
privacy policy

last updated: May 23, 2026

1. who we are

data controller: Webnation AB, Stockholm, Sweden

privacy contact: info@webnation.se

We process your personal data according to the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act.

2. what information we collect

To deliver Hubbub, we collect information you provide and data generated as you use our service:

  • account data. email, name, optional profile picture, password hash, authentication tokens. if you sign in with google, we receive your email and public profile (name, picture) from google.
  • presentation content. slide text, poll questions, audience responses (votes, word-cloud entries, Q&A submissions, quips, ratings). audience responses may contain personal data (e.g., a user's name typed into a free-text field). we treat all response content as potentially personal data.
  • usage logs. timestamps, browser type, user-agent, IP address. we use IP addresses only for rate-limiting, abuse detection, and security investigation — not for profiling or advertising.
  • payment information. we do not store credit card data. stripe handles all payment processing. we retain invoices for 7 years per swedish law.
  • file uploads & exports. slide images, uploaded presentation files, and generated PDFs/spreadsheets are stored on AWS S3 (encrypted, EU region).
  • error & performance data. when the app crashes, Sentry collects stack traces and request metadata. we strip email, payment data, and slide content before sending.
  • product analytics (opt-in). when you grant analytics consent, PostHog (EU region) receives: pages you visit, button and link clicks (element labels only, not what you typed), and semantic events (e.g. "presentation created", "slide added"). we do NOT record sessions or screen replays of any kind, and we do not send your email or name to PostHog — events are tied to a pseudonymous account id only. you can revoke consent any time and the data is deleted on request.
  • cookies. see our cookie policy for details.

3. why we process your data

under GDPR Article 6, we process data based on:

  • contract performance (Art. 6(1)(b)): account creation, service delivery, billing, support
  • legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, product improvement via aggregate analytics
  • consent (Art. 6(1)(a)): optional PostHog analytics — you control this in settings
  • legal obligation (Art. 6(1)(c)): swedish tax records (required 7 years)

4. how we use your data

  • service delivery: authentication, hosting, rendering your slides for audiences
  • billing & support: processing subscriptions, sending invoices and transactional email
  • product improvement: pseudonymous product analytics (PostHog — no session recording, no email) to find bugs, polish flows, and prioritize fixes during beta
  • security: detecting unauthorized access, spam, and terms violations
  • legal compliance: tax filings and regulatory obligations

we do not sell, rent, or trade personal data. we do not send marketing email unless you opt in.

5. who we share your data with

we use these subprocessors:

service | purpose | location | safeguards
--- | --- | --- | ---
Stripe | payment processing | US | standard contractual clauses
Resend | transactional email | US | standard contractual clauses
specific.dev | hosting & CDN | EU + global | EEA-first with SCCs for edge
AWS S3 | file storage | EU (eu-north-1) | within EEA
Temporal | workflow orchestration | EU | within EEA
Sentry | error monitoring | US | standard contractual clauses
PostHog | analytics (opt-in) | EU (eu.i.posthog.com) | stays within EEA
Google | OAuth sign-in (optional) | US/global | standard contractual clauses

we chose PostHog's EU region so consented analytics never leave the EEA. for US-based processors (Stripe, Resend, Sentry, Google), we rely on standard contractual clauses plus supplementary measures: encryption in transit, minimal payloads, and access logging. see our sub-processors page for each provider's DPA and privacy policy.

6. how long we keep your data

  • active account: indefinitely while your account exists
  • audience responses: retained while the parent presentation exists; deleted when you delete the presentation or close your account
  • account closure: sign-in credentials, sessions, and workspace content are permanently and immediately deleted — there is no recovery window, so export anything you want to keep before you close your account
  • invoices: 7 years (swedish bookkeeping act)
  • analytics: 12 months, then aggregated or deleted
  • error logs (Sentry): 30 days
  • email logs (Resend): 90 days
  • IP address logs: 30 days for abuse detection, then deleted

7. your privacy rights

under GDPR, you can:

  • access (Art. 15): request a copy of your personal data
  • correct (Art. 16): fix inaccurate or incomplete data
  • erase (Art. 17): request deletion ("right to be forgotten")
  • export (Art. 20): receive data in a portable format
  • restrict (Art. 18): pause processing for specific purposes
  • object (Art. 21): object to processing based on legitimate interest
  • withdraw consent (Art. 7(3)): revoke analytics consent at any time
  • complain: file a complaint with Datainspektionen (IMY, www.imy.se)

how to request:

  • erasure: self-service via settings → profile → danger zone (delete account)
  • other requests: email info@webnation.se with "data subject request" in the subject line. include your account email. we respond within 30 days per GDPR Article 12(3); complex requests may take 60 additional days.

8. automated decision-making

we do not use automated decision-making or profiling that produces legal effects about you (GDPR Art. 22). Stripe may run automated fraud checks, but we review any account suspension ourselves.

9. international data transfers

PostHog (eu.i.posthog.com) keeps analytics data in the EEA. Stripe, Resend, Sentry, and Google may process operational data in the US under standard contractual clauses, our Article 46 safeguard. we've assessed adequacy per Schrems II (C-311/18) and apply supplementary encryption and access controls.

10. security

we implement technical and organizational measures:

  • HTTPS encryption in transit
  • password hashing (bcrypt)
  • access controls and audit logs
  • regular security updates and monitoring via Sentry
  • encrypted backups

no security is absolute. we cannot guarantee protection against all threats.

11. children

Hubbub is not aimed at children under 13. if we discover a user is under 13, we delete their account and data. parents/guardians with concerns can contact info@webnation.se.

12. policy updates

we may update this policy at any time. changes are effective when posted. material changes are announced via email.

13. contact

privacy questions:
Webnation AB
Stockholm, Sweden
info@webnation.se

file a complaint with the swedish data protection authority:
datainspektionen (IMY)
box 193
SE-581 01 linköping, sweden
www.imy.se | +46 13 19 18 00