Privacy Policy

Last Updated: February 26, 2026

1. Data Controller Information

ICP Clarity is a Go-To-Market (GTM) intelligence consultancy helping Nordic B2B companies build data-backed Ideal Customer Profile (ICP) systems.

Data Controller (Personuppgiftsansvarig):

• Company Name: ICP Clarity
• Operating Entity: YNA AB
• Location: Stockholm, Sweden
• Swedish Organisation Number: 559508-0770
• Registered Address: Jakobsbergsgatan 24, 111 44 Stockholm, Sweden
• Responsible Person: Jahongir Mirzoev, Founder & Data Protection Contact

Contact for Privacy Inquiries:
Contact form will be available soon. For now, privacy inquiries can be submitted via our assessment form with "Privacy Request" in the message field.

Governing Law: This privacy policy is governed by Swedish law (Dataskyddslag 2018:218) and EU General Data Protection Regulation (GDPR).

2. What Personal Data We Collect

2.1 Information You Provide Directly

When you use our ICP Clarity Assessment tool, we collect:

Data Category	Specific Fields	Purpose
Contact Information	First name, last name, email address, phone number (optional), LinkedIn profile URL (optional)	To deliver your assessment results and follow up if you request consultation
Company Information	Company name, industry, company size, your role/title	To calculate your ICP Clarity Score and provide relevant insights
Assessment Responses	12 structured questions about your GTM strategy, ICP definition, data sources, segmentation, and activation	To score your ICP maturity and generate personalized recommendations

2.2 Information We Collect Automatically

When you visit our website, we collect minimal technical data:

• Access Logs: IP address (anonymized), browser type, device type, pages visited, time spent
• Cookies: Essential cookies only (session management, form progress tracking)

2.3 Information from Third Parties

We may enrich your company data using:

• Nordic Public Business Registries:
  • Allabolag.se (Sweden) - Company verification and firmographic data
  • Proff.no (Norway) - Company verification and firmographic data
  • Virk.dk (Denmark) - Company verification and firmographic data
• B2B Data Enrichment Providers:
  • Clearbit - Business email verification and company data
  • Hunter.io - Email validation
  • Apollo.io - Company and contact enrichment
• LinkedIn: If you provide your LinkedIn URL, we may view your public profile information to better understand your role and experience

Note: All third-party enrichment is limited to publicly available business information. We do not purchase consumer data or personal sensitive information.

3. How We Use Your Personal Data

3.1 Legal Basis for Processing

Under GDPR Article 6 and Swedish Dataskyddslag 2018:218, we process your data based on the following legal grounds:

Processing Activity	Legal Basis	GDPR Article	Explanation
Assessment Form Submission	Consent	Article 6(1)(a)	You explicitly agree by submitting the form
ICP Score Calculation	Legitimate Interest	Article 6(1)(f)	You requested the assessment; receiving results serves your interest
Data Enrichment (Clearbit, Hunter, Apollo, Nordic Registries)	Legitimate Interest	Article 6(1)(f)	To provide accurate, relevant insights; we use only publicly available business data
Storing Data in CRM (Airtable)	Contractual Necessity	Article 6(1)(b)	To manage our business relationship and provide requested services
Internal Notifications (Slack)	Legitimate Interest	Article 6(1)(f)	To respond promptly to your inquiry

3.2 Specific Purposes

We use your personal data to:

1. Deliver Assessment Results: Calculate your ICP Clarity Score and send personalized recommendations
2. Respond to Inquiries: Answer questions you submit via forms or assessment tool
3. Improve Our Services: Analyze aggregate assessment data to refine our scoring methodology (anonymized)
4. Business Operations: Manage customer relationships, invoicing, and service delivery if you become a client

We do NOT:

• ❌ Sell your personal data to third parties
• ❌ Use your data for advertising targeting
• ❌ Share your data with competitors or unrelated businesses
• ❌ Send marketing emails without your explicit consent

4. Data Sharing & Processors

4.1 Service Providers (Data Processors)

We share your data with the following trusted third-party processors to operate our services:

Service Provider	Purpose	Data Location	GDPR Safeguards
Make.com	Workflow automation - routes assessment data from website to Clay and Airtable	EU (Europe 2 endpoint)	EU-based processing, GDPR-compliant DPA
Clay.com	Data enrichment and ICP scoring automation	United States	Standard Contractual Clauses (SCCs), Data Processing Agreement
Airtable	CRM and customer data management	United States	Standard Contractual Clauses (SCCs), Data Processing Agreement
Netlify	Website hosting and content delivery	Global CDN (EU servers prioritized)	SOC 2 certified, GDPR-compliant hosting
Slack	Internal notifications when you submit assessment	United States / EU	Standard Contractual Clauses (SCCs)

4.2 Data Processing Agreements (DPA)

All processors listed above have signed Data Processing Agreements (DPAs) with ICP Clarity as required by GDPR Article 28. These agreements ensure processors:

• Process data only on our instructions
• Implement appropriate security measures
• Assist with data subject requests (your rights)
• Delete or return data when services end

4.3 No Data Selling or Advertising

We never sell, rent, or share your personal data with:

• Advertising networks
• Marketing agencies (beyond our own marketing, if you opt-in)
• Data brokers
• Third parties for their own marketing purposes

5. International Data Transfers

ICP Clarity is based in Stockholm, Sweden (EU), and we primarily process data within the European Economic Area (EEA). However, some of our service providers are located outside the EU/EEA, requiring international data transfers.

5.1 Transfers to the United States

The following processors may transfer your data to the United States:

• Clay.com - Data enrichment platform (US-based)
• Airtable - CRM database (US-based)
• Slack - Internal communication (US-based)
• Clearbit, Hunter, Apollo - Data enrichment APIs (US-based)

Legal Safeguards (GDPR Article 46):

All US-based processors have implemented Standard Contractual Clauses (SCCs) approved by the European Commission. These clauses provide equivalent data protection to EU law, even when data is processed in the US.

5.2 EU-Based Processing

The following services process your data within the EU:

• Make.com (Europe 2 endpoint) - Workflow automation stays in EU
• Netlify - Prioritizes EU servers for European visitors

5.3 Nordic Data Sources (No Transfer)

When we verify your company data using Allabolag (Sweden), Proff (Norway), or Virk (Denmark), this data remains within the Nordic region and EU/EEA.

5.4 Your Rights Regarding Transfers

If you have concerns about international data transfers, you have the right to:

• Request details about specific transfer mechanisms (SCCs, DPAs)
• Object to transfers and request EU-only processing (may limit service functionality)
• Lodge a complaint with IMY (Swedish Data Protection Authority)

6. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, in compliance with Swedish law:

Data Category	Retention Period	Legal Basis
Active Client Contracts	Duration of service + 7 years	Swedish Tax Law (Bokföringslagen 2010:1142) - accounting records must be kept 7 years
Assessment Users (Non-Clients)	2 years from last interaction	Legitimate interest to provide follow-up value; you can request earlier deletion
Transactional Emails/Records	1 year from completion	Business record-keeping and customer service
Aggregated/Anonymized Data	Indefinitely	No longer personal data once fully anonymized (GDPR Recital 26)

Early Deletion: You can request deletion of your data at any time (see Section 7 - Your Rights). We will honor your request except where we have a legal obligation to retain data (e.g., invoicing records for tax authorities).

7. Your Rights Under GDPR & Swedish Law

As a data subject in Sweden/EU, you have the following rights under GDPR (Articles 15-22) and Swedish Dataskyddslag 2018:218:

7.1 Right to Access (GDPR Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a clear, commonly used format (typically PDF or CSV).

Response Time: Within 30 calendar days (may extend to 60 days for complex requests, with notification).

7.2 Right to Rectification (GDPR Article 16)

You can correct inaccurate or incomplete data. Example: Update your email address, LinkedIn profile, or company information in our records.

7.3 Right to Erasure / "Right to be Forgotten" (GDPR Article 17)

You can request deletion of your personal data.

Limitations: We must retain financial records for 7 years if you're an invoiced client (Swedish tax law). We will delete all other data promptly.

7.4 Right to Restriction of Processing (GDPR Article 18)

You can ask us to limit how we use your data. Example: Keep your account active but stop sending any communications.

7.5 Right to Data Portability (GDPR Article 20)

You can receive your data in a machine-readable format (CSV or JSON) to transfer to another service.

What's Included: Contact info, assessment responses, ICP scores, any correspondence.

7.6 Right to Object (GDPR Article 21)

You can object to data processing based on legitimate interest (e.g., marketing, profiling, analytics).

How: Contact us via the method below with "OBJECT" in the subject line.

7.7 Right to Withdraw Consent (GDPR Article 7)

If processing is based on consent (e.g., marketing emails, cookies), you can withdraw consent at any time.

Effect: Withdrawal doesn't affect the lawfulness of processing before withdrawal.

7.8 Right to Lodge a Complaint (GDPR Article 77)

If you believe we've violated your privacy rights, you can file a complaint with the Swedish Data Protection Authority (see Section 9 for contact details).

7.9 How to Exercise Your Rights

Contact Method: Submit via our assessment form with "GDPR Request" in the message field, or wait for dedicated privacy contact form (coming soon).

Please Include:

• Your full name and email address
• The specific right you're requesting (e.g., "Right to Access," "Right to Erasure")
• Details about which data you're referring to (optional but helpful)
• Preferred response language (Swedish or English)

Response Time: We will respond within 30 calendar days. If your request is complex, we may extend by an additional 60 days (we'll notify you of any extension).

8. Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, loss, or misuse:

8.1 Technical Security

• Encryption in Transit: All data transmission uses SSL/TLS encryption (HTTPS)
• Secure Hosting: Netlify provides SOC 2 Type II certified infrastructure
• Access Controls: Limited access to personal data on a need-to-know basis
• Secure APIs: All integrations use authenticated, encrypted API connections

8.2 Organizational Security

• Data Minimization: We collect only what's necessary for stated purposes
• Processor Vetting: All third-party processors are GDPR-compliant with signed DPAs
• Incident Response: We have procedures to detect and respond to data breaches

8.3 Data Breach Notification

In the unlikely event of a personal data breach, we will:

1. Notify IMY (Swedish Data Protection Authority) within 72 hours if the breach poses a risk to your rights and freedoms (GDPR Article 33)
2. Notify affected individuals without undue delay if the breach poses a high risk to their rights (GDPR Article 34)
3. Document the breach and remediation actions taken

9. Contact Information & Your Rights

9.1 Contact ICP Clarity About Privacy

Questions, concerns, or GDPR requests? Contact us:

Privacy Contact: Dedicated privacy contact form coming soon. For now, use our assessment form with "Privacy Request" in the message field.
Company Address: Jakobsbergsgatan 24, 111 44 Stockholm, Sweden
Response Time: We aim to respond within 48 hours (maximum 30 calendar days for GDPR requests as required by law)

9.2 Swedish Data Protection Authority (IMY)

If you have concerns about how we handle your personal data, or if you believe your rights have been violated, you have the right to file a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
(Formerly Datainspektionen - Swedish Authority for Privacy Protection)

Website: www.imy.se
Email: imy@imy.se
Telephone: +46 8 657 61 00
Postal Address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden

9.3 EU Data Protection Authorities

If you're based in another EU country, you can also file a complaint with your national data protection authority. Find your authority at: edpb.europa.eu

10. Cookies & Tracking

10.1 Essential Cookies (No Consent Required)

Our website uses essential cookies required for basic functionality:

• Session Management: Maintains your session as you navigate the site
• Form Progress Tracking: Saves your assessment progress so you don't lose data if you refresh
• Security: CSRF protection and security tokens

Under Swedish ePrivacy Law (Elektronisk kommunikationslagen 2003:389), these cookies are exempt from consent requirements as they're strictly necessary for website functionality.

10.2 Analytics & Marketing Cookies (Not Yet Implemented)

10.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent the website from functioning properly.

Browser Instructions:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

11. Changes to This Privacy Policy

We may update this privacy policy to reflect:

• Changes in our services or data processing practices
• New legal or regulatory requirements
• Implementation of planned features (GA4, email marketing)
• Feedback from users or regulators

Notification of Changes:

• Material Changes: We will notify you via email (if we have your contact) or prominent website notice
• Minor Updates: "Last Updated" date at the top of this page will be changed
• Your Acceptance: Continued use of our services after changes constitutes acceptance. If you disagree, please discontinue use and request data deletion.

Version History: This is version 2.0 (February 26, 2026) - Rebuilt for legal accuracy and Swedish GDPR compliance.

12. Third-Party Links

Our website may contain links to third-party services:

• LinkedIn (for profile viewing)
• Calendly or similar (for booking consultations, when implemented)
• Nordic business registries (Allabolag, Proff, Virk)

Important: We are not responsible for the privacy practices of these third-party services. Please review their privacy policies separately.

13. Children's Privacy

Our services are intended exclusively for business professionals (B2B). We do not knowingly collect personal data from individuals under 16 years of age.

If we discover that we have inadvertently collected data from a child under 16, we will delete it immediately and notify the parent/guardian if contact information is available.