Privacy Policy (GDPR)
Last updated: 2026-02-10
1. Data Controller
The data controller for the processing of personal data under this Privacy Policy is:
BareCRM (Martin Kylberg AB)
Company reg. no: 559487-9453
Address: Vävnadsvägen 13, 178 37 Ekerö, Sweden
Email: martin@barecrm.se
BareCRM is responsible for ensuring that personal data is processed in accordance with the EU General Data Protection Regulation (GDPR).
2. Scope of this Policy
This Privacy Policy applies to the processing of personal data related to:
- • users of the BareCRM service
- • customer representatives whose data is entered into the system
- • visitors to BareCRM websites and services
BareCRM processes personal data only to the extent necessary to provide and operate the service.
3. Categories of Personal Data
BareCRM may process the following categories of personal data:
3.1 Account and Identity Data
- • Name
- • Email address
- • User ID
- • Role and access level
- • Organization affiliation
3.2 Customer Data (entered by users)
- • Contact names
- • Email addresses
- • Phone numbers
- • Job titles
- • Notes, activities, meeting records and sales-related information
BareCRM processes such data solely on behalf of the customer.
3.3 Technical and Usage Data
- • Login events
- • Timestamps
- • Audit logs
- • Security-related metadata
- • IP address (to the extent required for security and fraud prevention)
4. Purposes and Legal Basis for Processing
Personal data is processed for the following purposes:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provision and operation of the service | Performance of contract |
| User authentication and access control | Performance of contract |
| Security, logging and audit trails | Legitimate interest |
| Compliance with legal obligations | Legal obligation |
| Service improvement and stability | Legitimate interest |
BareCRM does not use personal data for profiling or automated decision-making.
5. Customer Data & Processor Role
For customer data entered into the system (e.g. CRM contacts and notes):
- • The customer is the Data Controller
- • BareCRM acts as Data Processor under Article 28 GDPR
- • Processing is governed by a Data Processing Agreement (DPA)
- • BareCRM processes customer data only according to documented instructions from the customer
6. Data Retention
Personal data is retained only for as long as necessary to fulfill its purpose.
- • Account data is retained for the duration of the customer relationship
- • Customer data is deleted or returned upon termination, in accordance with the DPA
- • Legal retention requirements override deletion where applicable
7. Data Security
BareCRM implements appropriate technical and organizational measures to protect personal data, including:
- • Role-based access control
- • Tenant isolation
- • Encryption in transit
- • Audit logging
- • Principle of least privilege
Security measures are reviewed continuously.
8. Data Sharing and Subprocessors
BareCRM does not sell personal data.
Personal data may be shared with approved subprocessors strictly necessary to deliver the service (e.g. infrastructure and hosting providers).
All subprocessors are subject to:
- • GDPR-compliant data processing agreements
- • Appropriate safeguards under Chapter V GDPR where applicable
A current list of subprocessors is available upon request.
9. International Data Transfers
Personal data is processed within the EU/EEA or transferred under appropriate safeguards such as:
- • Standard Contractual Clauses (SCCs)
- • Adequacy decisions by the European Commission
10. Data Subject Rights
Data subjects have the following rights under GDPR:
- • Right of access (Art. 15)
- • Right to rectification (Art. 16)
- • Right to erasure (Art. 17)
- • Right to restriction of processing (Art. 18)
- • Right to data portability (Art. 20)
- • Right to object (Art. 21)
Requests can be submitted to: privacy@barecrm.com
11. Complaints
Data subjects have the right to lodge a complaint with a supervisory authority, including:
IMY (Integritetsskyddsmyndigheten) in Sweden https://www.imy.se
12. Changes to this Policy
This Privacy Policy may be updated to reflect changes in legal requirements or service functionality. The latest version is always available on this page.