Effective date: 22 February 2026
Controller: Univise AB
Registered in: Sweden
Organization number: 559575-3293
Contact: privacy@hiiit.org
1. Introduction
Univise AB (“we”, “us”) is committed to protecting personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
We maintain governance, security, and risk management processes designed to ensure the confidentiality, integrity, and availability of personal data processed through the HIIIT platform.
This Privacy Policy describes how we collect, use, store, and protect personal data in connection with:
- Use of hiiit.org
- Use of the HIIIT platform
- Customer relationships
- Organizational assessments conducted through HIIIT
2. Roles and Responsibilities
Depending on context, HIIIT acts as:
- Data Controller – for website visitors, customer contacts, and marketing communication
- Data Processor – when processing personal data on behalf of customer organizations within the HIIIT platform
When acting as Data Processor, processing is governed by a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
3. Categories of Personal Data
3.1 Account and Identity Data
- Name
- Email address
- Organizational affiliation
- Role or title
3.2 Platform Data
- Assessment responses
- Organizational metrics
- Strategic inputs
- Uploaded documentation
3.3 Technical and Security Data
- IP address
- Device identifiers
- Access logs
- System usage metadata
4. Legal Basis for Processing
We process personal data based on:
- Contractual necessity (Art. 6(1)(b))
- Legitimate interests (Art. 6(1)(f))
- Legal obligation (Art. 6(1)(c))
- Consent (Art. 6(1)(a)), where applicable
Legitimate interests may include maintaining platform security, preventing fraud, and improving service performance.
5. Purpose of Processing
Personal data is processed to:
- Deliver and operate the HIIIT platform
- Generate AI-based insights
- Provide customer support
- Maintain security and system integrity
- Improve platform performance
- Comply with legal obligations
6. AI-Based Processing and Transparency
HIIIT uses AI-based analytical models to generate structured insights and recommendations on priorities.
AI functionality:
- Supports analysis at the organizational level
- Does not perform automated decision-making with legal or similarly significant effects on individuals
- Does not replace human judgment in leadership or governance
- Is not used to determine employment or contractual decisions
AI outputs are advisory and should be interpreted by humans.
7. Information Security
HIIIT maintains technical and organizational security measures aligned with recognized information security principles, including those reflected in ISO/IEC 27001 and Article 32 of the GDPR.
7.1 Organizational Measures
- Defined access control policies
- Role-based access manangement
- Confidentiality agreements
- Internal information security governance
- Vendor risk management procedures
7.2 Technical Measures
- Encryption in transit (TLS)
- Secure cloud infrastructure within the EU (Google Cloud Platform)
- Logical separation of customer environments
- Access logging and monitoring
- Regular backups
- Vulnerability management
- privacyPolicy.security.technical.list.6
7.3 Secure Development Practices
- Controlled code deployment processes
- Separation of development, staging, and production environments
- Restricted access to production systems
- Security monitoring
8. Hosting and Data Location
All customer platform data is stored within the European Union using Google Cloud Platform (GCP) infrastructure located in EU data centers.
Data is not intentionally transferred outside the EU/EEA unless appropriate safeguards are in place.
9. Sub-Processors
HIIIT engages carefully selected sub-processors for infrastructure and service delivery, including:
- Google Cloud Platform (EU infrastructure)
- Infrastructure and security service providers
- Analytics providers (where applicable)
All sub-processors are subject to contractual data protection and confidentiality obligations. HIIIT maintains oversight of sub-processor compliance.
10. Data Retention
Personal data is retained:
- For the duration of an active subscription
- For 30 days following termination to allow data export
- In backup copies retained for up to 90 days
- For longer where required by law
Once the applicable retention period has expired, data is securely deleted or anonymized.
11. Incident Management and Breach Notification
HIIIT maintains internal procedures for incident detection, response, and mitigation.
In the event of a personal data breach affecting customer data:
- Customers will be notified without undue delay
- Notification will comply with GDPR Article 33 and 34 requirements
- Appropriate remediation measures will be taken
12. International Transfers
If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses
- Adequacy decisions
- Other equivalent lawful transfer mechanisms
13. Data Subject Rights
Individuals have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request erasure
- Request restriction of processing
- Receive their data for portability
- Object to processing
Requests may be submitted to privacy@hiiit.org. Individuals may lodge complaints with the Swedish Authority for Privacy Protection (IMY).
14. Cookies
HIIIT uses cookies and similar technologies. Please refer to our Cookie Policy for more information.
15. Updates to This Policy
We may update this Privacy Policy to reflect changes in legal, technical, or operational requirements.
The latest version will always be available at hiiit.org.