Privacy notice

1. INTRODUCTION

This privacy notice applies to the processing of your personal data by DigitalRoute in connection with your use of DigitalRoutes websites (“Site”), and its products or services collectively ”DigitalRoute Services”. For the purpose of this privacy notice, “DigitalRoute”, “we”, “our”, “us” means Digital Route AB or any of its affiliates or subsidiaries, including the DigitalRoute entity with wihou you or your employer have ocontracted if you are a DigitalRoute customer or the employee of such a customer.

This Privacy Notice explains how we collect, use, and protect personal data from users of our Website and in connection with the DigitalRoute Services. It also outlines your rights under applicable data protection laws, including Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”). Unless otherwise defined in this Privacy Notice, the terms used shall have the meanings given in the GDPR.

We encourage you to read this privacy notice together with any other privacy or fair processing notices we may provide on specific occasions when we collect or process personal data about you. These notices are designed to ensure you are fully informed about how and why your data is being used. This privacy notice supplements those notices and does not override them.

By using our Site, you acknowledge that you have read and understood this Privacy Notice and agree to its terms. If you do not agree with the terms, please do not use our Site.

2. WHEN WE COLLECT YOUR PERSONAL DATA

2.1 Website Visitors
When you visit our Site and consent to the use of cookies, we collect information related to your use of the Site. For example, we use cookies or other online tracking technologies to collect information automatically about your use of the Site, please refer to our “Cookie Notice” for more information.

2.2 Communication and Prospects
When you contact us (including via demo requests or event registrations), we may collect contact information such as your name, email address, phone number, company, and title. Your conversations with our employees may be recorded and transcribed for us to document agreements, review your feedback on our offer/services, improve our delivery and support, quality assurance and training, with your option to opt out.

2.3 Marketing Communications
If you sign up for marketing communications such as newsletters, events, or webinars, we use the personal data you provide to send you tailored offers, product updates, and relevant news. To enhance and personalize these communications, we may analyze your engagement using tracking technologies such as pixels or web beacons. These marketing activities are based on your consent, which you can withdraw at any time by clicking the unsubscribe link in our messages or by contacting us directly. In addition, we process personal data for targeted email marketing directed at our existing customers. This may include your email address, details about your visits to our website (such as visited URLs, search terms, and content viewed), and user activity patterns, all used to provide more relevant and personalized marketing content.

Where we send marketing communications to existing customers, we do so on the basis of our legitimate interest in informing you about relevant DigitalRoute products and services. You have the right to object at any time to receiving such communications by using the unsubscribe link in our messages or by contacting us at marketing@digitalroute.com.

2.4 Third Parties
DigitalRoute may also receive personal data about you from third-party sources, even if those parties do not have a direct relationship with you. These sources may include data aggregators or third parties that collect information on DigitalRoute’s behalf—for example, when you download content from our websites or interact with marketing materials delivered through third-party platforms. In addition, we may receive personal data from companies that distribute DigitalRoute products, as well as from our marketing, resale, or distribution partners who provide us with information necessary to fulfil orders and deliver our services.

2.5 Website Analytics and Targeted Advertising
We use analytics and advertising services (e.g., Google Analytics, Hotjar, Microsoft Clarity, HubSpot, Google Ads, LinkedIn Ads, Meta Ads, X Ads and Reddit Ads) to understand and reach our audience, subject to your cookie preferences. These platforms may process pseudonymized identifiers for targeted advertising, and you may update your cookie settings at any time through our cookie management tool.

2.6 Marketing funnel
We use the services HubSpot, LinkedIn Sales Navigator and ZoomInfo to import data from our marketing and sales tools, including Salesforce, to analyze customer journeys. In this context, we process information such as your email address, job title, your on-site activity (if you have consented to cookies), interactions with advertisements (such as ad clicks), email engagement (including opens and responses), participation in events and webinars, marketing offers we’ve contacted you about, emails we’ve sent, and records of phone calls we’ve made to you. This information allows us to better understand which features or services might be of interest to you, so we can provide you with relevant and personalized information.

2.7 Meetings
DigitalRoute may collect your personal data to facilitate your registration for, and participation in, webinars, events, programs, as well as for marketing and promotional activities.

3. WHAT PERSONAL DATA WE COLLECT AND WE USE IT

3.1 Categories of Personal Data
DigitalRoute may collect and process the following categories of personal data:

• Customer Data: This refers to personal data you or your organization upload to DigitalRoute Services. It may include company-related information such as industry, job title, role, department, and the nature of your organization’s relationship with DigitalRoute. It may also include support interactions, administrative communications (e.g., confirmations, invoices, technical updates, and security notifications), as well as photographs or video recordings from events or meetings.
• Contact and Business Address Details: Including personal and professional contact information such as postal addresses, email addresses, phone numbers, and details relating to your employer, such as company name, department, and function.
• Registration and Site Usage Data: This includes usernames, passwords, IP addresses, Wi-Fi (guest network) credentials, access logs, pages visited, documents viewed, browser type, device or application data, cookies and similar technologies, and general website or application usage behaviour.

3.2 Purposes and Legal Basis
DigitalRoute processes your personal data to operate and manage its business effectively. The purposes for which personal data may be used include:

• Responding to inquiries and communication requests
• Delivering products and services, and managing relationships with customers, suppliers, partners, and prospects
• Delivering website or application functionality
• Ensuring the security and proper functioning of our websites, facilities, networks, and systems
• Managing workplace hygiene, safety procedures, and access controls at physical locations
• Complying with legal and contractual obligation
• Handling insurance and indemnity claims
• Managing bookkeeping and related regulatory requirements
• Exercising legal rights, including litigation and legal defence.

DigitalRoute processes personal data strictly for the purposes outlined in this privacy notice or those explicitly disclosed to you in relation to the use of DigitalRoute Services and in accordance with specific contractual agreements. We are committed to collecting and processing only the minimum amount of personal data necessary for the intended purposes.

The table below outlines the specific purposes of data processing, and the corresponding legal bases relied upon:

4. FOR HOW LONG WE RETAIN DATA

DigitalRoute retains personal data only for as long as necessary to fulfil the purpose for which it was collected, unless a longer retention period is required or permitted by law. The specific retention period may vary depending on the nature of your interactions with us. When we no longer need your personal data, we will delete it or anonymize it.

Generally, personal data is kept for the duration of the respective contractual relationship, including a possible statutory retention period. Personal Data that is no longer necessary is deleted securely in line with DigitalRoute’s storage and deletion processes and policies. Notably, recordings from meetings are deleted after a maximum of one (1) year.

The information collected by cookies will be stored during the retention period stated for each cookie in our Cookie Notice. You can also clear your browser from cookies and the information will be deleted.

Please note that the storage periods may not apply if DigitalRoute is required to retain your personal data (partly or in full) under applicable mandatory law (e.g., accounting laws).

5. HOW WE SHARE YOUR DATA

5.1 General
Access to your personal data within DigitalRoute is strictly limited to employees and departments who need it to perform their duties and only for legitimate business purposes.

We may share your personal data with carefully selected third parties solely for the purposes outlined in this privacy notice. These third parties may include cloud service providers for hosting and storage, customer relationship management (CRM) platforms, marketing and email service providers, analytics and business intelligence partners, event and webinar platforms, professional advisors such as auditors or legal counsel, and subcontractors or integration partners involved in delivering DigitalRoute services.

All such third parties act under our instructions, are bound by strict confidentiality and security obligations, and are governed by data processing agreements where applicable.

We do not sell or rent your personal data. However, we may disclose your data to authorities if legally required.

5.2 Third Party Websites
Our Sites may contain links to third-party sites or services not operated by DigitalRoute. We are not responsible for the content, data practices, or privacy policies of these external sites. We encourage you to review their privacy notices before providing any personal data.

Where third-party content (e.g. videos, forms, or social plugins) is embedded on our site, those providers may collect data directly from you or via cookies. Such processing is governed solely by the third party’s terms and policies.

5.3 International Data Transfers
DigitalRoute operates globally, and as such, your personal data may be transferred to, and processed in, countries outside the European Union (EU) and European Economic Area (EEA), including jurisdictions that may not provide the same level of data protection as within the EU/EEA.

Where we transfer personal data to countries that have not been recognized by the European Commission as providing an adequate level of data protection, such transfers are safeguarded by appropriate legal mechanisms in accordance with Chapter V of the GDPR. These mechanisms include:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, which contractually oblige the recipient to protect personal data to EU standards;
• Supplementary technical and organizational measures, where required, based on a risk assessment in line with the recommendations of the European Data Protection Board (EDPB).

In limited cases, we may rely on specific derogations under Article 49 GDPR, such as where the transfer is necessary for the performance of a contract or where you have explicitly consented to the transfer.

We continually assess the legal framework of destination countries and monitor updates in international data transfer regulations to ensure your personal data remains protected, regardless of where it is processed.

6. PROTECTION OF YOUR DATA

DigitalRoute has implemented and taken appropriate technical, organisational and administrative security measures to protect your personal data from loss, abuse, deletion, unauthorized access, alteration and destruction. Should a security breach occur that is likely to result in a high risk to your rights and freedoms, e.g. risk of fraud or identity theft, we will contact you without undue delay to explain what action you can take to mitigate potential adverse effects of the breach.

We regularly audit our systems, conduct staff training, and ensure incident response plans are in place. Data is encrypted at rest and in transit where appropriate.

7. CHILDREN’S PRIVACY

DigitalRoute Services and the Sites are not intended for or directed at children under the age of 16. We do not knowingly collect or process personal data relating to children. If we become aware that personal data of a child under 16 has been collected without appropriate consent, we will take steps to delete such data without undue delay.

8. AI

DigitalRoute integrates Artificial Intelligence (AI) technologies into our product development and internal business operations, always in alignment with applicable data protection laws, including the GDPR. The use of AI may support a range of purposes such as enhancing software capabilities, optimizing internal workflows, enabling data-driven insights for service improvement, and personalizing marketing efforts.

The lawful basis for processing personal data in connection with AI varies depending on the context. In many cases, we rely on our legitimate interest—for example, to improve our services or streamline internal processes—provided that such interests are not overridden by your fundamental rights and freedoms. In other cases, particularly where AI is used for personalized marketing or user analytics, we may process personal data based on your explicit consent. If AI functionality forms part of the services we deliver to you under a contractual agreement, processing may also be based on the performance of that contract.

To ensure AI-related processing is secure and compliant with data protection principles, DigitalRoute applies several safeguards. Personal data is anonymized or pseudonymized where appropriate, and processing is subject to purpose limitation and data minimization. Data used to train or test AI systems is retained only as long as necessary and in accordance with defined retention schedules. Where required, Data Protection Impact Assessments (DPIAs) are conducted, and all AI systems are protected by strict access controls and logging mechanisms. Furthermore, AI model outputs are reviewed to mitigate the risk of bias and ensure fairness.

Importantly, AI tools used at DigitalRoute do not result in fully automated decision-making that produces legal or similarly significant effects on individuals, within the meaning of Article 22 of the GDPR. All AI-based decisions are subject to meaningful human oversight, and any outcome that could materially affect individuals is reviewed or made by a qualified person. Employees involved in the use or development of AI technologies receive appropriate training and follow internal governance policies designed to ensure responsible, ethical, and transparent use of AI.

9. YOUR RIGHTS

As a data subject, you have certain rights under applicable data protection laws, including the GDPR. Depending on the circumstances, you may exercise the following rights in relation to the personal data processed by DigitalRoute:

• The right to be informed – You have the right to be informed about how your personal data is collected, used, and processed;
• The right to rectification – If any personal data we hold is inaccurate or misleading, you have the right to request that it be corrected.
• The right to erasure – Also known as the “right to be forgotten,” this allows you to request the deletion of your personal data under certain conditions.
• The right to restrict processing – You may request the restriction of further processing of your personal data in specific situations.
• The right to data portability – Where technically feasible, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to have it transferred to another controller.
• The right to object – You can object to the processing of your personal data, including certain types of processing such as direct marketing.
• Rights related to automated decision-making and profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, unless certain conditions are met.

If you believe that any personal data we hold is inaccurate or outdated, or if you wish to exercise any of your data protection rights, please contact us using the contact details set out in Section 12 below.

If you believe that your personal data has been processed unlawfully or that your rights under applicable data protection laws have been violated, you have the right to lodge a complaint with the relevant supervisory authority, which in Sweden (the seat of Digital Route AB) is the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten): https://www.imy.se/kontakta-oss/.

In addition to contacting the Swedish Authority for Privacy Protection, you can also submit a complaint to your local supervisory authority. A full list of EU data protection authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

10. CHANGES TO THIS PRIVACY NOTICE

We may update this privacy notice from time to time to reflect changes in our processing activities or legal obligations. We encourage you to review this notice periodically.

This privacy notice may be amended by us at any time. It was last amended on 2 july 2025.

11. IDENTITY OF THE DATA CONTROLLER

Unless otherwise expressly stated in a contract or specific notice, Digital Route AB, with its registered address at Fleminggatan 18, 112 26 Stockholm, Sweden, is the data controller for the processing of your personal data as described in this privacy notice.

For matters relating to contract management—such as invoicing, execution, or administration of a contractual relationship—the data controller is the DigitalRoute group entity that has entered into the contract with the relevant counterparty. Additionally, for purposes related to compliance with local legal or regulatory obligations, where such obligations require independent processing of personal data, the DigitalRoute group entity subject to those obligations shall act as the data controller.

If you are unsure which DigitalRoute entity is your contracting party or the applicable data controller, you may contact us using the contact details provided in Section 12.

12. CONTACT DETAILS TO THE DATA CONTROLLER

If you have any questions or complaints regarding this DigitalRoute’s privacy practices and/or this privacy notice or want to communicate an opt-out request to DigitalRoute, please contact us by:

• Sending an email request to: dpo@digitalroute.com
• Regular mail to:
  DigitalRoute AB
  Fleminggatan 18
  112 26 Stockholm
  Sweden
  Attn: Legal and Compliance Department