RiskNote
Privacy Policy

Last updated: March 2026

VER&IT AB ("we", "us", "our"), org.nr 556985-1206, operates the RiskNote service at risknote.io. We are committed to protecting your privacy and handling your data transparently in accordance with the EU General Data Protection Regulation (GDPR).

01

Data Controller

VER&IT AB

Nygatan 71, 462 32 Vänersborg, Sweden

Org.nr: 556985-1206

Email: privacy@risknote.io

VER&IT AB has not appointed a Data Protection Officer (DPO) as we do not meet the threshold criteria under GDPR Article 37. For all privacy-related inquiries, please contact us at the email address above.

02

Data We Collect

Account Data

When you create an account, we collect your name and email address. If you authenticate via Google, Microsoft, or Apple OAuth, we receive your name, email, and provider user ID. We do not store OAuth access tokens.

Providing your name and email is necessary to create an account — without this data, we cannot provide access to RiskNote.

Risk Assessment Data

The content you create in RiskNote — risk note names, descriptions, risk areas, and individual risks — is stored to provide the service. This data belongs to you and can be exported or deleted at any time.

AI Analysis Data

When you use the AI analysis feature, your risk note context (name, description, and selected risk areas) is transmitted to Anthropic's Claude API for processing. We log the AI model used, input/output token counts, and estimated cost for usage tracking and rate limiting (max 20 analyses/hour). We do not use your content to train AI models, and Anthropic's Commercial API terms prohibit using customer inputs/outputs for model training.

Payment Data

Web subscriptions are processed by Stripe. Mobile subscriptions are processed through Apple App Store or Google Play, managed via RevenueCat. We store Stripe customer IDs and RevenueCat subscriber identifiers, but never handle credit card numbers, bank details, or other payment instruments.

Technical Data

We collect minimal technical data: IP address (rate limiting and security), browser type, and timestamps. We do not use third-party analytics or tracking pixels.

Account Deletion Feedback

When deleting your account, you may optionally provide feedback. This is anonymised after deletion and not linked to your personal data. Based on consent (Art. 6(1)(a) GDPR) — withdrawable at any time.

03

How We Use Your Data

We process your data for the following purposes, each paired with its legal basis:

Purpose | Legal Basis
Service delivery — providing and operating RiskNote | Contract performance (Art. 6(1)(b))
AI-powered risk analysis — generating risk suggestions | Contract performance (Art. 6(1)(b))
Billing — managing subscriptions via Stripe, Apple, or Google | Contract performance (Art. 6(1)(b))
Security — preventing abuse, fraud, unauthorised access | Legitimate interest (Art. 6(1)(f)): protecting the service and users
Transactional emails — verification, reports, billing | Contract performance (Art. 6(1)(b))
AI usage analytics — monitoring token consumption and cost | Legitimate interest (Art. 6(1)(f)): service quality and cost management
Account deletion feedback (optional) | Consent (Art. 6(1)(a))

04

AI-Powered Risk Analysis

RiskNote uses artificial intelligence to generate risk suggestions. This section provides transparency about how AI processes your data.

What the AI does: When you click "Analyse Risks", your risk note's name, description, selected risk areas, and any existing risks are sent to Anthropic's Claude API. The AI returns 5 risk suggestions with likelihood and consequence scores. This is a decision-support tool — all suggestions require your review and approval.

AI provider: Anthropic (San Francisco, USA). Processing via the Claude API under Anthropic's Commercial Terms of Service. Your inputs and outputs are not used by Anthropic to train or improve their AI models.

No automated decision-making: The AI analysis feature is advisory only. No decisions with legal or similarly significant effect are made solely by automated means (GDPR Art. 22). You retain full control over which suggestions to accept, modify, or reject.

What we log: For each analysis: AI model version, input/output token counts, estimated cost, and timestamp. Used for usage limits, billing accuracy, and service monitoring.

Rate limiting: AI analyses are limited to 20 per hour per user. Monthly allocation depends on your subscription plan.

Your right to object: You may object to AI processing under Art. 21 GDPR. Since AI risk analysis is the core contracted service, objecting may limit your ability to use RiskNote's primary features. You can still create risk notes and add risks manually.

05

Sub-Processors & International Transfers

Your data is primarily hosted within the EU on Elastx infrastructure in Stockholm, Sweden (ISO 27001-certified). We engage the following sub-processors:

Processor | Purpose | Data | Location | Safeguard
Elastx | Backend & frontend hosting | All service data | Stockholm, SE | EEA
Anthropic | AI risk analysis | Risk note content | USA | DPF + SCCs
Stripe | Web payments | Customer ID, subscriptions | USA / EU | DPF + SCCs
RevenueCat | Mobile subscriptions | User IDs, purchases | USA | SCCs

You may request copies of applicable safeguard documentation (Standard Contractual Clauses) by contacting privacy@risknote.io.

06

Data Retention

Active account: Data retained for as long as your account is active.

Account deletion: All personal data and risk assessment content permanently removed within 30 days.

Billing records: Retained up to 7 years per Swedish accounting law (Bokföringslagen, SFS 1999:1078).

Anonymised feedback: May be retained indefinitely for product improvement.

07

Your Rights

Under the GDPR, you have the following rights:

Access: Request a copy of your personal data (Art. 15).
Rectification: Correct inaccurate data via account settings or by contacting us (Art. 16).
Erasure: Delete your account and all data using the in-app feature, or contact us (Art. 17).
Data portability: Export risk assessments in PDF; structured JSON export available upon request (Art. 20).
Restriction: Request that we limit processing of your data (Art. 18).
Object: Object to processing based on legitimate interest, including AI analysis (Art. 21).
Withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior lawfulness (Art. 7(3)).
Lodge a complaint: Contact the Swedish Authority for Privacy Protection (IMY) at imy.se.

To exercise any of these rights, contact privacy@risknote.io. We will respond within 30 days.

08

Automated Decision-Making

RiskNote uses AI to generate risk suggestions, but does not make decisions with legal or similarly significant effect based solely on automated processing (GDPR Art. 22). All AI-generated suggestions are presented for your review — you decide which to accept, modify, or discard. Subscription access limits (usage caps, trial expiry) are applied automatically based on your plan, but these are standard service operations, not profiling.

09

Cookies

RiskNote uses only strictly necessary cookies for authentication session management. We do not use marketing, analytics, or preference cookies. No cookie consent banner is required as we only use essential cookies exempt under the ePrivacy Directive (Art. 5(3)), as implemented in Sweden's Electronic Communications Act (LEK, Chapter 6, Section 18).

10

Children

RiskNote is not intended for use by individuals under the age of 16. We do not knowingly collect data from children. If we become aware that we have collected data from a child under 16, we will promptly delete it.

11

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "last updated" date at the top reflects the most recent revision.

12

Contact

For privacy-related inquiries:

privacy@risknote.io

VER&IT AB · Nygatan 71, 462 32 Vänersborg, Sweden · Org.nr: 556985-1206