Privacy Policy
Last updated: 2026-06-10
1. Data controller
The data controller is Hieratek AB (org.nr 559580-3429).
Contact:
Email: [email protected]
Website: bokalk.se
2. What data is collected?
Currently (before the app has launched), we only collect email addresses voluntarily submitted via the "Get notified at launch" form on bokalk.se. No other personal data is collected.
3. Purpose
The email address is used solely to notify you when BoKalk launches. Your email is not used for marketing or other purposes without new and separate consent.
4. Legal basis
Processing is based on your consent (GDPR Art. 6.1 a), given when you submit the form.
5. Storage
Email addresses are stored in Cloudflare KV (Cloudflare, Inc., USA). Cloudflare applies the EU Standard Contractual Clauses (SCC) for data transfers and does not process the data for marketing purposes. More information: cloudflare.com/privacypolicy.
For automated messages (e.g. registration confirmation and launch notification), we use Resend (Resend, Inc., USA). Resend processes your email address solely in connection with message delivery. Resend applies the EU Standard Contractual Clauses (SCC) and is certified under the EU-US Data Privacy Framework. More information: resend.com/legal/dpa.
Data is deleted upon request, or no later than 6 months after BoKalk has launched.
6. Sharing with third parties
We do not share your email address with any third parties beyond Cloudflare (infrastructure provider) and Resend (email delivery provider for automated messages).
7. Your rights
You have the right to:
- Access — know what data we process about you
- Rectification — correct inaccurate data
- Erasure — request that we delete your email address
- Withdraw consent — at any time, without affecting the lawfulness of processing carried out prior to withdrawal
Contact us at [email protected] to exercise these rights. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the supervisory authority: Integritetsskyddsmyndigheten (IMY), www.imy.se.
8. Cookies and tracking
The website (bokalk.se) does not use cookies and does not store any information on your device between visits. We collect anonymous visitor statistics (page views, referrer sources) via TelemetryDeck (TelemetryDeck GmbH, Germany).
- No cookies are used.
- No data is permanently stored on your device.
- No IP addresses are logged.
- Individual users cannot be identified — each visit is assigned a random, temporary ID that disappears when you close the tab.
- All data is stored within the EU (Germany).
During an active visit, the website uses temporary session storage so that forms function correctly (e.g. which page you came from). This information is automatically deleted when you close the browser tab.
The legal basis for the anonymous statistics is legitimate interest (GDPR Art. 6.1 f) — we need to understand how the website is used in order to improve it. Since no personal data is processed and no information is permanently stored on your device, no consent is required under the ePrivacy Directive.
More info: telemetrydeck.com/privacy.
9. Changes to this policy
We may update this privacy policy. The current version is always available on this page.
Questions? Contact us at [email protected].
The app has not launched yet. This policy describes how we plan to handle your data and will be updated at launch.
1. Data controller
The data controller is Hieratek AB (org.nr 559580-3429).
Contact:
Email: [email protected]
Website: bokalk.se
2. What data is collected?
2.1 Account information
When registering, you sign in with your Google or Apple account. We do not collect personal identity numbers or bank details.
2.2 User-generated content
The app stores the properties and calculations you create, including details about price, fees, size, and household finances that you enter yourself.
2.3 Anonymous usage statistics
We collect anonymous usage statistics via TelemetryDeck. No personal data is included. You can turn this off under Settings in the app.
3. Purpose
Your data is used to:
- Provide the service — calculate housing costs, save your properties, and synchronize between devices.
- Manage subscriptions — administer your account and any payments.
- Improve the service — through anonymous, aggregated usage statistics.
We do not use your data for marketing, profiling, or automated decision-making.
4. Legal basis
| Processing | Legal basis |
|---|---|
| Providing the service (account, calculations, synchronization) | Performance of a contract (GDPR Art. 6.1 b) |
| Subscription management | Performance of a contract (GDPR Art. 6.1 b) |
| Anonymous usage statistics | Legitimate interest (GDPR Art. 6.1 f) — see section 4.2 |
| Push notifications (interest rate changes, reference values) | Consent (GDPR Art. 6.1 a) |
| AI processing of third-party data in uploaded documents | Legitimate interest (GDPR Art. 6.1 f) — see section 4.1 |
4.1 Balancing test — third-party data in uploaded documents
Documents uploaded by users to BoKalk's AI services may contain names of individuals. We do not extract or store these names — they only pass through Google Vertex AI during processing. Informing each affected individual would require disproportionate effort (Article 14.5 b GDPR), since we lack contact details, the names are not stored, and the information is very likely already public.
4.2 Balancing test — anonymous usage statistics
We use TelemetryDeck (TelemetryDeck GmbH, Germany) to collect aggregated, anonymous usage statistics — for example which features are used most and where users abandon a flow.
Our legitimate interest: Understanding how the app is used in order to improve functionality, fix problems, and prioritize development.
Why the intrusion on the data subject's privacy is limited:
- No cookies or local tracking are used.
- No IP addresses are logged.
- No device IDs, advertising IDs, or personal data are collected.
- Users are identified by a double hash that neither we nor TelemetryDeck can link to an individual.
- All data is stored within the EU (Germany).
- Data is not shared with third parties for other purposes.
Opt-out: You can turn off anonymous statistics at any time under Settings > Data & Analytics in the app. The change takes effect immediately.
5. Storage and sub-processors
Your data is processed by the following sub-processors:
| Sub-processor | Purpose | Location | Link |
|---|---|---|---|
| Firebase/Google Cloud | Account management and data storage | EU (Finland) | Privacy policy |
| RevenueCat | Subscription management (App Store/Google Play receipts, not calculations) | USA | Privacy policy |
| TelemetryDeck | Anonymous usage statistics (no cookies, no PII) | EU (Germany) | Privacy policy |
| Google Vertex AI | AI import of property information | EU (Belgium) | Terms |
5.1 Transfers to third countries
Personal data is transferred to third countries (outside the EU/EEA) in the following cases:
- RevenueCat (USA) — subscription receipts are transferred with support from the European Commission's Standard Contractual Clauses (SCC) pursuant to GDPR Art. 46.2 c. RevenueCat is also covered by the EU-US Data Privacy Framework.
- Google Cloud (Firebase & Vertex AI) — data is stored and processed in the EU (europe-north1, Finland and europe-west1, Belgium), but Google's parent company is American and is also subject to US law. Transfers are protected by Google's Cloud Data Processing Addendum with SCC (Art. 46.2 c) and the EU-US Data Privacy Framework.
5.2 AI services
BoKalk uses Google Vertex AI (region europe-west1, Belgium) for automatic extraction of data from documents users upload. Google acts as a data processor pursuant to Google's Cloud Data Processing Addendum. All AI processing takes place within the EU. Data sent to the API is not used for training AI models.
Any personal identity numbers (personnummer) that may appear in uploaded documents are technically removed before transfer. Individual personal names are not extracted and are not stored.
Images and documents you upload are processed by Google Vertex AI and deleted from BoKalk's servers immediately. Google's own data retention rules apply to processing via their API.
5.3 Logging of AI calls
We log metadata about AI calls (timestamp, function name, success/failure) linked to your user ID for debugging and quota management. These logs are automatically deleted after 90 days. When an account is deleted, all logs are deleted immediately.
6. Retention periods
| Data | Retention period |
|---|---|
| Account and calculations | As long as the account is active |
| AI call logs | 90 days, or immediately upon account deletion |
| Bug reports (submitted via the app) | Until the issue is resolved, then deleted. Reports are anonymous by default; contact details are provided voluntarily. |
| Household invitations | Until accepted, declined, or expired (7 days) |
| Anonymous statistics | Aggregated, cannot be linked to an individual |
| Accounting-related data (e.g. subscription receipts) | 7 years pursuant to the Swedish Bookkeeping Act (1999:1078) |
Upon account deletion, all personal data is deleted or anonymized within 30 days, except for data we are legally required to retain.
6.1 Backups
Deleted data may remain in encrypted backups until the next backup cycle has completed. Backups are not used to restore deleted personal data. Backups are stored encrypted within the EU (Google multi-region storage) and are automatically deleted after 30 days. In the event of a restore from backup, data belonging to deleted accounts is automatically deleted again.
7. Sharing with third parties
We never sell your data. Data is only shared with the sub-processors in section 5 to the extent required to provide the service. We disclose data to authorities if we are legally required to do so.
If you invite a partner, you share a household profile and joint properties — your partner sees the same data as you.
8. Security
We implement technical and organizational measures to protect your personal data against unauthorized access, loss, and misuse. Data is stored encrypted in Firebase/Google Cloud. Communication is encrypted via TLS. We continuously update our security measures as new technologies and risks emerge.
9. Push notifications
BoKalk can send push notifications about interest rate changes and updated reference values. Notifications are only sent if you have explicitly consented via the operating system's permission dialog (consent pursuant to GDPR Art. 6.1 a). You can turn off push notifications at any time in the app's settings or in your device's system settings.
10. Local storage on your device
The app stores certain data locally on your device (outside Firebase):
- Settings — your preferences (e.g. theme, statistics consent) are saved in the device's local storage (SharedPreferences/NSUserDefaults).
- Cache — global reference values are cached locally so the app works offline.
Locally stored data is automatically deleted if you uninstall the app. It is not synchronized with our servers.
11. App permissions
BoKalk requests a small number of permissions from the operating system. Each permission is used solely for the purpose described below and is requested only when the feature requiring it is used for the first time.
| Permission | Platform | Purpose |
|---|---|---|
| Camera | Android, iOS | Scan QR codes to accept household invitations and import shared properties. Photograph property listings and prospectuses for AI import of property information. |
| Photo library | Android, iOS | Upload images of property listings and prospectuses for AI import of property information. |
| Internet | Android, iOS, web | Communicate with Firebase (account management, data synchronization) and other sub-processors in section 5. |
| Push notifications | Android, iOS | Receive notifications about interest rate changes and updated reference values (see section 9). |
| File access | Android (older versions) | Save exported PDF files and retrieve documents for AI import. This permission applies to Android 12 and older; newer versions handle this automatically. |
The app also receives shared images from other apps (e.g. screenshots of property listings) for AI import. This feature does not require a separate permission.
12. Automated decisions
BoKalk does not make automated decisions that have legal effects or similarly significant impact on you (GDPR Art. 22). KALP calculations (affordability assessment), pre-approval indicators, and interest rate suggestions are informational tools and do not replace the assessment of a bank or financial advisor.
13. Minors
BoKalk is intended for users aged 16 or older. If you are under 16, you may not create an account without the involvement of a guardian.
14. Your rights
Under the GDPR, you have the following rights:
- Access (Art. 15) — know what data we process about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request that we delete your account and all associated data.
- Restriction (Art. 18) — request that we restrict the processing of your data.
- Data portability (Art. 20) — export your calculations in a machine-readable format (JSON). An export function is available under Settings in the app.
- Objection (Art. 21) — object to processing based on legitimate interest. You can turn off anonymous statistics at any time under Settings > Data & Analytics.
- Withdraw consent (Art. 7.3) — for consent-based processing (e.g. push notifications), at any time without affecting the lawfulness of prior processing.
The app includes a function to export all your data. Contact us at [email protected] to exercise these rights. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the supervisory authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, www.imy.se.
15. Cookies and tracking
The app does not use cookies.
16. Changes to this policy
We may update this privacy policy. For material changes, we will notify you in the app. The current version is always available on this page.
Questions? Contact us at [email protected].