Privacy policy

Last updated: 2025‑12‑10

 

1. Introduction and scope

This Privacy Policy explains how Mitigram AB (“Mitigram”, “we”, “us”, “our”) collects, uses, shares and protects personal data in connection with our websites, platforms and services, including MitiManager, MitiSquare, the Mitigram platform and any related portals or applications (together the “Services”).

This Policy applies where we act as a data controller, for example in relation to:

  • users who create accounts in our Services
  • contacts at our customers and prospective customers
  • visitors to our websites and marketing pages
  • people who communicate with us or exercise privacy rights

 

2. Controller and contact details

Controller: Mitigram AB, org nr 556962‑9511, Tulegatan 2A, 113 58 Stockholm, Sweden
Contact for privacy matters and data subject rights: privacy@mitigram.com

 

3. Categories of personal data and sources

We may process the following categories of personal data:

  • Identification and contact data: name, email, phone number, job title, employer, country, company domain
  • Account and usage data: username, login times, roles, access rights, feature usage, click paths, in-product settings
  • Device Data: device type, device model, manufacturer, unique device identifiers, screen resolution, hardware configuration, sensor capabilities, operating system
  • Browser Data: browser name, browser version, rendering engine, user agent string, supported capabilities, referrer header, Do Not Track preference, viewport size
  • Network Identifiers: IP address, time zone, network connection type
  • Localization Data: language, preferred currency
  • Diagnostic Data: log files, diagnostic data
  • Communication data: messages and correspondence with us (email, support, chat, meeting notes)
  • Billing and payment data: billing contact details, invoice details, payment status, limited payment metadata (we do not store full card details)
  • Marketing and preference data: newsletter subscriptions, marketing preferences, event participation, feedback, survey responses
  • Third party data: business and trade related data about companies and contacts obtained from external data providers (for example via APIs used) where such data may incidentally contain personal data

 

We collect personal data from:

  • you directly when you register, log in, use the Services, contact us or respond to communications
  • your organisation if it designates you as a user or contact
  • automatic collection through cookies, similar technologies and server logs
  • third party service providers and data partners where they are lawfully allowed to share data with us

 

We do not intentionally collect special categories of personal data and we instruct users not to upload such data to our Services. If such data is identified, we will delete or restrict it.

 

4. Purposes and legal bases for processing

We process personal data only where we have a lawful basis under GDPR. Below is a summary of the purposes for which we process data and the legal bases we rely on.

  • Provide and operate the Services.
    We use personal data to create and manage user accounts, authenticate users, deliver platform features and ensure reliable operation of the Services. Legal basis: performance of contract and our legitimate interest in providing secure Services.
  • Maintain security and prevent misuse.
    We monitor logs and system activity to detect fraud, abuse, unauthorised access and security incidents. Legal basis: legitimate interest and, where applicable, legal obligation.
  • Customer support and communication.
    We process personal data to handle support requests, incidents and service notifications. Legal basis: performance of contract and our legitimate interest in ensuring service quality.
  • Billing, payments and accounting.
    We use billing contact data for subscription management, invoicing, payment processing and compliance with bookkeeping rules. Legal basis: performance of contract and legal obligation.
  • Analytics and service improvement.
    We analyse usage data and performance to improve features, develop new functionality and optimise reliability. Legal basis: our legitimate interest in developing the Services.
  • Marketing and relationship management.
    We maintain CRM records, send newsletters, updates and event information where permitted. Legal basis: legitimate interest and consent where legally required.
  • Legal and regulatory compliance.
    We process data to comply with legal obligations, respond to authorities, enforce agreements and manage claims. Legal basis: legal obligation and legitimate interest.
  • Business contact enrichment.
    We supplement CRM data with information from permitted third party sources to maintain accurate B2B contact records. Legal basis: legitimate interest.

 

5. When we act as processor

For certain enterprise deployments of our Services, Mitigram processes personal data on behalf of a customer that is the data controller (for example where a financial institution uploads its own counterparty data). In those cases:

  • we process personal data only on the customer’s documented instructions
  • the customer’s privacy notice explains how it uses personal data
  • our obligations are set out in the data processing agreement (DPA) with that customer

 

Data subjects may still contact us, but we may need to redirect requests to the relevant customer.

 

6. Subprocessors and other recipients

We share personal data only where necessary and in accordance with this Policy, applicable law and contractual safeguards.

 

6.1 Subprocessors

We use carefully selected subprocessors to host, support and operate our Services. These subprocessors process personal data solely on our instructions and are bound by contractual confidentiality and security obligations. Our current list of authorized subprocessors is available at https://mitigram.com/subprocessors and is kept up to date. Customers are responsible for reviewing the list regularly to stay informed of any changes.

 

6.2 Other recipients

We may also share personal data with:

  • your organisation if it is our customer and you are a user linked to that organisation
  • professional advisers (for example auditors, legal counsel, accountants) under confidentiality obligations
  • competent authorities, regulators, courts or law enforcement where required by law or to protect our rights or those of others
  • potential buyers or investors and their advisers in connection with a corporate transaction, subject to appropriate confidentiality protections

 

7. International transfers

Personal data is primarily processed and stored within the European Economic Area. Some subprocessors or group entities may be located outside the EEA or may access data from outside the EEA. In such cases we will ensure that an adequate level of protection is in place, for example by:

  • relying on an adequacy decision by the European Commission or the UK government, or
  • entering into Standard Contractual Clauses or other approved transfer mechanisms, and
  • applying additional technical and organisational measures where required.

 

8. Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law. Typical retention periods are:

  • account and profile data: for as long as the account is active, then up to two years after closure for bookkeeping, security and dispute handling
  • billing and payment records: for the period required by applicable accounting and tax law, typically seven years
  • technical logs and analytics data: up to twelve months, unless a longer period is needed for security or incident investigation
  • support communications: up to twenty-four months after the ticket or conversation is closed

 

When personal data is no longer needed, we will delete it or irreversibly anonymise it, unless we are legally required or permitted to keep it longer.

 

9. Cookies and similar technologies

We use cookies and similar technologies in our websites and Services to:

  • enable basic functionality, authentication and security
  • remember preferences and settings
  • understand how the Services are used and improve them
  • measure performance of pages and features

 

Strictly necessary cookies are required for the Services to function and are set without consent. Non-essential cookies, such as analytics cookies, are used only where permitted by law and, in the EU and UK, only after you have provided consent through our cookie banner or settings.

 

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

  • access controls, role-based access and least privilege principles
  • encryption in transit and at rest where appropriate
  • network and infrastructure security, including logging and monitoring
  • secure development and change management practices
  • subprocessors bound by security and confidentiality obligations

 

Despite these measures, no system is completely secure. Use of the Services always involves some residual risk.

 

11. Your rights

Depending on your location and subject to legal conditions, you may have the following rights regarding your personal data:

  • right of access to obtain confirmation and a copy of your personal data
  • right to rectification of inaccurate or incomplete data
  • right to erasure where certain grounds apply
  • right to restriction of processing in specific situations
  • right to object to processing based on legitimate interests or to direct marketing
  • right to data portability for data you provided to us, where processed by automated means and based on consent or contract
  • right to withdraw consent at any time where processing is based on consent


To exercise these rights, contact privacy@mitigram.com. We may need to verify your identity before handling your request.

 

12. Children

The Services are not directed to children and are intended for users who are at least eighteen years old. We do not knowingly collect personal data from children. If we learn that we have collected such data, we will take appropriate steps to delete it.

 

13. Changes to this Policy

We may update this Privacy Policy to reflect changes in our Services, data processing practices or legal requirements. When we do so, we will change the “Last updated” date at the top. Continued use of the Services after the updated Policy takes effect means you acknowledge the changes.

 

14. Contact and complaints

If you have questions about this Policy or how we process personal data, or if you wish to exercise your rights, contact: privacy@mitigram.com
