Privacy Policy
How CLVR Benefits collects, uses, and protects personal data.
Overview
CLVR Benefits AB ("CLVR", "we", "us") provides an employee benefits platform to companies and the employees of those companies. This Privacy Policy explains what personal data we collect, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
This policy applies to all of our services: the marketing site at clvrbenefits.com, the employee webapp at app.clvrbenefits.com, the admin back-office, and any conversations you have with our team.
If you have questions about this policy, you can reach our Data Protection Officer at dpo@clvrbenefits.com. We respond within five business days.
Who is responsible
CLVR Benefits AB is the data controller for personal data we collect on the marketing site, from prospects we talk to, and from our own employees.
CLVR is not a self-serve product. Every customer is onboarded under a bespoke commercial agreement that we prepare and counter-sign with the company, and individuals cannot register for CLVR on their own. If you are using the platform, it is because your employer has entered into that agreement with us and has chosen to extend access to you.
For employees using the platform through their employer, the employer is the data controller and CLVR acts as the data processor under a signed Data Processing Agreement (DPA) appended to that commercial agreement. The DPA governs how we process employee data on the employer's behalf, and any benefit provider you transact with through the platform becomes a separate controller for the order they fulfil.
What we collect
The categories of personal data we process depend on how you use the service. The table below covers everything we may hold, the data points in each category, and why we need them.
| Data category | Type of data | Purpose |
|---|---|---|
| Identity and contact | First name, last name, date of birth, social security number | |
| Billing and contact | Billing address, delivery address, private and work email address and phone numbers | |
| Profile | Password, start date, end date | |
| UI preferences | Language preference (sv/en), theme preference (light/dark/auto) | To improve user experience and remember your preferences across devices when signed in |
| Interests and preferences | User preferences and interests | |
| Transactions | Details about orders and payments to and from you and other details of products and services you have purchased | |
| Reward | Annual salary, pension, benefit allowance, and insurances | |
| Technical | IP address, sign-in data, browser type and version, time zone, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the platform | |
| Usage | Information about how you use our website, the CLVR Benefits platform, and services (cookies) | To improve user experience of the platform |
| Feedback and survey responses | User feedback and survey responses | |
| Marketing and communications | Communication preferences, historical purchases or orders made by you, your interests, preferences of products | |
| Receipt and expense documents | Receipt images or PDFs, benefit category names (when AI-assisted prefill is enabled by your employer) | To prefill expense report forms when your employer has enabled AI receipt scanning. Processing is performed by Anthropic (Claude) for extraction only. We do not use your data to train models. We retain only what is necessary for the feature and for audit compliance. |
We do not collect special categories of personal data (such as racial or ethnic origin, religious beliefs, health, sexual orientation, trade union membership, or genetic / biometric data). Nor do we collect information about criminal convictions or offences.
CLVR Benefits also collects and uses aggregated data (such as statistical or demographic data) for any purpose. Aggregated data is derived from personal data but is not personal data in law because it does not directly or indirectly reveal your identity. If we ever combine aggregated data with your personal data so that it can identify you, we treat the combined data as personal data and apply this policy to it.
Legal basis
We rely on one of these legal bases for each processing activity:
- Contractual necessity for processing your selections, receipts, and payments. Without this we cannot deliver the service that your employer has contracted CLVR to provide.
- Legitimate interest for product analytics, security logs, fraud prevention, and quality improvements. We balance the interest against your rights and freedoms each time we rely on it.
- Consent for marketing emails, optional cookies, and any sensitive data tied to a specific benefit. You can withdraw consent at any time without affecting the lawfulness of processing we did before you withdrew.
- Legal obligation for tax reporting, accounting, anti-money-laundering checks, and responding to lawful requests from authorities.
Retention
We keep personal data only as long as we need it for the purposes set out in this policy, or as long as we are legally required to. Concretely:
- Account data is kept while your employer maintains an active CLVR contract and you are listed as an active user under it, and for 90 days after your access ends, in case the access change is disputed or reversed.
- Benefits activity and transactions are kept for 7 years to comply with Swedish bookkeeping law (Bokföringslagen).
- Support messages are kept for 24 months from the last interaction.
- Marketing data is deleted within 60 days of unsubscribing or going inactive.
We may retain data for a longer period if you raise a complaint or where we reasonably believe there is a prospect of litigation in respect of our relationship with you.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct it if it is wrong or incomplete.
- Delete it, subject to the retention requirements above.
- Restrict or object to certain types of processing, including direct marketing.
- Port your data to another provider in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, without affecting prior processing.
- Not be subject to decisions based solely on automated processing. See the next section on AI-assisted decisions.
To exercise any of these rights, email dpo@clvrbenefits.com. We aim to respond within one month. If you are not satisfied with our response, you can lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
Security
We treat security as a product feature, not a checklist. CLVR runs on EU-based cloud infrastructure with encryption at rest and in transit, scoped access controls, audit logging, and regular third-party penetration tests. Our staff cannot access employee benefit details without a documented, ticketed reason.
We have procedures in place to handle any suspected personal data breach and will notify you and the relevant regulator where we are legally required to do so.
For full detail on our security posture, controls, and certifications, see our Trust Center.
AI-assisted decisions
CLVR Benefits offers optional AI-powered features that assist in processing expense reports. These features are enabled at the discretion of your employer and include:
- Receipt scanning. AI extracts vendor, date, amount, and VAT information from uploaded receipt images to pre-fill expense forms.
- Expense evaluation. AI evaluates certain categories of expense reports (currently wellness and gym membership receipts) and may automatically approve, decline, or defer them to human review.
Human oversight. All AI decisions are subject to HR review. HR can view every AI decision with its confidence score and reasoning, and can revert any decision at any time. When the AI is uncertain (confidence below 85%), the expense is automatically deferred to human review. This constitutes human-in-the-loop processing under GDPR Article 22.
Your rights. If an expense is declined by AI, you are notified with a clear explanation and can edit and resubmit the expense. You may also contact your HR representative to request manual review of any automated decision.
Data sent to AI. Receipt images and PDFs, expense form data, and benefit category names. If your employer enables it, company policy documents may also be read by the AI for context. No employee personal data (names, emails, salaries) is included. AI processing is performed by Anthropic (Claude). We do not use your data to train models. We retain only what is necessary for these features and for audit compliance.
Changes to this policy
We may update this policy from time to time. Material changes will be notified to customers in the webapp at least 30 days before they take effect, and where appropriate by email to the designated representatives of our customers.
The current version and effective date are always shown at the top of this page. The version number tracks the release of the marketing site; if it changes, this page has been touched.
Contact
For any questions about this Privacy Policy or how we handle your personal data, contact us:
CLVR Benefits AB (org. nr 559418-3641)
Vegagatan 23
172 34 Sundbyberg, Sweden
dpo@clvrbenefits.com