Privacy Policy

Effective date: March 2025

1. Who We Are

gridmap is operated by Big Ant AB (Stormyran), a company registered in Sweden. We are the data controller for the personal data processed through the Service.

Big Ant AB (Stormyran)

Email: info@stormyran.se

Website: stormyran.se

2. What Data We Collect

We collect the following categories of data:

Account Information

  • Name and email address
  • Organization name (if applicable)
  • Authentication credentials (passwords are hashed, never stored in plain text)
  • SSO identity data (if you sign in via Microsoft Entra ID or Google Workspace)

Usage Data

  • Actions performed within the Service (e.g., creating mappings, running syncs)
  • API usage and request logs
  • Feature interaction data for service improvement

Data You Upload

  • Mapping data, registry data, and reference data you create or import
  • Database connection details (credentials are encrypted at rest)
  • Source values synced from your connected databases

3. How We Use Your Data

We use your data for the following purposes:

  • Provide the Service — to operate your account, process your data mappings, run syncs, serve API requests, and deliver the core functionality of gridmap
  • Improve the Service — to understand how the Service is used, identify issues, and develop new features
  • Communicate with you — to send account-related notifications, respond to support requests, and inform you of important changes to the Service or these policies
  • AI-powered features — when you use AI mapping suggestions, relevant source values and mapping context are sent to AI providers (see Section 8) to generate suggestions

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contract performance (Article 6(1)(b)) — processing necessary to provide the Service you have signed up for, including account management, data processing, and API access
  • Legitimate interest (Article 6(1)(f)) — processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights
  • Consent (Article 6(1)(a)) — where we rely on your consent, such as for optional communications or the use of AI features with third-party providers. You may withdraw your consent at any time

5. Data Storage

Your data is stored as follows:

  • Application data — stored in a PostgreSQL database hosted on Microsoft Azure in the Sweden Central region
  • Authentication tokens — stored in your browser's localStorage (not in cookies). These tokens are used to keep you signed in
  • User preferences — sidebar state, view mode, and theme preference are stored in your browser's localStorage
  • Temporary SSO state — stored in sessionStorage during SSO authentication flows and cleared when you close the browser tab
  • Database credentials — encrypted at rest using industry-standard encryption before being stored in our database

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete your personal data within 30 days, except where we are required by law to retain certain data for a longer period.

Usage logs and audit trail data may be retained for up to 12 months for security and operational purposes.

Mapping data and registry data are retained as long as your organization's account is active. Upon account termination, data is available for export for a reasonable period before permanent deletion.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

  • Right of access — you may request a copy of the personal data we hold about you
  • Right to rectification — you may request that we correct any inaccurate or incomplete personal data
  • Right to erasure — you may request that we delete your personal data, subject to legal retention obligations
  • Right to data portability — you may request a machine-readable copy of your personal data to transfer to another service
  • Right to object — you may object to processing based on legitimate interests
  • Right to restrict processing — you may request that we limit the processing of your personal data in certain circumstances

To exercise any of these rights, please contact us at info@stormyran.se. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or the supervisory authority in your country of residence.

8. Third-Party Services

We use the following third-party services to operate gridmap:

  • Microsoft Azure — cloud infrastructure hosting (Sweden Central region). Azure processes data in accordance with its Privacy Statement and GDPR Data Processing Addendum
  • Anthropic — AI provider used for mapping suggestions when you enable the AI features. Source values and mapping context are sent to Anthropic's API to generate suggestions. Anthropic processes this data in accordance with its privacy policy and does not use it for model training

We may also integrate with AI providers such as OpenAI and Google AI if you choose to use your own API keys. In those cases, your data is processed according to the respective provider's privacy policy.

9. International Data Transfers

Your application data is primarily stored and processed within the European Economic Area (EEA), specifically in Microsoft Azure's Sweden Central data center.

When you use AI-powered features, data may be transferred to AI providers whose servers may be located outside the EEA (e.g., in the United States). In such cases, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions, to protect your data in compliance with the GDPR.

10. Cookies and Local Storage

gridmap primarily uses browser localStorage and sessionStorage rather than traditional cookies. For detailed information about what we store in your browser and why, please see our Cookie Policy.

In summary: we use sessionStorage to store authentication tokens (for your current session) and localStorage for user preferences (sidebar state, view mode, theme). We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest for stored data and database credentials
  • Multi-factor authentication (MFA) available for all accounts
  • Role-based access control and row-level security within the application
  • Regular security reviews and updates

While we take all reasonable precautions, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at info@stormyran.se.

12. Children's Privacy

gridmap is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will notify you by email or through the Service and update the effective date at the top of this page.

We encourage you to review this policy periodically.

14. Contact and Data Protection

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is handled, please contact us:

Big Ant AB (Stormyran)

Data Protection Contact: info@stormyran.se

Website: stormyran.se