Privacy Policy • gapXplorer

Our GDPR responsibilities

gapXplorer AB (Org. No. 559528-6880), Lillmossvägen 54B, 19636 Kungsängen, Sweden, is the data controller for the public site and customer dashboards. You can reach our data protection contact at contact@gapxplorer.com.

We process personal data only to deliver and improve our services, manage customer relationships, meet Swedish legal obligations, and – when you opt in – conduct privacy-friendly marketing. Depending on the action, we rely on contractual necessity, legitimate interest, legal obligation, or consent as the lawful basis.

Categories: identification details, business contact information, payment data, and usage data from our website or dashboards.
Retention: we keep data only as long as needed for the stated purpose. Invoice records are retained for seven years under the Swedish Accounting Act, then deleted or anonymized.
Sharing: information may be shared with vetted IT/analytics providers via data processing agreements or with authorities when required. We do not sell personal data and do not transfer it outside the EU/EEA without adequate safeguards. Payment processing is handled by Stripe.
Security: encryption, secure hosting, and strict access controls protect your information from unauthorized use.

Payments and billing (Stripe)

We use Stripe to process payments. Payment details are submitted directly to Stripe and are handled under Stripe’s own privacy and security standards. gapXplorer does not store or have access to your full payment card details.

We receive only limited transaction information (such as confirmation, amount, date, and invoice details) so we can provide access to the service, issue receipts and invoices, and comply with Swedish accounting obligations.

Vi använder Stripe för betalningar. Betalningsuppgifter skickas direkt till Stripe och gapXplorer sparar aldrig fullständiga kortuppgifter. Vi får endast begränsad transaktionsinformation för fakturering och åtkomst.

Authentication-related storage

When you sign in through the Amazon Cognito hosted UI we generate a PKCE verifier and, after the callback, store the resulting ID/access tokens. The storage happens only inside your device and never on our marketing site servers. The information below summarises the safeguards for each item.

When you use Google sign-in via Cognito, we also receive basic profile details (such as your email address) to create and maintain your account.

När du loggar in via Cognito skapar vi en PKCE-kod och sparar de tokens som behövs för att hålla dig inloggad. Allt lagras endast i din webbläsare.

Om du använder Google-inloggning via Cognito får vi även grundläggande profiluppgifter (t.ex. din e-postadress) för att skapa och administrera ditt konto.

PKCE verifier (`gx_pkce_verifier`)

Stored in both sessionStorage and localStorage so that an interrupted login can resume on refresh.
Purpose: generate the S256 challenge required by the OAuth 2.0 Authorization Code flow.
Lifetime: removed immediately after a successful token exchange or after you sign out; unused values expire when the browser session ends.
Lawful basis: performance of a contract (the login flow could not function without it).

Tokens (`gx_tokens`)

Stored only in localStorage inside the user’s browser.
Purpose: temporarily hold Cognito ID/access tokens so that account pages can call our APIs.
Lifetime: we keep tokens until their Cognito expiry (60 minutes for ID tokens, up to 24 hours for refresh tokens) or until you sign out, whichever happens first.
Lawful basis: performance of a contract and legitimate interest (maintaining a secure session).

Cookies and local storage overview

We do not set marketing cookies. The only browser storage we rely on is described below so that you can understand why it exists and delete it whenever you prefer.

Vi använder endast nödvändiga cookies och lokal lagring enligt tabellen nedan.

Storage items and lawful bases
Storage name	Type & lifetime	Purpose	Lawful basis
`gx_pkce_verifier`	Session + local storage; cleared once OAuth exchange completes.	PKCE challenge verifier for secure authentication.	Performance of a contract.
`gx_tokens`	Local storage; removed at logout or when Cognito expires the token (≤24h).	Stores Cognito ID/access tokens for signed-in requests.	Performance of a contract & legitimate interest.
`gx_locale`	Local storage; persists until you change language or clear storage.	Remembers the language you selected on the site.	Legitimate interest (providing a localized experience).
`gx_selected_coords`	Local storage on the map page; cleared when you choose a new area.	Keeps your last map selection while generating a report.	Legitimate interest.
`gx_cookie_consent`	Local storage; 12 months or until you revoke consent.	Records your consent choice for the cookie banner.	Consent.

Managing or revoking your consent

Use the Cookie settings button in the consent banner (or revisit this page) to open this section at any time. From there you can follow the steps below to reset your choices.

Open your browser’s site data controls or use the Cookie settings link to revisit the banner.
Delete the storage items listed above or clear the site data for gapxplorer.com.
Reload the page — the banner will reappear so you can choose again or stay logged out.

You can delete your account yourself from the My Account page when signed in. If you need help removing tokens, cannot log in, or want us to close your account on your behalf, email privacy@gapxplorer.com.

Du kan radera ditt konto själv via sidan My Account när du är inloggad. Om du behöver hjälp eller inte kan logga in, kontakta oss på privacy@gapxplorer.com så hjälper vi dig.

Account deletion and retention of invoices

If you no longer wish to use gapXplorer, you can delete your account at any time from the My Account page inside the signed-in dashboard. When you confirm deletion, we remove or anonymize your personal data in our operational systems as described below, and you are automatically signed out.

As part of the deletion process, your profile data, map files and other report-related content linked to your user ID are deleted from our main storage. Order records in our internal database are marked as belonging to a deleted user and stripped of directly identifying fields such as name, email, company details and contact information.

We are still required under the Swedish Accounting Act to retain invoice and transaction records for seven years. For this reason, a copy of your invoices is moved to a separate, access-restricted billing archive and kept there only for bookkeeping and audit purposes. Once the statutory period has passed, these records are deleted or irreversibly anonymised.

In practice this means that after account deletion:

You can no longer sign in or access your reports or dashboards.
Your profile and report data are removed from our active systems, except for data that must be kept to comply with law.
Invoice copies remain in an archive with strictly limited access and are not used for marketing or profiling.

If you cannot access your account but wish to request deletion, contact us at privacy@gapxplorer.com and we will help you verify your identity and handle the request.

När du raderar ditt konto tar vi bort din profil och dina rapporter från våra aktiva system. Vi sparar endast de fakturauppgifter som krävs enligt bokföringslagen (vanligen sju år), i ett separat och åtkomstbegränsat arkiv, och inte för marknadsföringsändamål.

Lawful basis overview

We rely on the following GDPR lawful bases depending on the action you take:

Performance of a contract: allowing you to sign in, redeem reports, access and manage your gapXplorer account, and process payments.
Legitimate interest: providing a localized experience, keeping map interactions intact between reloads, and ensuring basic product analytics and security.
Legal obligation: retaining invoices and transaction records for seven years to comply with the Swedish Accounting Act and other mandatory regulations.
Consent: storing the minimal cookie banner preference so that we respect your choice.

Your data rights

You may exercise the rights granted by the GDPR at any time by emailing contact@gapxplorer.com. You can also use the Delete my account option inside the app if you want to close your account yourself.

Access, correct, delete, restrict, or object to the processing of your personal data.
Request data portability for information you provided to us.
Withdraw consent for marketing or cookie preferences without affecting prior lawful processing.

We will respond within one month, or sooner when feasible, and explain any lawful exemptions that apply.

Cookies and analytics

Our site relies primarily on the functional storage described above. When we use analytics providers, they operate under data processing agreements and, if data leaves the EU/EEA, Standard Contractual Clauses approved by the European Commission. You can always disable cookies in your browser, though some interactive features might no longer work properly.

Du kan när som helst stänga av cookies i din webbläsare, men vissa funktioner kan då sluta fungera som tänkt.

Contact and complaints

For privacy-related questions, contact our data protection lead at privacy@gapxplorer.com or contact@gapxplorer.com.

If you believe your rights have been infringed, you may lodge a complaint with the Swedish Authority for Privacy Protection (IMY): https://www.imy.se.