory authority (IMY) is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Ratapihantie 9, 00520 Stockholm, Sweden. We encourage you to contact us first so that we can address your concern directly, but you are not required to do so before contacting the supervisory authority.

9. Security measures

We implement technical and organisational measures appropriate to the risk, as required by Article 32 of the GDPR, to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption of data in transit using current TLS standards, encryption of sensitive data at rest, access controls based on the principle of least privilege, multi-factor authentication for administrative access to our infrastructure, network segmentation and firewall policies, regular security monitoring and log review, documented incident response procedures, regular backups with tested restoration, physical security at data-centre facilities, employee training on data protection, background checks for personnel with access to customer data, and contractual obligations on subprocessors to implement equivalent measures.

No security measure is absolute, and we do not guarantee that personal data will be immune from all possible threats. We continually review and update our security posture based on emerging threats, technology developments, and regulatory guidance.

10. Cookies and similar technologies

Our website uses a minimal set of cookies and similar technologies. Strictly necessary cookies are used to operate the Client Area, maintain session state, and preserve security. These cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive and do not require your opt-in. Analytics cookies — where used — are configured with IP anonymisation and are limited to aggregate site usage measurement. We do not use third-party advertising cookies, tracking pixels for cross-site profiling, or behavioural advertising technologies. Where consent is required for non-essential cookies, we present a clear consent mechanism before setting such cookies; you may manage or withdraw consent through your browser settings at any time.

Our website does not deploy fingerprinting scripts, session replay tools that record visitor interactions beyond aggregate metrics, or similar invasive tracking technologies. The absence of these technologies is deliberate: our visitors are typically technical evaluators making infrastructure decisions, and minimal-footprint analytics is appropriate to that audience.

11. Data breach notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we notify the Swedish supervisory authority (IMY) (Tietosuojavaltuutetun toimisto) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we also notify affected data subjects without undue delay, as required by Article 34 of the GDPR. Breach notifications include the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of personal data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

For breaches affecting data processed on behalf of customers (where Authorize Hosting acts as a processor), notification obligations are governed by the Data Processing Addendum, which requires us to notify the affected customer without undue delay to enable the customer to meet its own notification obligations as controller.

12. Children's privacy

Our Services are directed to businesses and technical professionals and are not intended for use by children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you become aware that your child has provided personal data to us, contact us and we will take appropriate steps to delete that data unless retention is required by law.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in our Services, in applicable law, or in regulatory guidance. Material changes will be communicated to customers via email to the account contact address or via prominent notice on our website, with reasonable advance notice where practical. The version and effective date of this Privacy Policy are indicated at the top of this page. Prior versions are retained and available upon request.

Continued use of the Services after the effective date of updated policy constitutes acknowledgement of the updated policy. The updated policy does not, by itself, change the legal basis for processing personal data collected under a prior version; where a change to the legal basis is required, we will contact affected data subjects separately to explain the change and, where applicable, request consent.

14. Contact and data protection enquiries

For all data protection enquiries, including exercising the rights described in Section 8, contact us at the email address published on the contact page, or by postal mail at Authorize Hosting, Nybrokajen 7, Våning 4, 11148 Stockholm, Sweden. We aim to respond to data protection enquiries within the GDPR-mandated one-month response period; straightforward requests are typically resolved more quickly. For urgent security-related data protection matters — for example, a suspected account compromise affecting personal data — contact us through the security escalation channels described on the contact page for faster routing.

For matters specific to processing of recipient data or other personal data processed on behalf of a customer, see the Data Processing Addendum for the applicable rights, obligations, and notification procedures.