Blue Cromos AB – Service Privacy Policy
Effective date: 14 April 2026
Last updated: 21 April 2026
Company: Blue Cromos AB
Contact: support@bluecromos.se
1. Scope of This Privacy Policy
This Privacy Policy applies to the processing of personal data in connection with the use of:
Blue Cromos mobile applications
Blue Cromos web-based dashboard (the “Platform”)
This Privacy Policy does not apply to Blue Cromos’ public marketing website or to third‑party services that customers may integrate with the Platform.
2. Roles and Responsibilities
2.1 Data Processing Roles
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”):
Blue Cromos AB acts primarily as a data processor, processing personal data on behalf of its customers.
Customers act as data controllers, determining:
The purposes and means of processing
Which individuals may use the Platform
What data is collected and uploaded
How long data is retained
2.2 End Users
If you are an end user accessing the Platform through an organization (for example, an employee or contractor of a Blue Cromos customer), your organization is the data controller responsible for processing your personal data. Questions regarding your data should primarily be directed to that organization.
3. Categories of Personal Data Processed
Depending on customer configuration and use of the Platform, Blue Cromos may process the following categories of personal data:
3.1 User and Account Data
Email address
User identifier
Authentication and access information
Authentication and single sign‑on (SSO) may be handled via customer‑configured identity providers, including Authentik.
3.2 Device and Technical Data
Device type and model
Operating system
Application version
IP address
Technical identifiers generated by the Platform
3.3 Usage and Log Data
User interactions within the mobile app or dashboard
System logs and audit logs
Timestamps and operational metadata
Usage data is collected solely for platform operation, security, and improvement, and is analyzed internally by Blue Cromos. Log visualizations are not shared with customers unless contractually agreed.
3.4 Image and Image‑Related Data
Images captured or uploaded through the Platform
Associated metadata (such as timestamps and capture parameters)
3.5 Location Data
Approximate or precise location data
4. Purposes of Processing and Legal Bases
Blue Cromos processes personal data exclusively on documented instructions from its customers and for the following purposes:
Providing, operating, and maintaining the Platform
Authenticating users and managing access
Processing images and related data using AI and computer vision systems
Generating and storing authentication labels within the dashboard
Ensuring platform security, integrity, and availability
Detecting, preventing, and investigating misuse or technical issues
Complying with applicable legal obligations
Under the GDPR, processing is based on the following legal bases, as determined by the data controller:
Performance of a contract
Legitimate interests (e.g., security and service improvement)
Compliance with legal obligations
Blue Cromos does not process personal data for unrelated or independent purposes.
5. Automated Processing and AI Use
The Platform performs automated analysis of images and related metadata to generate authentication scores and technical outputs.
These outputs are provided to and controlled by the customer.
No automated decision‑making with legal or similarly significant effects on individuals is performed by Blue Cromos within the meaning of GDPR Article 22.
6. Customer Responsibilities
Customers are responsible for:
Determining the lawful basis for processing personal data
Informing end users about data processing
Obtaining any required consents or approvals
Configuring retention periods and access controls
Ensuring that uploaded content complies with applicable laws
Blue Cromos does not routinely monitor or review uploaded content.
7. Sensitive Personal Data
The Platform is not designed to process special categories of personal data (e.g. health data, biometric identifiers under Article 9 GDPR).
Due to the nature of image capture, sensitive data may incidentally appear in uploaded images. Customers are responsible for ensuring that such processing is lawful and necessary.
8. Data Sharing and Sub‑Processors
8.1 Sub‑Processors
Blue Cromos uses carefully selected sub‑processors to support the Platform, including:
Microsoft Azure (cloud infrastructure, storage, security, monitoring)
Microsoft services supporting platform operations
Authentik (authentication and SSO, when enabled)
All sub‑processors are contractually bound to process personal data only on Blue Cromos’ instructions and in compliance with data protection laws.
8.2 No Sale of Personal Data
Blue Cromos does not sell personal data. We do not knowingly share personal data for monetary or advertising purposes.
9. International Data Processing
All personal data processed by Blue Cromos is stored and processed within the European Economic Area (EEA).
At this time, Blue Cromos does not rely on Standard Contractual Clauses (SCCs) or other international transfer mechanisms, as processing does not take place outside the EEA.
10. Data Retention
Personal data is retained only for as long as necessary to:
Provide the Platform
Fulfill contractual obligations
Comply with legal requirements
Unless otherwise agreed, all customer data is deleted upon contract termination, subject to any legally required retention periods.
Retention configuration may be controlled by the customer.
11. Data Security
Blue Cromos implements appropriate technical and organizational measures to protect personal data, including:
Access controls and authentication
Encryption in transit and at rest where applicable
Logging and monitoring
Secure cloud infrastructure
No system can be guaranteed to be completely secure, but we continuously improve our safeguards.
12. Data Subject Rights
Depending on your location, you may have rights including:
Access to personal data
Rectification of inaccurate data
Deletion of personal data
Restriction or objection to processing
Data portability
Processor notice
As Blue Cromos acts as a data processor, requests to exercise these rights should be directed to the relevant customer (data controller). Blue Cromos assists its customers in fulfilling such requests in accordance with the applicable Data Processing Agreement.
13. Rights of U.S. Residents
Where applicable under U.S. state privacy laws (such as CCPA/CPRA), individuals may have additional rights, including rights to access, delete, and opt out of certain data sharing.
Requests should be made via the relevant customer acting as controller.
14. Children’s Data
The Platform is not intended for individuals under the age of 18. Blue Cromos does not knowingly process personal data of minors.
15. Supervisory Authority Complaints
If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your personal data has been processed unlawfully.
16. Data Protection Contact
For questions regarding this Privacy Policy or data protection matters:
Blue Cromos intends to appoint a Data Protection Officer (DPO) if and when required and will update this policy accordingly.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version will always be available within the Platform and indicated by the effective date above.