Garba
CustomersPricing
EnglishSvenska
Legal

Last updated: 24 April 2026

1. Introduction

1.1 General

Your privacy and the security of your personal data are important to us at Garba AI AB, reg. no. 559516-6348 ("Garba AI", "we", "us"). In this Privacy Policy (the "Policy"), we explain how we process personal data in connection with our services and business operations. We strive to provide you with information about our processing of personal data in a concise, transparent, intelligible, and easily accessible manner, in accordance with Article 12 of the GDPR. This Policy covers the processing of personal data that takes place within the framework of our services, our business operations, our communications, and our use of digital tools and integrations.

If you have any questions about this Policy or how we handle your data, you can contact us at:

Company: Garba AI AB, reg. no. 559516-6348
Address: Anckargripsgatan 3, 211 19 Malmö, Sweden
Email: support@garba.ai

Garba AI has not currently appointed a Data Protection Officer. We continuously monitor whether the circumstances of our operations change in a manner that gives rise to an obligation to appoint one.

1.2 Data Controller and Data Processor

Garba AI is the data controller for the processing of personal data described in this Policy, including personal data relating to our Client (being the legal person subscribing to our Service, represented by a natural person with contractual authority) relationships, such as contact details of Client representatives, billing information, and usage data.

Where Garba AI processes data on behalf of a Client, Garba AI acts as a data processor. The processing carried out by Garba AI as a data processor is governed by the applicable data processing agreement entered into with the Client and is not the primary subject of this Policy.

1.3 What is Personal Data?

Personal data means any information relating to an identified or identifiable natural person. This includes, for example, name, contact details, IP address, device identifiers, meeting-related information, or any other information that can be directly or indirectly linked to a living individual.

1.4 Scope

The purpose of this Policy is to inform you about how we process personal data, the legal bases on which we rely, how long data is retained, and the rights you may have as a data subject.

2. Data We Collect

2.1 General

The personal data we process depends on your relationship with us and whether we act as data controller or data processor in respect of the relevant processing. This section describes the categories of data subjects, the categories of personal data we process, and the sources from which we obtain such data.

2.2 How We Process Personal Data

We process personal data only for legitimate, specified, and explicitly stated purposes. We strive not to process more personal data than is necessary having regard to the purpose of the processing, and we work continuously to ensure that the data is accurate, relevant, and adequately protected.

2.3 Categories of Data Subjects

The categories of data subjects whose personal data we process depend on the context. In our capacity as data controller, the following categories of data subjects are primarily concerned:

  • representatives, contact persons, and signatories of Clients and prospective clients;
  • Users and Administrators with accounts on our platform;
  • contact persons at suppliers, partners, and other business contacts;
  • newsletter subscribers and recipients of other communications;
  • job applicants and potential referees; and
  • visitors to our website and persons who communicate with us via email, telephone, social media, or other digital channels.

In our capacity as data processor, we process such personal data relating to meeting participants and attendees as is necessary for the provision of the Service on behalf of our Clients. The processing of such data is governed by the applicable data processing agreement with the relevant Client.

2.4 Categories of Personal Data We Process as Data Controller

Depending on the context, we may process the following categories of personal data in our capacity as data controller:

  • identity and contact details, such as name, email address, telephone number, postal address, and company affiliation;
  • role and organisational information, such as job title, position, and employer;
  • account information, such as login credentials, account settings, and preferences;
  • billing and financial information, such as payment details, invoicing data, and information required for accounting purposes;
  • communication data, such as the content of emails, support requests, and other correspondence with us;
  • technical data, such as IP address, device identifiers, browser type, referring URL, cookie-related information, usage logs, and other data collected automatically through cookies and similar technologies on our website and platform; and
  • usage data, such as information about how you interact with our Service, including features used, settings configured, and integrations enabled.

2.5 Categories of Personal Data We Process as Data Processor

When acting as a data processor on behalf of our Clients, we process personal data as instructed by the Client in connection with the provision of the Service. The categories of personal data processed in this capacity vary depending on the Client's use of the Service and are specified in the applicable data processing agreement entered into with the relevant Client.

The processing of such data is carried out solely in accordance with the Client's documented instructions and is governed by the applicable data processing agreement.

3. How We Use Your Data

3.1 General

We process your personal data for the purposes set out below. The legal bases on which we rely for each category of processing are described in further detail in Section 3.2 (Legal Bases for Processing). Specifically, we use your data to:

  • provide and improve our services;
  • authenticate users and manage access;
  • administer billing, payments, and contractual obligations;
  • ensure compliance with legal and security requirements;
  • communicate with Clients, business contacts, and other relevant persons;
  • analyse usage patterns in order to maintain, develop, and improve our Service; and
  • conduct marketing activities, including sending newsletters and promotional communications.

3.2 Legal Bases for Processing

Our processing of personal data is always carried out on the basis of at least one legal ground pursuant to Article 6(1) of the GDPR. The following sets out the legal bases on which we rely.

3.2.1 Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR)

Where you, as a client representative or individual user, are a party to a contractual relationship with us, we may process your personal data to the extent necessary for the performance of the agreement or to take steps at your request prior to entering into an agreement. This includes, for example, creating and maintaining your account, providing our services, and processing payment information.

3.2.2 Legal obligation (Art. 6(1)(c) GDPR)

We process personal data where it is necessary to comply with legal obligations to which we are subject, for example under applicable accounting rules, tax legislation, or other binding regulations.

3.2.3 Legitimate interest (Art. 6(1)(f) GDPR)

We also process personal data on the basis of Article 6(1)(f) of the GDPR where the processing is necessary for the purposes of our or a third party's legitimate interests, provided that such interests are not overridden by the data subject's interests or fundamental rights and freedoms. Typical legitimate interests in our operations include, for example:

  • the interest in administering, documenting, and following up on customer and business relationships;
  • the interest in communicating with customers, job applicants, referees, business contacts, and other relevant external persons;
  • the interest in analysing usage patterns in order to maintain, develop, and improve the Service provided to the Client;
  • the interest in maintaining the security, quality, and functionality of our services and IT infrastructure;
  • the interest in handling and defending legal claims;
  • the interest in handling and responding to support requests, enquiries, and other correspondence;
  • the interest in administering recruitment processes, including evaluating applications, conducting interviews, and contacting referees; and
  • the interest in conducting marketing activities directed at existing and prospective customers.

3.2.4 Consent (Art. 6(1)(a) GDPR)

In certain cases, we process personal data on the basis of your consent. This may include, for example, the use of non-essential cookies on our website, subscription to newsletters, or receipt of promotional communications. Where consent constitutes the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to its withdrawal. We will inform you of the specific purpose of the processing at the time consent is collected.

4. Data Sharing and Third Parties

4.1 General

We only share personal data when necessary:

  • Service providers: In our capacity as data controller, we engage service providers for purposes such as payment processing, customer support, identity management and authentication, CRM and customer relationship management, and cloud infrastructure. Where we act as data processor, we may engage sub-processors to provide the Service. A complete and up-to-date list of sub-processors is maintained separately and made available to Clients in accordance with the applicable DPA.
  • Legal compliance: Where disclosure is required by law or by a competent regulatory authority.

We do not sell personal data to third parties.

Where external service providers process personal data on our behalf as data processors or sub-processors, we ensure through data processing agreements and other appropriate measures that they only process the data in accordance with our instructions and with adequate security measures in place.

4.2 International Data Transfers

Garba AI strives to process personal data within the EU/EEA. In certain cases, however, it may be necessary to transfer personal data to countries outside the EU/EEA, for example where a service provider carries out relevant processing in a third country.

Where personal data is transferred outside the EU/EEA, such transfers are carried out on the basis of an applicable transfer mechanism under the GDPR. The primary mechanism applied by Garba AI is the European Commission's Standard Contractual Clauses (SCCs). Where necessary, we assess on a case-by-case basis, for each provider or transfer, whether supplementary technical, organisational, or contractual safeguards are required having regard to the conditions in the relevant country. Where applicable, we may also rely on adequacy decisions issued by the European Commission or, where circumstances so require, on derogations pursuant to Article 49 of the GDPR.

Further details regarding international transfers and the safeguards applied may be obtained by contacting us at support@garba.ai.

5. Data Security and Personal Data Breaches

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, and other forms of unlawful processing. Our security measures include, but are not limited to:

  • encryption of data in transit and at rest;
  • strict access controls and authentication mechanisms; and
  • regular security audits and compliance assessments.

In the event of a personal data breach, we handle the incident in accordance with applicable procedures and legal requirements. Where we act as data controller and a breach is subject to notification requirements, we shall report it to the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten, "IMY") without undue delay and, where required, no later than seventy-two (72) hours after having become aware of the breach.

Where we act as data controller and a personal data breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, we will notify the data subjects concerned without undue delay to the extent required by applicable law.

For detailed security and compliance documentation, including our sub-processor list, certifications, and DPA, please visit our Trust Center.

6. Your Rights Under GDPR

If you are located in the EU/EEA, you may, depending on the circumstances, have the following rights under applicable data protection legislation in relation to the personal data we process about you.

Right of access. You may have the right to obtain information about whether we process personal data about you and, if so, to access such data and receive a copy of the personal data being processed, along with certain supplementary information about the processing.

Right to rectification. You may have the right to request that inaccurate, incomplete, or misleading personal data be corrected or supplemented.

Right to erasure. In certain cases, you may have the right to request the erasure of your personal data, for example where the data is no longer necessary for the purpose for which it was collected and there is no other legal basis for continued processing. This right is limited where we are required to retain the data to comply with legal obligations or to establish, exercise, or defend legal claims.

Right to restriction of processing. In certain cases, you may have the right to request that the processing of your personal data be restricted, for example while we verify the accuracy of the data or while an objection is being assessed.

Right to object. Where our processing is based on legitimate interest, you may, on grounds relating to your particular situation, have the right to object to the processing. You always have the right to object to processing for direct marketing purposes, and we will cease such processing upon your objection.

Right to data portability. Where the processing is based on your consent or a contract with you and is carried out by automated means, you may have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to have such data transmitted to another controller.

Right to withdraw consent. Where our processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to its withdrawal.

Where we act as data controller, we will respond to all data subject requests without undue delay and in any event within one (1) month of receipt, in accordance with the GDPR. Where a request is complex or where we have received a large number of requests, the response period may be extended by up to two (2) additional months. We will inform you of any such extension within one (1) month of receipt of the request, together with the reasons for the delay.

Where we act as data processor on behalf of a Client, we will assist the Client in fulfilling data subject requests without undue delay to enable the Client to meet its obligations towards data subjects.

To exercise your rights, contact us at support@garba.ai.

7. Data Retention

We retain personal data for as long as necessary for the purpose for which it was collected and thereafter only to the extent there is a legal basis or legitimate need for continued retention. The specific retention periods depend on the nature of the data, the context of the processing, and whether we act as data controller or data processor in respect of the relevant processing.

For active Clients, retention of certain categories of data — including recordings, transcriptions, emails, and meeting data — may be configured by the Client through the Service. Where the Client has configured an automatic deletion policy, the relevant data will be deleted in accordance with the retention period specified by the Client. Data that is not subject to a Client-configured retention policy will be retained for as long as the Client's subscription remains active.

Upon termination of a Client's account, all associated customer data — including, but not limited to, recordings, transcriptions, emails, calendar data, user accounts, CRM data, and audit logs — will be deleted within three (3) months following the date of account termination. Backup copies are retained and expire in accordance with their respective backup retention schedules, which range from seven (7) days to three (3) years depending on the type of backup.

Notwithstanding the foregoing, we may retain personal data for longer periods where required by applicable law, for example under accounting or tax legislation, or where necessary to establish, exercise, or defend legal claims. Where we act as data controller, data subjects may request deletion of their personal data at any time in accordance with Section 6 of this Policy.

8. Profiling and Automated Decision-Making

In our capacity as data controller, we do not engage in profiling or automated decision-making that produces legal effects or similarly significantly affects data subjects. While we may use analytical tools and automated processes to administer and improve our services, such processing does not involve the evaluation of personal aspects of individuals for the purpose of making decisions with legal or equivalent effects. All material decisions affecting individuals are subject to human oversight and review.

9. Updates to this Privacy Policy

We may update this Policy from time to time. We will notify users of significant changes via email or in-app notifications. This Policy is effective as of 24 April 2026.

10. Complaints to the Supervisory Authority

If you consider that our processing of your personal data infringes applicable data protection legislation, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Sweden is IMY. Further information on how to file a complaint and your rights is available on IMY's website at www.imy.se.