H
HIIIT

Privacy Policy for HIIIT

Powered by Univise AB

Effective date: 22 February 2026
Controller: Univise AB
Registered in: Sweden
Organization number: 559575-3293
Contact: privacy@hiiit.org

1. Introduction

Univise AB (“we”, “us”) is committed to protecting personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

We maintain governance, security, and risk management processes designed to ensure the confidentiality, integrity, and availability of personal data processed through the HIIIT platform.

This Privacy Policy describes how we collect, use, store, and protect personal data in connection with:

  • Use of hiiit.org
  • Use of the HIIIT platform
  • Customer relationships
  • Organizational assessments conducted through HIIIT

2. Roles and Responsibilities

Depending on context, HIIIT acts as:

  • Data Controllerfor website visitors, customer contacts, and marketing communication
  • Data Processorwhen processing personal data on behalf of customer organizations within the HIIIT platform

When acting as Data Processor, processing is governed by a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.

3. Categories of Personal Data

3.1 Account and Identity Data

  • Name
  • Email address
  • Organizational affiliation
  • Role or title

3.2 Platform Data

  • Assessment responses
  • Organizational metrics
  • Strategic inputs
  • Uploaded documentation

3.3 Technical and Security Data

  • IP address
  • Device identifiers
  • Access logs
  • System usage metadata

4. Legal Basis for Processing

We process personal data based on:

  • Contractual necessity (Art. 6(1)(b))
  • Legitimate interests (Art. 6(1)(f))
  • Legal obligation (Art. 6(1)(c))
  • Consent (Art. 6(1)(a)), where applicable

Legitimate interests may include maintaining platform security, preventing fraud, and improving service performance.

5. Purpose of Processing

Personal data is processed to:

  • Deliver and operate the HIIIT platform
  • Generate AI-based insights
  • Provide customer support
  • Maintain security and system integrity
  • Improve platform performance
  • Comply with legal obligations

6. AI-Based Processing and Transparency

HIIIT uses AI-based analytical models to generate structured insights and recommendations on priorities.

AI functionality:

  • Supports analysis at the organizational level
  • Does not perform automated decision-making with legal or similarly significant effects on individuals
  • Does not replace human judgment in leadership or governance
  • Is not used to determine employment or contractual decisions

AI outputs are advisory and should be interpreted by humans.

7. Information Security

HIIIT maintains technical and organizational security measures aligned with recognized information security principles, including those reflected in ISO/IEC 27001 and Article 32 of the GDPR.

7.1 Organizational Measures

  • Defined access control policies
  • Role-based access manangement
  • Confidentiality agreements
  • Internal information security governance
  • Vendor risk management procedures

7.2 Technical Measures

  • Encryption in transit (TLS)
  • Secure cloud infrastructure within the EU (Google Cloud Platform)
  • Logical separation of customer environments
  • Access logging and monitoring
  • Regular backups
  • Vulnerability management
  • privacyPolicy.security.technical.list.6

7.3 Secure Development Practices

  • Controlled code deployment processes
  • Separation of development, staging, and production environments
  • Restricted access to production systems
  • Security monitoring

8. Hosting and Data Location

All customer platform data is stored within the European Union using Google Cloud Platform (GCP) infrastructure located in EU data centers.

Data is not intentionally transferred outside the EU/EEA unless appropriate safeguards are in place.

9. Sub-Processors

HIIIT engages carefully selected sub-processors for infrastructure and service delivery, including:

  • Google Cloud Platform (EU infrastructure)
  • Infrastructure and security service providers
  • Analytics providers (where applicable)

All sub-processors are subject to contractual data protection and confidentiality obligations. HIIIT maintains oversight of sub-processor compliance.

10. Data Retention

Personal data is retained:

  • For the duration of an active subscription
  • For 30 days following termination to allow data export
  • In backup copies retained for up to 90 days
  • For longer where required by law

Once the applicable retention period has expired, data is securely deleted or anonymized.

11. Incident Management and Breach Notification

HIIIT maintains internal procedures for incident detection, response, and mitigation.

In the event of a personal data breach affecting customer data:

  • Customers will be notified without undue delay
  • Notification will comply with GDPR Article 33 and 34 requirements
  • Appropriate remediation measures will be taken

12. International Transfers

If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses
  • Adequacy decisions
  • Other equivalent lawful transfer mechanisms

13. Data Subject Rights

Individuals have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure
  • Request restriction of processing
  • Receive their data for portability
  • Object to processing

Requests may be submitted to privacy@hiiit.org. Individuals may lodge complaints with the Swedish Authority for Privacy Protection (IMY).

14. Cookies

HIIIT uses cookies and similar technologies. Please refer to our Cookie Policy for more information.

15. Updates to This Policy

We may update this Privacy Policy to reflect changes in legal, technical, or operational requirements.

The latest version will always be available at hiiit.org.