Privacy policy

This privacy policy describes how IMI supply chain solutions (Industri-Matematik International AB, Industri-Matematik International AS, Industri-Matematik International Sp. z o.o and Industri-Matematik International LTD), org.nr 556102-7680 (”IMI”, ”we”, ”us” or ”our”), processes personal data in its capacity as a data controller for individuals outside our organization. The policy covers, among other things, representatives, employees and consultants at our customers, suppliers, partners and authorities, job applicants and references, individuals who visit our website or sign up for our mailings and events, and others who contact us.

We deliver software, cloud services, and support services to corporate customers. When we process personal data on behalf of our customers within the scope of our services, we function as the customer’s personal data processor. Such processing is governed by the applicable Data Processing Agreement (DPA) between IMI and the respective customer and is not described in detail in this Policy. For information about such processing, we refer our customers to the applicable DPA.

Contact details for IMI:

Address: Repslagaregatan 24, 582 22 Linköping
Email: [email protected]

How we collect personal data

We collect personal data:

when you or the organization you represent communicate or enter a contract with us;
when you sign up for newsletters, webinars, events, or use forms on our landing pages;
when you visit our website (incl. via cookies and similar technologies in accordance with our specific cookie information which you can find in the tool for this on our website);
from third parties, e.g. your employer, public registers (e.g. company signature from the Swedish Companies Registration Office), recruitment platforms and social media, job applicants, and providers of marketing and sales support.

Categories of data subjects and purposes

Below we describe our processing by categories of data subjects. Therefore, read more below under the heading or headings that apply to you. Please note that additional data may be processed if you choose to provide it.

When it is stated below that ”Weighing of interests” as a legal basis, it means that we have made the assessment that we have a legitimate interest in the processing which is not overridden by your interests.

Representatives, employees and consultants at customers, suppliers, partners, and authorities

Purpose	Legal basis	Types of personal data	Storage time
Conclude, administer, and follow up agreements with your employer/client as well as ongoing business communication (incl. meetings, email, case management)	Weighing of interests, performance of agreements (if sole proprietorship)	Name, title, employer/client, email address, telephone number, personal identity number, information in communication (e.g. email), meeting and case history, audio and video at online meetings, technical metadata linked to digital signing	During the contractual relationship and thereafter normally up to 10 years from the termination of the agreement
Project and time reporting as well as follow-up of deliveries.	Weighing of interests	Name, title, employer/client, email address, telephone number, information in communication (e.g. email), meeting and case history, project/case and time reporting data	During the contractual relationship and thereafter normally up to 10 years from the termination of the agreement
Customer care and customer service	Weighing of interests	Name, title, employer/client, email address, telephone number, case history, information in communication	During the handling of the case and up to 1 year thereafter
Invoicing, payment processing, and accounting	Legal obligation, weighing of interests	Name, title, employer/client, email address, telephone number, invoice and payment information, references on verifications	Until the seventh year following the end of the calendar year in which the relevant financial year ended
Marketing and information about our products/services and publishing customer cases	Weighing of interests	Name, title, employer/client, email address, phone number, quotes/reviews, images, interaction with mailings	During the ongoing relationship and normally up to 1 year from the last relevant contact, you can object or unsubscribe at any time
Marketing suppression list	Legal obligation	Name, email address, telephone number	Without limitation in time
Mailing of newsletters	Consent	Name, title, employer/client, email address, preferences, interaction with mailings	Until consent is withdrawn
Customer surveys	Weighing of interests	Name, email address, responses to surveys	Up to 1 year from implementation
Conducting in events and webinars	Weighing of interests, consent for specific data (e.g. allergies)	Name, title, employer/client, email address, telephone number, information in the registration, sound and video at online meetings, picture, allergies	Up to 2 years after event/webinar, posting on social media platforms according to the platform’s terms and conditions
Produce statistics and develop our services and processes	Weighing of interests	All data that we process based on a weighing of interests can be used as a basis for anonymized statistics	Only as long as the data is processed for other specified purposes
Establishing, exercising, or defending legal claims and demonstrating compliance	Weighing of interests	Name, email address, telephone number, relevant case/contract details	Up to 10 years from the event that can give rise to a claim

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers that provide systems for customer management, case management, and mailing/marketing	Name, title, employer/client, email address, telephone number, interaction and case history, technical metadata linked to digital signing
Project and time reporting system provider	Name, title, employer/client, email address, telephone number, communication data (e.g. email), meeting and case history, project/case and time reporting data
Providers of email services, collaboration tools, and other IT operations	All personal data we process
E-signing service providers	Name, title, employer/client email address, telephone number, personal identity number, technical metadata
Financial, accounting and payment services	Name, title, employer/client, email address, telephone number, invoice/payment details, references on verifications
Survey and customer satisfaction tools	Name, email address, responses to surveys
Webinar/event platforms	Name, title, employer/client, email address, telephone number, information in the registration, sound and video at online meetings, picture, allergies
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for group-wide functions such as IT operations, security, finance, and compliance)	Name, title, employer/client, email address, telephone number, information in communication (e.g. email), technical metadata, meeting and case history, project/case and time reporting details, invoice/payment details, references on verifications
Potential acquirer in the event of a business transfer	Relevant information for customary due diligence under confidentiality

Some suppliers may be established outside the EU/EEA or use sub-processors in third countries. Upon transfer, we will when applicable use the European Commission’s Standard Contractual Clauses (SCC, read more here) and/or adequacy decisions (read more here), together with the necessary additional safeguards.

Representatives, employees, and consultants of potential customers (leads)

Purpose	Legal basis	Types of personal data	Storage time
Marketing of our products and services.	Weighing of interests	Name, title, employer/client, email address, telephone number, information in communication (e.g. email)	Up to three months from the receipt or acquisition of the information and during the duration of the communication
Marketing suppression list	Legal obligation	Name, email address, phone number	Without limitation in time
Establishing, exercising, or defending legal claims and demonstrating compliance	Weighing of interests	Name, email address, telephone number, relevant case/contract details	Up to 10 years from the event that can give rise to a claim

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers that provide systems for customer management, case management, and mailing/marketing	Name, title, employer/client, email address, telephone number, information in communication
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case

Job seekers

Purpose	Legal basis	Types of personal data	Storage time
Managing applications, selections, interviews, and reference checking	Weighing of interests	Name, personal identity number, email address, telephone number, CV/application, title, employer/client, education/qualifications, certificates, information in communication, references, and reviews, if necessary background information from public sources/social media	During the recruitment process and normally up to 2 years from the appointment/termination of the procedure
Save data for future recruitments	Consent	Same as above	Until consent is withdrawn (we may ask for renewed consent after 12 months)
Establishing, exercising, or defending legal claims and being able to demonstrate compliance	Weighing of interests	Name, email address, telephone number, relevant case details	Up to 10 years from the relevant event

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers of recruitment platform and support systems	Name, personal identity number, email address, telephone number, CV/application, title, employer/client, education/qualifications, certificates, information in communication, references, and reviews, if necessary background information from public sources/social media
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for Group-wide functions such as IT operations, security, HR, finance, and compliance)	Name, personal identity number, email address, telephone number, CV/application, title, employer/client, education/qualifications, certificates, information in communication, references, and reviews, if necessary background information from public sources/social media

Reference people

Purpose	Legal basis	Types of personal data	Storage time
Obtain and document references in recruitment	Weighing of interests	Name, email address, telephone number, title, employer/client, reviews of applicants, information in communication	Linked to the recruitment case and normally up to 2 years from the appointment/termination of the procedure
Establishing, exercising, or defending legal claims and being able to demonstrate compliance	Weighing of interests	Name, email address, telephone number, relevant case details	Up to 10 years from the relevant event

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers of recruitment platform and support systems	Name, email address, telephone number, title, employer/client, reviews of applicants, information in communication
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for Group-wide functions such as IT operations, security, HR, finance, and compliance)	Name, email address, telephone number, title, employer/client, reviews of applicants, information in communication

Visitors of our website

Purpose	Legal basis	Types of personal data	Storage time
Provide the website, maintain security and necessary features	Weighing of interests	IP address, device and browser data, cookies, interactions, technical metadata	Up to 1 year from the date of visit (see the information on cookies on our website)
Website usage statistics and analysis	Weighing of interests, consent for non-essential cookies	IP address, device and browser data, interactions, cookies, technical metadata	According to valid consent and the storage period of the respective cookie (see the information on cookies on our website)
Marketing via cookies and similar technologies	Consent	IP address, device and browser data, interactions, cookies, technical metadata	According to valid consent and the storage period of the respective cookie

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Providers who provide and administer our website and necessary cookies	IP address, device and browser data, cookies, interactions, technical metadata
Web analytics and lead identification providers (only in accordance with applicable consents)	IP address, device and browser data, interactions, cookies, technical metadata
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for group-wide functions such as IT operations, security, and compliance)	IP address, technical metadata

People who fill out forms on our landing pages, register for, and participate in events/webinars or competitions, or interact via social media

Purpose	Legal basis	Types of personal data	Storage time
Manage forms and expressions of interest on landing pages	Consent	Name, title, employer/client, email address, telephone number, information in forms	Up to 1 year from the last relevant contact, or until consent is withdrawn
Mailing of newsletters	Consent	Name, title, employer/client, email address, preferences, interaction with mailings	Until consent is withdrawn
Conducting in events and webinars	Weighing of interests, consent for specific data (e.g. allergies)	Name, title, employer/client, email address, telephone number, information in the registration, sound and video at online meetings, picture, allergies	Up to 2 years after event/webinar
Conduct contests, lotteries, and campaigns (incl. administration, draw, eventual publication of winners, and follow-up)	Weighing of interests, consent for specific information or publication	Name, email address, telephone number, username/profile (in the case of social media), contributions/submitted material, information in communication, if applicable picture	During the campaign and normally up to 1 year after the end of the campaign for follow-up
Manage social media interactions (messages, comments)	Weighing of interests	Username/profile, content of interaction, other information you provide	During the dialogue and up to 1 year thereafter, posting on social media platforms according to the platform’s terms and conditions

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers that provide systems for notification and mailing	Name, title, employer/client, email address, telephone number, information in forms, interaction with mailings, technical metadata
Webinar/Event Platforms	Name, title, employer/client, email address, telephone number, information in the registration, sound and video at online meetings, picture, allergies
Social media platforms	Username/profile, content of interaction, other information you provide
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for group-wide functions such as IT operations, security, and compliance)	Name, title, employer/client, email address, telephone number, information in forms, interaction with mailings, technical metadata

For our presence on social media (e.g. Facebook and LinkedIn), we are in many cases joint data controllers with the platform provider in accordance with Article 26 GDPR. Please see the section ”Joint Data Controller with Social Media” below for links to Meta’s and LinkedIn’s privacy policies and information on the division of responsibilities.

People contacting IMI

Purpose	Legal basis	Types of personal data	Storage time
Manage requests, support, and general communications	Weighing of interests	Name, contact information, title, employer/client, case history, information in communication, in the case of phone calls also recordings if we have informed about it	During the case and normally up to 1 year thereafter, recordings for quality development up to 3 months
Establishing, exercising, or defending legal claims and demonstrating compliance	Weighing of interests	Name, email address, telephone number, relevant case/contract information	Up to 10 years from the event that can give rise to a claim

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Suppliers that provide customer and case management systems	Name, contact information, title, employer/client, case history, information in communication, in the case of telephone calls also recordings if we have informed about it
Providers of email services, collaboration tools, and other IT operations	All personal data we process
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for group-wide functions such as IT operations, security, and compliance)	Name, contact details, title, employer/client, case history, information in communication, technical metadata

People involved in whistleblower cases

Purpose	Legal basis	Types of personal data	Storage time
Reception, follow-up, communication, investigation, and action of reports in the whistleblower system	Legal obligation, weighing of interests	Information provided in the report (e.g. where applicable, identity and contact details of the complainant and affected persons, description of events), information that emerges from the investigation (e.g. collected documentation, interviews, logs), reports and assessments from internal/external investigators	For as long as is needed for the case. Personal data in follow-up cases is processed for a maximum of up to 2 years after the case has been closed, longer if necessary for legal claims
Establishing, exercising, or defending legal claims and demonstrating compliance	Weighing of interests	Name, email address, telephone number, relevant case/contract details	Up to 10 years from the event that can give rise to a claim

Recipient and disclosure

Category of recipients	Personal data that may be disclosed
Whistleblower system providers	Information provided in the report (e.g. where applicable, identity and contact details of the complainant and affected people, description of events), information that emerges from the investigation (e.g. collected documentation, interviews, logs), reports and assessments from internal/external investigators
Professional advisors (accountants, lawyers)	Relevant case/contract details
Authorities	The information that we are obliged or have a legitimate interest in disclosing in the individual case
IMI Group companies (for group-wide functions such as IT operations, security, and compliance)	Information in the report and relevant parts of the investigation documentation, technical metadata

Joint data controller with social media platforms

When we administer our pages and interactions on social media platforms, we process personal data together with the platform provider as joint data controllers. This applies, among other things, to the statistics and page insights functions as well as the advertising and communication tools provided by the platform.

You can exercise your data protection rights against both IMI and the respective platform. For questions about the platforms’ own processing, we refer to their privacy policies and contact channels. We receive aggregated page insights and statistics from the Platforms but do not have access to your personal user data beyond what you yourself make visible in your interactions with our pages. Below is a link to each platform’s privacy policy and information on how the joint personal data responsibility is distributed.

Meta (Facebook)
Privacy policy and Division of responsibility.
LinkedIn
Privacy policy and Division of responsibility.

Your rights

You have several rights under applicable data protection legislation. Below we briefly describe what they mean. You can read more about your rights on the Swedish Authority for privacy protection’s website.

Right of access

You can request confirmation as to whether we are processing your personal data. If this is the case, you have the right to receive a copy of the data as well as information about, among other things, the purposes of the processing, the categories of data processed, how long they are stored, which recipients have received it and where the data comes from.

Right to rectification

You have the right to have incorrect personal data corrected and to complete incomplete data when relevant to the purposes of the processing.

Right to erasure

You can request that we erase your personal data in certain cases, for example when the data is no longer needed for the purposes for which it was collected, if you object to processing based on legitimate interest and there are no compelling reasons for continued processing, or if the processing has taken place in violation of law.

Right to limitation of processing

You can request that we temporarily restrict the processing of your data in certain situations, for example while we are checking the accuracy of the data, if the processing is unlawful but you oppose erasure, if we no longer need the data but you need it for legal claims, or pending the assessment of an objection.

Right to data portability

When our processing is automated and based on your consent or on an agreement with you, you can request to receive the personal data you have provided us in a structured, commonly used and machine-readable format, and to the extent technically feasible, have it transferred to another data controller.

Right to object

You can object at any time to processing based on our legitimate interest (weighing of interests), including any profiling that takes place based on such legal basis. Following an objection, we may only continue the processing if we can demonstrate legitimate reasons that override your interests, rights and freedoms or if the processing is necessary for legal claims. You always have an absolute right to object to processing for direct marketing purposes.

Right to withdraw consent

If the processing is based on consent, you can withdraw it at any time. The withdrawal does not affect the lawfulness of the processing that took place before the consent was withdrawn.

Complaints to supervisory authorities

If you have any comments on our processing of your personal data, you have the right to submit a complaint with the relevant supervisory authority, which in Sweden is the Swedish Authority for privacy protection (IMY). We would appreciate it if you contacted us first and we will try to address your concerns.

How to exercise your rights

Please contact us at [email protected] or by post at the address above if you wish to exercise any of your rights.

Jurisdiction-specific information

Individuals in the United Kingdom (UK GDPR)

If and to the extent that we offer products/services to or monitor the behavior of individuals in the UK, we process personal data in accordance with the UK GDPR and supplementary UK legislation. Your rights are essentially similar to those described in the ”Your Rights” section above. You can also lodge a complaint with the Information Commissioner’s Office (ICO). For transfers from the UK to countries outside the UK, we use, where required, UK approved transfer mechanisms, such as the European Commission’s Standard Contractual Clauses in combination with the UK Addendum or the UK International Data Transfer Agreement (IDTA), as well as additional safeguards where necessary. We can also rely on UK adequacy rules where they exist.

California residents (CCPA/CPRA)

This supplement applies to consumers residing in California. It describes how we collect, use, and disclose personal data under the California Consumer Privacy Act, as amended (CPRA).

Categories, sources, purposes, and recipients: The categories of personal information, typical sources, business purposes, and recipient categories described in the respective tables above correspond to the information we are required to disclose under the CCPA/CPRA.
Sale/sharing: We do not sell personal information and do not share personal information beyond what is stated above. Any use of non-essential cookies or similar technologies that may constitute sharing under California law is managed through our cookie settings on our website.
Rights of California consumers: the right to access including categories and specific data, rectification, erasure, opt-out of sale/sharing, the right to limit the use of sensitive personal information where applicable, and the right not to be discriminated against for exercising your rights.
How to exercise these rights: contact us at [email protected]. We will verify your identity (and, if applicable, California residency) before processing the request. You can appoint an authorized representative if the representative can demonstrate valid authorization.
Storage time: According to the tables above.

Other similar regulations

To the extent that other local data protection regulations become applicable (e.g. Swiss Data Protection Law or Brazil’s LGPD), we process personal data in accordance with these. The rights are essentially similar to those described above, and complaints can be submitted with the relevant local supervisory authority. For cross-border transfers, we use applicable transfer mechanisms (e.g. standard contractual clauses, adequacy decisions, and supplementary safeguards).