Privacy Policy

Effective Date: March 1st, 2025.

• 1. Introduction

  Massive Dynamic Sweden (“MDS”), reg. no. 559239-0081 ("we," "our," "us") is the data controller for the processes described in this privacy policy. MDS is committed to protecting your privacy. The following privacy policy outlines how MDS processes your personal data according to the General Data Protection Regulation (EU 2016/679), (hereinafter “GDPR”), and other applicable data protection legislation, when you use KIOKU, our digital scenario-based learning platform for disaster and incident management.

• 2. Data We Collect

  When you use KIOKU, we may process the following personal data:

  • Account Information: First name, last name, email address, organization (if applicable), sector or occupation, and role at the company.
  • Log-in Credentials: Log in credentials are managed by a third-party provider, Clerk (see further below under 4).
  • Usage Data: Learning progress, scenario interactions, time spent in the activity, and feedback history.
  • Contact Details: Name, email address, and phone number.

• 3. How We Process Your Data

  We process your personal data for the following purposes and with the following legal basis in accordance with the GDPR:

  We process your Account Information for the purpose of creating your KIOKU account, in order to manage your account, and to provide you with access to KIOKU. The legal basis for the processing when creating your account is the use of a contract in accordance with article 6.1.b of the GDPR.

  We may also process your Account Information for the purpose of complying with legal obligations and regulatory requirements. The legal basis for such processing is in compliance with legal obligations that are in accordance with article 6.1.c GDPR.

  We process your Usage Data for the purpose of tracking and improving your learning. The legal basis for such processing is our interest in accordance with article 6.1.f GDPR. Our interest consists of giving you the best experience of KIOKU, which is considered to outweigh your interest in keeping your personal data processed.

  We process your Usage Data for the purpose of ensuring platform security and preventing unauthorized access to KIOKU. The legal basis for such processing is our legitimate interest in accordance with article 6.1.f GDPR. Our legitimate interest consists of keeping KIOKU and your account safe, which is considered to outweigh your interest in keeping your personal data processed.

  We process your Contact Details for the purpose of identifying and communicating with you if you contact us through our communication channels, such as for customer service issues. The legal basis for the processing is of legitimate interest in accordance with article 6.1.f GDPR. The processing is necessary to fulfil our legitimate interest in responding to your queries, requests and other remarks, which is considered to outweigh your interest in keeping your personal data processed.

• 4. Data Sharing and Third-Party Services

  We will never sell your personal data. However, we may share it with:

  • Service Providers: Hosting services and authentication systems to ensure the platform functions properly. The login credentials for your KIOKU account are managed by a third-party provider, Clerk. You can find more information regarding the processing of your login credentials in the privacy policy of Clerk
  • Legal Compliance: Authorities if required by law or in response to legal processes.
  • European research projects: Anonymized data may be shared with the NERO and ESCORT project for research purposes and to inform project reports. This data will not contain personally identifiable information and will be used solely for academic and scientific research.

  We take steps to ensure that adequate safeguards are in place at the recipient of the transfer to ensure your data protection rights continue to be protected as set out in this policy. If we transfer any personal data to a third country outside of the EU/EEA, the adequate safeguard measures include a determination by the European Commission that the country of the recipient has an adequate level of protection for personal data or that adequate contractual obligations are imposed on the recipient. Contractual obligations mean that we and the applicable recipient, the third party, have entered into an agreement on the transfer of personal data using the European Commission's standard contractual clauses. You can read the European Commission's standard contractual clauses here: https://eur lex.europa.eu/eli/decimpl/2021/914/oj.

  In countries outside of the EU/EEA, the GDPR does not apply, which may entail an increased risk in terms of privacy for your personal data, including the possibility for authorities in the third country to access your personal data and for opportunities to exercise control over the personal data. Data is only transferred to the US if the recipient is a member of the EU-US Data Privacy Framework.

• 5. Data Retention

  We retain your personal data as long as your account is active or has been in the past two years, or as required by law. You may request deletion of your data at any time.

• 6. User Rights

  Under the GDPR, you have several rights as a data subject. You have the following rights:

  • Right to information
    You have the right to be provided with accruate information concerning the processing of your personal data. You have the right to receive, free of charge, a copy of your personal data (Sw. “registerutdrag”).
  • Right to erasure
    Under certain conditions, you have the right to have your personal data erased. This applies, for example, if personal data no longer needs to be processed for the purpose for which it was collected. It also applies if you have objected to the processing of your personal data based on our legitimate interest in accordance with article 6.1.f GDPR (see under 3. above) and it turns out that there are no legitimate reasons that outweigh your interest in having your personal data protected. You also have the right to have your personal data erased if it has been processed unlawfully. If we are under a legal obligation to process the personal data, they will not be deleted even if one of the above situations applies. The personal data will also not be deleted if we need them to establish, exercise or defend legal claims.
  • Right to rectification
    We always strive to process personal data that is correct and complete. You have the right to demand that we rectify or complement the personal data that we process about you, if you consider the personal data to be incorrect, incomplete or misleading.
  • Right to limitation of processing
    You have the right to request the processing of your personal data to be limited in certain cases, for example if you believe that your personal data is inaccurate, and you have requested rectification of the data. While the matter is being investigated, you can also request that the processing of the data be limited. You can also request a limitation in cases where the processing of personal data is deemed to be unlawful, but you object to the erasure of the personal data. The processing of personal data may also be limited in cases where we no longer need the data, but you need it to establish, exercise or defend legal claims. Finally, you can request limitation of our processing when you have objected to processing based on the legal basis of legitimate interest in accordance with article 6.1.f GDPR; During which time we are working to verify whether our interest outweighs your interest in having your personal data protected. Where processing has been restricted under any of the above situations, we may only process the data for the establishment, exercise or defending of legal claims, for the protection of the rights of another person, or because you have given your consent, in addition to the storage itself.
  • Right to data portability
    You have the right to have your personal data transferred to another data controller under certain circumstances (so-called data portability). Data portability is applicable if we process your personal data based on the legal basis contract in accordance with article 6.1.b GDPR (see under 3. above). Data is only transferred if it is technically possible.
  • Right to object
    You have the right to object to our processing of your personal data if we do so based on the legal basis of legitimate interest (see under 3. above). If we cannot demonstrate compelling legitimate grounds to continue processing the data, we will cease the processing based on the legal basis of legitimate interest in accordance with article 6.1.f GDPR. However, we always have the right to continue processing the data for the establishment, exercise or defense of legal claims.

• 7. Complaints

  You have the right to complain to the Swedish Authority for Privacy Protection (IMY) if you believe that we are processing your data in violation of applicable data protection legislation. You can also read more about your rights on the website of the Swedish Authority for Privacy Protection: www.imy.se.

  You are always welcome to contact us with questions or comments regarding our personal data processing. Contact information is located under 10.

• 8. Security Measures

  We implement security measures to protect your data, including encryption, access controls, and secure storage practices. However, we encourage users to take precautions when sharing personal data online.

• 9. Changes to this Policy

  We may update this privacy policy from time to time, any changes will be communicated through the platform or via email. The latest version of the privacy policy can be found on this page and on our website.

• 10. Contact Information

  For any questions or requests regarding this privacy policy, please contact us at:
  Massive Dynamic Sweden AB.
  Frejgatan 16, 113 30. Stockholm.
  lab@massivedynamic.se