§ Colophon · Privacy policy
How we handle your data.
A policy written for an editorial context, grounded in the GDPR and Swedish practice. No dark corners, no legalese where plain language will do.
§ I
Who we are.
The data controller is Ahody Labs AB, reg.no 559553-1376, headquartered in Stockholm, Sweden. The responsible editor and contact person for privacy matters is Nicklas Salmin. We can be reached at compliance@ahody.com.
§ II
What data we collect.
On the marketing site (ahody.com) we collect a minimum: the data you provide in contact forms (name, title, email, organization, any free text) and technical data required to serve the page (IP, user agent, timestamp). We do no behavioral profiling and no third-party marketing tracking. Inside the product (app.ahody.com) personal data is processed only under the data processing agreement (DPA) signed with each newsroom — the newsroom is the controller, Ahody is the processor.
§ III
Legal basis.
For contact forms and demo requests: legitimate interest (GDPR art. 6(1)(f)) — responding to an inbound inquiry. For operational telemetry on the marketing site: legitimate interest (operations, security, fraud prevention). For the product itself: our agreement with the newsroom and the newsroom's instruction as controller (art. 6(1)(b) and art. 28).
§ IV
What we do with it.
The data you provide in contact forms is used to get back to you — nothing else. It is not entered into any marketing automation without consent, and it is never used to train language models. Product material flowing through our systems is processed only to deliver the functionality the newsroom has requested, with anonymization before any language model sees the text.
§ V
Who we share it with.
We share data with a small number of subprocessors that provide the infrastructure: among others Anthropic and OpenAI for language models, Bahnhof for primary hosting, Proton for email, Supabase for authentication and Railway for the marketing site. All are listed on the Subprocessors page with jurisdiction and transfer basis, and all are covered by a written DPA.
§ VI
Transfers outside the EU/EEA.
Some subprocessors are established outside the EU/EEA. When we transfer data there, it is done under the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, supplementary technical measures. Source-protected material never leaves EU territory — it is handled only in our Swedish infrastructure.
§ VII
Retention.
Contact inquiries are deleted no later than 18 months after the last interaction, unless you explicitly ask us to keep them longer. Product data is deleted according to the agreement with each newsroom (typically 30 days after contract termination, with full export on request).
§ VIII
Your rights.
You have the right to request access to your data, rectification, erasure, restriction, portability and to object to the processing. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe we are not following the rules. To exercise your rights: email compliance@ahody.com. We respond within 30 days.
§ IX
Cookies and tracking.
The marketing site uses only functional cookies required for the page to work (language preference, session). We run no advertising cookies, no Google Analytics, no third-party pixels. Anyone who wants to know exactly what gets set in the browser can inspect devtools — that's the full list.
§ X
Source protection as a special case.
Material flagged as source-protected by a newsroom is governed by a special regime that overrides this policy: it never leaves the newsroom's own workspace, never passes through a language model, and does not appear in any backup that Ahody staff can reach. Whistleblowers filing under meddelarfriheten get the same constitutional protection inside Ahody as in a traditional newspaper archive.