This document summarises Portfoliobox Stockholm AB's processing of personal data.
Portfoliobox protects your personal privacy. We always strive for a high level of data protection and aim to comply with the rules and principles in the General Data Protection Regulation.
In this chapter, we define the roles that are of relevance for the processing of personal data.
Aktiebolaget Portfoliobox Stockholm AB is the controller.
Portfoliobox Stockholm AB
556894-4382
Rånövägen 30
168 39 Bromma, Sweden
Email: info@portfoliobox.net
Telephone: +46 702 57 90 16
Any subcontractors who process personal data on behalf of Portfoliobox are referred to as processors. Portfoliobox monitors the processors with regard to security and confidentiality.
At Portfoliobox, all decisions on the processing of personal data are made in the office in Sweden. Accordingly, the Swedish Authority for Privacy Protection is the competent supervisory authority.
If a data subject is of the view that errors have been made in the processing of his or her personal data, a complaint can be submitted to the Swedish Authority for Privacy Protection.
Before contacting the Swedish Authority for Privacy Protection, please contact Portfoliobox with any complaints.
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten)
www.imy.se
Telephone: +46 8 657 61 00
Email: imy@imy.se
Portfoliobox complies with the following basic principles:
Portfoliobox has procedures for personal data that are consistent with the data subject's rights:
Right to information
Right to rectification
Right to erasure
Right to restriction of processing
Data portability
Right to object
Complaints
The general guidelines and principles form the basis for all processing of personal data. Portfoliobox has implemented the following procedures for the processing of personal data:
Portfoliobox strives to achieve a good level of security for personal data, including the use of the following security measures:
Portfoliobox continuously strives to improve the security of the technical systems, including by using the following measures:
According to the data protection reform, a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss or alteration of the processed personal data.
If a personal data breach is discovered, it is reported to the product owner or to an employee who is considered to have a good overview of the system in question. This person is then responsible for notifying the breach within 72 hours. Thereafter, the incident shall be archived and added to the archive of historic incidents in this document (Appendix 1).
Children under the age of 16 are not allowed to use Portfoliobox and the Data Protection Regulations concerning enhanced protection of children's personal data is therefore not actualized.
If Portfoliobox would let children under the age of 16 create an account, we would also need to obtain consent from a parent or guardian. This is considered risky and complex and would require considerable administrative work to ensure the accuracy of the certificate. For this reason, we are introducing an age limit on all of Portfoliobox's services.
Portfoliobox continuously reviews the risk of storing and processing data. The following risks are considered to be the greatest:
| Risk | Description & Consequences |
|---|---|
| Hacking | All computer systems with internet access are at risk of hacker attacks. Portfoliobox is constantly working on the security of our computer systems, implementing the latest security procedures and updating vulnerable software. Portfoliobox does not store sensitive data or data that might be considered attractive to a hacker — for example, we do not store credit card details, personal identity numbers or decrypted passwords. |
| Passwords | According to research, the most common reason for a data breach is inadequate password management. Accordingly, proper password management is the single most important factor to prevent data theft. Portfoliobox uses secure procedures for passwords. |
| External software | External plug-ins and services used by the company are reviewed to ensure that they do not entail security risks or place the processing of personal data at risk. |
| Computer breaches | Employee computers are equipped with antivirus software. |
| Lack of knowledge and carelessness | Training on GDPR is provided to our employees. |
This chapter contains a list of all personal data held by Portfoliobox and the processing of such personal data.
Portfoliobox is an online service that can be used by people to create their own websites. The user registers at https://www.portfoliobox.com and creates the website directly in the web browser.
Location for storage
All text-based data added by the user is stored in Portfoliobox's database, which is located in Ireland. Images and files that are uploaded are stored on the file server that is closest to the customer. If the customer is located in the EU, the files are stored in Ireland. If the customer is located in the US, the files are uploaded there. Possible locations for file storage include the west coast of the US, the east coast of the US, Sao Paolo, Ireland, Singapore, Tokyo and Sidney. Portfoliobox also uses a CDN network, which means that data is cached (stored temporarily) for 30 days in Amazon's cloud. The location of this temporary file cannot be specified.
Time limit
As data is used continuously for the customer's website, it will not be removed unless erased by the customer. Customers are in control of their own data and can edit most of their data in the administration interface. If a customer erases his or her entire account, all information is erased (except receipts). Portfoliobox caches the data in a CDN network, which means that a temporary file is stored in Amazon's cloud. This file is always erased automatically after 30 days. This means that if a customer erases a file, it takes 30 days before it is completely erased from the CDN network.
Legal basis
When the user creates an account, the person accepts that Portfoliobox stores and processes personal data according to the information stated below.
| Activity | Details |
|---|---|
| The user creates an account using his or her email address | Purpose: The user wants to create a website Data: Customer ID, reference URL, reference partner, first name, last name, country, email address, password (encrypted), user name, IP (Facebook-ID, Facebook-AccessToken), (Flickr-ID, Flickr-oauth-token, Flickr-user-name) Legal basis: Agreement (Legitimate interest in case the user is a legal entity) |
| The user creates a student account — Portfoliobox offers a special student account, which can be opened by students from our partner schools. | Purpose: The user wants to create a website and use the student discount Data: The name of the school, the end date of the education, and other data according to the above Legal basis: Agreement |
| A person registers a partner school — Students can only create student accounts with Portfoliobox if their school is registered as a partner school. Students and teachers may notify their interest in registering their school. Portfoliobox will then contact the teacher in charge for further processing. | Purpose: Register a new partner school Data: The name of the school, the teacher's name, the teacher's email address, the teacher's telephone number (optional) Legal basis: Agreement with a school (a legitimate interest in processing contact information) |
| Activity | Details |
|---|---|
| The user creates a website — Portfoliobox is like an empty box that can be filled with content by the user. The user may add text, images, links, PDF files and other files. Portfoliobox has no control over the stored data. The user is responsible for the contents on his or her website. | Purpose: The user creates a website Data: Text, images, files, films with or without personal data Legal basis: The user is personally responsible for the content of his/her website. (In case Portfoliobox is processing data, the legal basis is the agreement with the user.) |
| Changes and regular erasure — The user can change and remove content. Removed data is deleted from the database and any files are removed from the server. | Purpose: The user wants to make changes to the website Data: — Legal basis: Agreement |
| The account is erased — The customer can erase the account from the administration interface. The account will then be marked for erasure and all data will be erased after a number of days. | Purpose: The user wants to remove the website Data: — Legal basis: Agreement |
| Logs — Portfoliobox logs technical errors and all requests that are sent to our servers. This is important for the discovery of technical errors and security threats, such as DDoS attacks. The logs are erased after a short time. | Purpose: Security and product improvement Data: IP address, user-agent, request-type, request URL, all incoming http-headers, request payload, timestamp Legal basis: Agreement |
| Activity | Details |
|---|---|
| Generation of receipts — For every payment received, a receipt is generated. The receipt is saved as a PDF file on Portfoliobox's server. The information on the receipt will also be saved in Portfoliobox's database. | Purpose: Used as supporting documentation for the accounting Data: Customer ID, Order ID, link to the PDF file, price, customer country, customer IP, ePay ID, the customer's incomplete credit card number. If the customer is a company, the following data is also saved: Company name, address, VAT number. Time limit: The receipt is saved in accordance with the prevailing regulations and laws governing accounting. |
| The user purchases a PRO subscription — The user upgrades his or her account and registers a payment card for future payments. The user makes a credit card payment via ePay. Portfoliobox does not administer, and has no ability to receive, information on the credit card data. If the payment succeeds, a unique subscription number is sent to Portfoliobox. This unique subscription number will be used when Portfoliobox charges the customer for the next subscription period. | Purpose: To receive the benefits of Portfoliobox PRO Data stored in Portfoliobox's database: A receipt is generated (see above), ePay subscription ID, incomplete credit card number, credit card expiry date, date of payment Data saved by ePay: Order ID, card type (e.g. Mastercard), amount, transaction ID, date Legal basis: Agreement |
| Payment of subscription — When the subscription period is to be renewed, the user's subscription ID is used to process a payment via ePay. | Purpose: The customer wants to keep his or her PRO account for another subscription period Data: A receipt is generated (see above) Legal basis: Agreement |
| The user downgrades to the free version — All information about the customer's credit card is removed and the subscription is erased from ePay. | Purpose: The user no longer needs an upgraded account Data: — Legal basis: Agreement |
| Alternative payment via PayPal — The customer wants to pay via its PayPal account. | Purpose: The customer wants to buy a Portfoliobox service but prefers paying by PayPal Data: A receipt is generated (see above) Data saved by PayPal: Name, address, country, telephone number, amount, date, email address Legal basis: Agreement and balancing legitimate interests |
| Alternative payment by bank transfer — The customer wants to pay by bank transfer. | Purpose: The customer wants to buy a Portfoliobox service but prefers paying by bank transfer Data: A receipt is generated (see above) Data saved by SEB: Name, address, amount, date Legal basis: Agreement |
| Service | Details |
|---|---|
| Amazon AWS — Portfoliobox uses Amazon's cloud services for its infrastructure. Amazon provides servers, file servers, databases and other server services. | Purpose: Running Portfoliobox Data: All programmes, files and data Legal basis: Agreement Physical location: Cloud service |
| Namecheap — Portfoliobox purchases domain names for our customers via the Namecheap service. | Purpose: Purchasing and managing customer domain names Data: Domain name only Legal basis: Agreement Physical location: Cloud service |
| Loopia — Portfoliobox previously purchased domain names for our customers via the Loopia service. This service has now been replaced by Namecheap, but old domain names are still stored by Loopia. | Purpose: Domain name management Data: Domain name only Legal basis: Agreement Physical location: Cloud service |
| ePay — Portfoliobox uses ePay's payment solution to accept payments. | Purpose: Accepting payments Data: Order ID, card type (e.g. Mastercard), amount, transaction ID, date, Customer ID Legal basis: Agreement Physical location: Cloud service |
| PayPal — Portfoliobox uses PayPal's payment solution to accept payments from customers who do not want to pay by credit card. | Purpose: Accepting payments Data: Name, address, telephone number, amount, date, email address Legal basis: Agreement/balancing legitimate interests Physical location: Cloud service |
| Stripe — Portfoliobox uses Stripe's payment solution to accept payments from customers who do not want to pay by credit card. | Purpose: Accepting payments Data: Name, address, telephone number, amount, date, email address Legal basis: Agreement/balancing legitimate interests Physical location: Cloud service |
| OpenSRS — Portfoliobox utilizes OpenSRS (legal name Tucows.com Co.) for managing user email accounts. | Purpose: Providing email services to Portfoliobox users Data: OpenSRS processes personal data related to email accounts, including email addresses and related information. See the OpenSRS Data Processing Addendum for details. Legal basis: Agreement Physical location: Cloud service |
Portfoliobox sends email messages to customers for the various reasons described below.
| Email type | Details |
|---|---|
| Automatically processed customer emails — These emails alternate depending on the status of the website. For example, a specific message may be sent to people who have uploaded over 30 images, and a different message may be sent to people who have not yet created any content. | Purpose: Portfoliobox offers customers assistance to get started with their websites Data: — Legal basis: Agreement; the customer may opt out from the emails |
| Manually processed customer emails — Portfoliobox regularly reviews its customers' websites and sends emails depending on the subjective status of the website. For example, an offer of assistance is sent to paying customers who have not yet managed to complete their websites. | Purpose: Portfoliobox offers customers assistance to get started with their websites Data: — Legal basis: Agreement; the customer may opt out from the emails |
| Automatic campaign emails — Various campaign messages are sent by the system. These emails alternate depending on the status of the website. For example, an offer may be sent to customers who have uploaded more than 30 images. | Purpose: Encouraging the customer to upgrade Data: — Legal basis: Agreement; the customer may opt out from the emails |
| Manual campaign emails — Portfoliobox regularly reviews its customers' websites and sends them offers and discounts based on subjective assessments. For example, customers who created particularly interesting websites may be offered a discount on an upgrade. | Purpose: Offer the customer discounts and other deals Data: — Legal basis: Agreement; the customer can opt out from the emails |
| Newsletters with or without campaigns — Roughly once a month, a newsletter is sent to all customers, with information on changes to Portfoliobox. The newsletter may also include campaigns, advice and other information. | Purpose: Informing our customers of changes and special campaigns Data: — Legal basis: Agreement; the customer can opt out from the emails |
| Automatic email notices — Portfoliobox may also send automatic emails to notify members of various events and warnings. For example, a notice may be sent about how many visitors the user's profile has had. | — |
Portfoliobox offers support, customer care and debugging. This work is processed in several different systems. Stored data and the processing of data varies between systems, see the table below. All systems are online-based cloud services.
| System | Details |
|---|---|
| Gmail — The customer contacts us with a request. | Purpose: Support and customer communication Data: Email, name and content, depending on the issue Legal basis: Balancing legitimate interests / information in the email footer |
| Freshworks — A ticketing system used for customer support. | Purpose: Support and customer communication Data: Email, name, Customer ID and content, depending on the issue Legal basis: Balancing legitimate interests / information in the email footer |
| Facebook — The customer contacts us on Facebook with a request. | Purpose: Support and customer communication Data: Name, Facebook account and content, depending on the issue Legal basis: Balancing legitimate interests |
| Sprout Social and other social media — The customer contacts us with queries from various social media sites (such as Twitter, Facebook, Instagram). | Purpose: Support and customer communication Data: The customer's social media account and content, depending on the issue Legal basis: Balancing legitimate interests |
| Skype — The customer contacts us with a request. | Purpose: Support and customer communication Data: Name, Skype account and content, depending on the issue Legal basis: Balancing legitimate interests / information in the email footer |
| Google Calendar — To book meetings with customers. | Purpose: The customer wants to book a meeting with our support team Data: Name, date, contact details depending on how the person wants to be contacted Legal basis: Balancing legitimate interests / information in the email footer |
| Mindomo — The customer reports a bug. Portfoliobox stores information about the bug in Mindomo. | Purpose: Debugging Data: Customer ID, email address, URL and content, depending on the report Legal basis: Balancing legitimate interests / information in the email footer |
| Linear — The customer reports a bug. Portfoliobox stores information about the bug in Linear. | Purpose: Debugging Data: Customer ID, email address, URL and content, depending on the report Legal basis: Balancing legitimate interests / information in the email footer |
| Google Form — The customer responds to a feedback form. | Purpose: Collection of feedback Data: IP, responses to queries Legal basis: Balancing legitimate interests / information in the email footer |
| Mailblast — Used to distribute newsletters and mass emails to many users at the same time. | Purpose: Newsletter Data: First name, last name, email address, user name Legal basis: Agreement |
| HotJar — A programme activated in the customer's admin panel that records how the customer uses the product. | Purpose: Improving the product's usability Data: The finalised video clip can be likened to a "screen recording", but only depicts the admin panel. Passwords and sensitive input fields are anonymised. Legal basis: This programme is generally not activated in Portfoliobox. If there is a reason to activate it, the customer is informed before the recording begins and approves after clear information. The legal basis is therefore agreement. |
| Portfoliobox Chatbot — The customer contacts us with a request. When the customer interacts with our chatbot, their queries are sent to the OpenAI API for processing and generating responses. We do not store the queries or responses from the API, but it's important to note that the content of the queries may be shared with the API. | Purpose: Support and customer communication Data: Name, email, site URL, questions and inquiries Legal basis: Agreement |
A cookie is a text file that is stored in the web browser. Portfoliobox uses several different types of cookies:
| Cookie type | Details |
|---|---|
| Session cookies are temporary cookies that cease to exist when the web browser is closed. Persistent cookies are stored in the web browser for a specific number of days. Third party cookies are added by third party websites (such as Google Analytics). The cookies stored by Portfoliobox in the web browser are fundamental for the functionality of the service. For example, there are no "save buttons" in Portfoliobox — instead, the content is saved in a cookie until it is sent to the database for permanent storage. The third party cookies used by Portfoliobox are from well-established services, such as Google Analytics. These cookies save comprehensive information on how the website is used. |
Purpose: Technology that is required for the functioning of the programme and for general analyses Legal basis: Agreement |
Portfoliobox is a service that can be used by private individuals and companies to create their own websites. The service can be compared to a "regular web hotel", but with more advanced interfaces.
Just like with a regular web hotel, customers are responsible for the content on their own websites. Accordingly, it is up to the users to ensure that they comply with the data protection reform and do not store or process personal data in a manner that is inconsistent with the Regulation.
Portfoliobox cannot be held liable for any incorrect processing of personal data on the customers' websites.
No incidents have occurred.