Privacy Policy
This Privacy Policy describes how Aimm Sweden AB ("Aimm", "we", "us", "our") collects, uses, and protects personal data when you use the Skrajb® service at skrajb.com (the "Service"). Aimm Sweden AB is a Swedish limited company. For company details and contact information, see aimm.se.
This policy applies to all users of the Service, including authorized users of our business customers.
1. Data Controller
For personal data we collect about you as a user of the Service (such as your account data and usage data), Aimm Sweden AB is the data controller.
For personal data contained in meeting recordings, transcriptions, and summaries uploaded or generated through the Service, your organization (our business customer) is the data controller, and Aimm Sweden AB acts as the data processor. The processing of such data is governed by our Data Processing Agreement with the customer.
Contact for data protection inquiries:
Aimm Sweden AB
See aimm.se for postal address and contact details.
Email: info@aimm.se
2. Personal Data We Collect
2.1 Account Data
When you create an account or are invited by your organization, we collect:
- Name
- Email address
- Organizational affiliation
- Authentication credentials (stored securely in hashed form)
2.2 Meeting Data
When meetings are uploaded or recorded through the Service, the following data may be processed:
- Audio recordings — containing voices, names, and spoken content of meeting participants.
- Transcriptions — text generated from audio recordings via automated speech-to-text.
- AI-generated summaries — summaries created from transcriptions using AI models.
This data is processed on behalf of and under the instructions of your organization (the data controller).
2.3 Usage Data
We automatically collect certain data when you use the Service:
- IP address
- Browser type and version
- Pages visited and features used
- Timestamps of interactions
- Device information
- Session identifiers
2.4 Communication Data
If you contact us for support or other inquiries, we collect the content of your communications and associated metadata.
3. Legal Basis for Processing
We process personal data on the following legal bases under the GDPR:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Providing the Service (account management, transcription, summarization) | Performance of a contract | Art. 6(1)(b) |
| Processing meeting data on behalf of your organization | Performance of a contract (DPA with controller) | Art. 6(1)(b), Art. 28 |
| Sending service-related notifications | Performance of a contract | Art. 6(1)(b) |
| Maintaining security and preventing abuse | Legitimate interest | Art. 6(1)(f) |
| Improving the Service (aggregated, anonymized analytics) | Legitimate interest | Art. 6(1)(f) |
| Complying with legal obligations | Legal obligation | Art. 6(1)(c) |
| Marketing communications (if applicable) | Consent | Art. 6(1)(a) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
4. How We Use Your Data
We use the personal data we collect to:
- Provide, operate, and maintain the Service.
- Process meeting audio into transcriptions and AI summaries.
- Authenticate users and manage accounts.
- Send transactional emails (processing status, account notifications).
- Monitor and improve the security and reliability of the Service.
- Respond to support requests and inquiries.
- Comply with legal obligations.
We do not use meeting content (audio, transcriptions, or summaries) to train AI models. Meeting data is processed solely for the purpose of providing the Service to the customer.
5. Data Sharing
5.1 Sub-processors
We use third-party service providers (sub-processors) to operate the Service. These providers process personal data on our behalf under contractual obligations consistent with the GDPR. A complete list of our sub-processors is available at skrajb.com/legal/subprocessors.
5.2 Enterprise API Keys
Enterprise customers may configure their own API keys or accounts for any sub-processor except Railway. When customer-provided keys are used, the data is sent to the provider under the customer's own agreement, though it passes through our infrastructure. See our Sub-processor page for details.
5.3 Legal Requirements
We may disclose personal data if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected customers before any such transfer.
We do not sell personal data to third parties.
6. International Data Transfers
We configure our sub-processors to process data within the EU/EEA where available. The current data residency for each sub-processor is listed on our Sub-processor page.
Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- European Commission adequacy decisions.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU-U.S. Data Privacy Framework, where applicable.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of the account, plus 30 days after deletion |
| Audio recordings | Configurable by customer; deleted from processing pipeline after transcription unless retention is configured |
| Transcriptions and summaries | Duration of the customer's subscription, unless earlier deletion is requested |
| Usage data | Up to 12 months |
| Communication data (support) | Up to 24 months |
Upon termination of a customer's subscription, we delete or return all customer data within 30 days, in accordance with our Data Processing Agreement.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-Level Security (RLS) for multi-tenant data isolation.
- Role-based access control and the principle of least privilege.
- Regular security reviews and dependency updates.
For full details, see Annex 2 of our Data Processing Agreement.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of your personal data.
- Right to rectification (Art. 16) — Request correction of inaccurate data.
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18) — Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
For meeting data: If you are a meeting participant and wish to exercise your rights regarding data in recordings, transcriptions, or summaries, please contact the organization that uploaded the recording. They are the data controller for that data.
For account and usage data: Contact us directly at info@aimm.se.
We will respond to your request within 30 days. In complex cases, this may be extended by an additional 60 days, in which case we will inform you of the extension.
Complaint to the Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):
IMY — Integritetsskyddsmyndigheten
Box 8114, 104 20 Stockholm, Sweden
Website: imy.se
Email: imy@imy.se
10. Cookies and Analytics
The Service uses strictly necessary cookies for authentication and session management. These cookies are essential for the Service to function and do not require consent.
We may use analytics to understand how the Service is used. Where analytics involves personal data, we rely on legitimate interest and use privacy-friendly solutions that minimize data collection. We do not use third-party advertising cookies or tracking.
If we introduce additional cookies or tracking technologies that require consent, we will update this policy and implement a consent mechanism.
11. Children's Data
The Service is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. For significant changes, we may also notify customers by email.
We encourage you to review this page periodically for the latest information on our privacy practices.