Last updated: 2026-06-27
For municipal IT-security managers and procurement officers: see also Security page for technical security information (encryption, secrets management, incident response, compliance status).
For municipal procurement officers: see also Data protection and subprocessors for operational GDPR detail (subprocessor list, retention per collection, DPIA-light), and the DPA template for a data processing agreement.
Data controller
Data controller: Skolspegeln AB (org. no. 559359-7288). Contact person: Markus Reimer. Contact: info@skolkoll.se
What data do we collect?
User accounts
If you create an account on Skolkoll, we store the following in our database (Firebase/Firestore — see Data protection and subprocessors for the current database regions):
- Email address and display name — for login and identification in the portal.
- Login method — which social login (Google, Microsoft, GitHub, Facebook or Apple) or email/password you use.
- Organisation membership — if you belong to an organisation, we store which organisation and your role (administrator/user).
- Timestamps — when the account was created.
Legal basis: Contract (GDPR Art. 6(1)(b)) — the data is necessary to provide the service.
Retention: Data is stored for as long as the account exists. When an account is deleted, your personal data is removed from our database.
Organisation data
If you create or join an organisation, the following may be stored:
- Organisation name and registration number — public information for identification.
- Billing details — contact person, phone, address, email and reference/PO number for invoicing.
- Customer number (SK-NNNNN) — system-generated for invoice management.
Legal basis: Contract (GDPR Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) — necessary for contract management and invoicing.
Payments
Payments are handled by Stripe. We do not store card details — these are handled entirely by Stripe in accordance with PCI DSS. We store transaction IDs and payment status to link payments to the correct organisation.
Retention: Payment history is stored for 7 years in accordance with Swedish bookkeeping legislation (BFL).
API access
API keys are handled only for agreed pilot cases, not as public self-service. If a pilot is activated, we store:
- SHA-256 hash of the API key — the full key is shown only at creation time and is never stored in plaintext on our server.
- Label, organisation ID and the user who created the key — so administrators can identify the key in the organisation's API view.
- Monthly usage counters (
apiQuota/{orgId}/months/{YYYY-MM}) — request count (count) and the organisation's configured monthly quota (quota).
Legal basis: Contract (GDPR Art. 6(1)(b)). Usage counters are retained for 13 months for billing reconciliation (Art. 6(1)(c)).
Webhook subscriptions
Pro organisations can register webhook subscriptions to receive events in real time. We store:
- Webhook URL — the address that events are delivered to. Only HTTPS URLs with a public host are accepted (private IP literals and userinfo are blocked at registration).
- Encrypted signing secret (
secretEnc) — an AES-256-GCM-encrypted envelope. The plaintext version is returned to the customer once at creation and never stored on our server. The secret is used by the customer to verify webhook signatures. - Configuration and delivery status — which event types trigger delivery, an optional description (200 characters max), enabled/paused status, and the time and result of the most recent delivery.
Server logs record only the webhook hostname, not the full URL — because subscription URLs often carry tokens in path or query segments.
Legal basis: Contract (GDPR Art. 6(1)(b)) — webhook delivery is part of the Pro service.
Error monitoring
We use Sentry (EU-region ingestion, Germany) to detect and fix technical errors. Sentry may collect:
- Error messages and stack traces. We configure Sentry not to associate errors with a signed-in user, but in exceptional cases a stack trace may contain data from form fields that were active when the error occurred.
- Browser, operating system and IP address. The IP address is anonymised shortly after receipt (Sentry's IP scrubbing); the full IP address is not stored permanently.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — necessary to maintain the service's functionality.
Journalist data orders
If you submit a data order through the journalist form, we store the details you provide: outlet/newsroom, beat, name, email address, order message, language, consent version and timestamp. The form posts to our own server and is first stored in the Firestore collection journalist_orders in the EU region.
When the Zoho intake has been approved and explicitly enabled, the same order may create a Zoho Desk ticket of type Databeställning with internal triage tags and a private quality/neutrality comment (risk class and flags for signals such as prompt injection or AcadeMedia relevance). A minimal Zoho CRM contact may also be created to manage the relationship and order status. We do not use this data for newsletters, Campaigns sends or other marketing without separate consent/provenance.
Legal basis: consent (GDPR Art. 6(1)(a)) to store and contact you through the form; handling your order — performance of a request where applicable; and legitimate interest in answering and delivering journalist data orders.
Retention: the Firestore record is targeted for deletion 180 days from submission via the purgeAfter field and Firestore TTL when the policy is active. Orders unresolved after 180 days require documented approval and have a hard cap of 12 months. Zoho Desk tickets are deleted no later than 12 months after closure and order-specific CRM status/description is removed when no longer needed.
Cookies and analytics
If you consent via our consent banner, we use Google Analytics 4 and Zoho PageSense for visitor statistics, A/B testing and site improvement. These tools collect:
- Which pages are visited and for how long
- Device type, browser, screen size and approximate geographic location
- Page interactions such as clicks, scrolling, heatmaps, session recording and experiment variant when PageSense tests are active on public pages
GA4 automatically anonymises IP addresses at collection — your full IP address is not stored by Google. Zoho PageSense is loaded from Zoho's EU CDN and uses cookies or similar technologies to connect visits, experiment variants and goal conversions. Skolkoll does not sell visitor data and does not share analytics data with third parties beyond Google and Zoho in their role as data processors. Google and Zoho may process data under their own terms — see Google's privacy policy and Zoho's privacy policy.
Retention period: GA4 data is stored for 14 months and then automatically deleted by Google. PageSense data is stored according to the selected Zoho PageSense plan, currently 1, 6 or 12 months, and Skolkoll does not use PageSense data for longer than 12 months. See also Zoho's plan-based retention.
If you choose "Only necessary" in the consent banner, Google Analytics and Zoho PageSense are not loaded at all.
Third-country transfers
Google Analytics may involve data being transferred to and processed in the USA. Google applies EU Standard Contractual Clauses (SCC) as the legal basis for such transfers. More information is available in Google's privacy policy.
Zoho PageSense is operated by Zoho. We use the EU script (cdn-eu.pagesense.io) and treat PageSense as an analytics subprocessor that is activated only after consent. Zoho provides a DPA/SCCs for GDPR-regulated processing.
Zoho Desk and Zoho CRM are used server-side for support and approved journalist data orders through Zoho's EU endpoints (desk.zoho.eu and www.zohoapis.eu). Zoho provides DPA/SCCs for GDPR-regulated processing.
Resend (email provider for school watching) is a US-based company and may process email addresses in the USA. Resend applies EU Standard Contractual Clauses (SCC).
Stripe (payment provider for Pro services) is a US-based company. Card details are handled entirely by Stripe in accordance with PCI DSS. Stripe applies EU Standard Contractual Clauses (SCC). More information in Stripe's privacy policy.
Sentry (error monitoring) is operated by Functional Software, Inc. (USA). We use Sentry's EU region (ingestion in Germany) so that error reports are stored within the EU/EEA. Sentry may receive technical error information (stack trace, browser info, IP address that is anonymised shortly after receipt). EU Standard Contractual Clauses (SCC) apply for any support or administrative access by Sentry's US team.
Anthropic (AI assistant) is a US-based company. Chat messages sent via Kollen are processed by Anthropic to generate responses. Anthropic applies EU Standard Contractual Clauses (SCC). Processing is governed by Anthropic's Data Processing Agreement (DPA) included in their API terms of service. Anthropic may retain message content for up to 30 days for trust and safety purposes, in accordance with their API terms. Messages are not permanently stored by Skolkoll. More information in Anthropic's privacy policy.
OpenAI (image stylisation) is a US-based company. If you voluntarily submit a photo of a school for stylisation, the image may be processed by OpenAI. OpenAI applies EU Standard Contractual Clauses (SCC).
Social login providers — if you sign in with Google, Microsoft, GitHub, Facebook or Apple, authentication is handled by the respective provider, all of which are US-based companies. Only the information you approve (typically name and email address) is received. Transfer to the USA is supported by EU Standard Contractual Clauses (SCC).
Other third-party services (Nominatim, ResRobot, JobEd Connect, Skolverket API) process data within the EU/EEA. Leaflet and D3.js are served locally from our own server. Firebase authentication loads client scripts from Google's CDN (gstatic.com); these CDN servers may be located outside the EU.
Email for school watching
If you choose to watch a school, you provide your email address. The following is stored in our database (Firestore):
- Email address — used to send notifications. Deleted when you unsubscribe.
- SHA-256 hash of your email — used to look up your existing watches without exposing your email in database queries.
- School unit code and name — which school you are watching.
- Timestamps — when the watch was created, confirmed and last notified.
Legal basis: Consent (GDPR Art. 6(1)(a)) via double opt-in. You confirm your watch through a link sent to your email.
Retention: Your data is stored for as long as the watch is active. If you unsubscribe via the link in any notification email, the watch is marked inactive and your email address is deleted.
What triggers notifications: You receive an email when merit score changes by more than 5 points, gymnasium eligibility changes by more than 5 percentage points, pupil count changes by more than 20%, or the School Inspectorate issues a new decision about the school.
How to unsubscribe: Every notification email contains an unsubscribe link. You can also contact us at info@skolkoll.se.
Local storage (localStorage)
The following data may be stored locally in your browser:
- Consent (
skolkoll_consent) — your choice in the consent banner (accepted/declined) - Home address (
skolnav_home_location) — if you use the commuting feature, coordinates for your home address are stored locally. When you calculate travel times, the coordinates may be sent to ResRobot via our server as the start point for the trip suggestion. You can delete this by clearing the field in settings or clearing your browser's local storage. - Paywall attribution (
skolkoll_paywall_ab_v1) — if you have accepted analytics consent, we store which paywall variant you saw so we can measure conversion between school-page CTAs and trial starts in analytics events. Click attribution (skolkoll_paywall_last_click) is stored only in sessionStorage and cleared when the browser session ends.
The AI chat also stores conversation and consent in sessionStorage (automatically deleted when the browser tab is closed): skolkoll_ai_consent, skolkoll_ai_chat, skolkoll_ai_context. Paywall click attribution is also stored in sessionStorage under skolkoll_paywall_last_click after accepted analytics consent.
AI assistant (Kollen)
Kollen is not specifically directed at children under 13.
Skolkoll offers an AI-powered chat ("Kollen") that answers questions about school statistics. If you choose to use Kollen, the following applies:
- Consent — the first time you open the chat, a consent prompt is displayed. Consent is stored in
sessionStorageand applies to the current browser session. - Message processing — your chat messages are sent to Anthropic (USA) via their Claude API to generate responses. Messages are not permanently stored by Skolkoll — they are forwarded in real time and only temporarily stored during your session in the browser's
sessionStorage. - Screening — each question is first sent to Anthropic's Claude Haiku model for relevance classification (on-topic/off-topic). Irrelevant questions are filtered out without being answered.
- Audit log — for each AI call, pseudonymised entries are written to the
ai-audit-logcollection: SHA-256 hash of your IP address (16 characters, not the full IP), length of the question and response (not content), school context code, status and timestamp. Each entry is tagged at write time withexpiresAt = now + 90 daysso it can be deleted by Firestore's TTL mechanism when the TTL policy is active. TTL deletion is asynchronous after expiry and is not guaranteed exactly on day 90. You can request immediate deletion via info@skolkoll.se. - Rate limiting — a hash of your IP address is stored for 48 hours for the daily limit (a limited number of questions per day), and for up to 2 hours for short-term burst limiting (max requests per hour).
Legal basis: Consent (GDPR Art. 6(1)(a)) — you accept the terms before using the chat. The consent prompt informs you of your right to withdraw consent.
Data processor: Anthropic PBC (San Francisco, USA) — the AI model that generates responses. Anthropic processes messages as a sub-processor. Transfer to the USA is supported by EU Standard Contractual Clauses (SCC).
Withdraw consent: Close the browser tab to delete session consent. You can also click "Withdraw AI consent" in the chat to immediately revoke consent.
Third-party services
The following tables separate browser-loaded services from server-side processors used in specific situations:
Browser-loaded and direct feature services
| Service | When | Data sent |
|---|---|---|
| Google Analytics 4 | Page view (requires consent) | Anonymised IP, page views, device info |
| Zoho PageSense | Page views, experiments, heatmaps and session recording on public pages (requires consent) | Page views, clicks/scrolling, heatmap and session-recording interactions, experiment variant, device and browser info |
| Nominatim (OpenStreetMap) | "Near me" or home address | Your address query for geocoding |
| JobEd Connect (JobTech) | Career tab in school view | Education text for occupational matching |
| Skolverket API | School view (surveys, documents) | School unit code (no personal data) |
| Google CDN (gstatic.com) | Login (Firebase authentication) | IP address when downloading login scripts |
| Stripe | Payment for Pro services | Email, organisation name, card details (handled by Stripe) |
| Sentry (EU region, Germany) | Automatically on technical errors | Error messages and stack traces, browser info, IP address (anonymised by Sentry shortly after receipt) |
Server-side processors
The following services receive data only via our servers when you use the relevant feature or after approved activation:
| Service | When | Data sent |
|---|---|---|
| ResRobot (Trafiklab) | Commuting tab in school view | Coordinates for start/destination |
| Resend | School watching (confirmation and notification emails) | Email address |
| Firebase / Google Cloud | User accounts and database | Account data, organisation data (EU region) |
| Anthropic (Claude API) | AI chat (Kollen) — requires consent | Chat messages, school context |
| OpenAI | Stylisation of voluntarily submitted school photos | Submitted school image |
| Zoho Desk | Support tickets and journalist data orders after approved activation | Name, email, outlet/newsroom, beat, order content, consent metadata, internal triage tags and private quality/neutrality comment |
| Zoho CRM | Minimal contact record for journalist data orders after approved activation | Name, email, outlet/newsroom, beat, source and order status |
Nominatim, ResRobot and JobEd Connect are contacted only when you actively use a feature that requires them — they are never loaded automatically.
Fonts
We use the typefaces Literata and Sora, which are self-hosted on our server. No requests are sent to Google Fonts or other font providers. The Leaflet map library is served locally from our server. Firebase authentication does load client scripts from Google's CDN (gstatic.com), see the table above.
School data and public information
All school data shown on Skolkoll is public information from Skolverket, SCB, Bolagsverket and Skolinspektionen.
Personal data about school staff
In a school's detail view, the following personal data may be displayed:
- Principal's name — from Skolverket's public school unit register
- School contact details (email and phone number) — fetched in real time from Skolverket's API and not stored by Skolkoll
The principal's name is public information published by Skolverket in their school unit register. Our legal basis for displaying this is legitimate interest (GDPR Art. 6(1)(f)) — the information is already publicly available and there is a public interest in transparency regarding school leadership.
We publish no personal data about pupils, teachers or other school staff beyond the above.
Balancing test
We have conducted a balancing test under GDPR Art. 6(1)(f):
- Legitimate interest: The public's interest in transparency about who leads publicly funded schools
- Source: Data is obtained exclusively from Skolverket's open API — we do not collect data independently
- Limitation: Only the principal's name is displayed. We do not publish personal contact details, home address or other private information about school staff
- Right to object: If you are a named principal and object to your name being displayed, email us at info@skolkoll.se and we will remove it for your school within 14 days (the GDPR requirement is 30 days under Art. 12(3))
- Only the current principal is published: We display only the principal currently registered in Skolverket's school unit register — historical principal names for previous holders are not stored in published views
Embeddable widgets
Skolkoll offers embeddable widgets (/widget/skola/{slug}/ and /widget/kommun/{slug}/) that can be used on external websites. We do not restrict which domains may embed them — they are openly available and designed to support transparency around school data.
Attribution is preserved through the widget footer, which links back to Skolkoll. If you observe misuse (e.g. phishing sites embedding our widgets to gain credibility), contact us at info@skolkoll.se and we will assess the need for additional measures.
Your rights
Under GDPR, you have the right to:
- Decline consent — choose "Only necessary" in the consent banner
- Withdraw consent — go to Settings and click "Revoke cookie consent", or clear your browser's local storage. For the AI chat: click "Withdraw AI consent" in the chat window, or close the browser tab.
- Delete data — you can delete your account under account settings. All personal data (profile, memberships, watches) will be deleted. Organisation data and billing history are retained if other members remain. Locally stored data (home address, consent and paywall attribution) is deleted by clearing your browser's localStorage. AI chat data (conversation) and paywall click attribution in sessionStorage are deleted when you close the browser tab. AI audit log entries are tagged with
expiresAtfor a 90-day TTL and removed asynchronously by Firestore's TTL mechanism when the policy is active (see Data protection and subprocessors for operational status). - Object to processing — if you are a named principal and do not want your name displayed, email info@skolkoll.se and we will remove it within 14 days (the GDPR requirement is 30 days) per our documented personal-data removal routine
- Right of access — you have the right to request a copy of your personal data. Contact us at info@skolkoll.se
- Data portability — you have the right to receive your personal data in a structured, machine-readable format
- Restrict processing — you have the right to request restriction of processing of your personal data under certain circumstances
- Lodge a complaint — you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se
Changes
We may update this policy as needed. The latest version is always available on this page.