GDPR

Last updated May 20, 2026

This page describes how Inly Technology AB applies the EU General Data Protection Regulation (GDPR): our roles, the sub-processors we rely on for inly.se and the Core platform, and how to exercise data subject rights.

Our role

For visitor data on inly.se, Inly is the data controller. For customer data inside the Core platform, Inly acts as a data processor on behalf of the customer. Each customer remains the controller of the personal data they bring into Core, with Inly processing it under their instructions and a signed Data Processing Agreement.

Data Processing Agreement (DPA)

A Data Processing Agreement is signed together with the Master Services Agreement (MSA). The DPA defines the scope of processing, customer instructions, and the technical and organizational measures Inly applies. It references this page as the current list of sub-processors; material changes are notified to customers in advance. To request a copy of the DPA, contact [email protected].

Cookies and tracking

inly.se does not use cookies for tracking, advertising, or third-party analytics. Web analytics are provided by Cloudflare Web Analytics, which is cookieless and does not fingerprint visitors.

International transfers

Where personal data is transferred outside the EU/EEA, Inly relies on the European Commission’s Standard Contractual Clauses (SCCs) — the EU-approved contractual framework for safeguarding personal data sent to countries outside the EEA — and, where applicable, the EU-US Data Privacy Framework.

Website sub-processors

The following services process data when you visit inly.se.

  • Vercel

    United States (global edge)

    Website hosting and edge delivery

  • Cloudflare

    United States (global edge)

    DNS, DDoS protection, cookieless Web Analytics

  • Cloudflare Turnstile

    United States (global edge)

    Anti-bot verification on the discovery-call form. No tracking or profiling.

  • Google Workspace

    United States

    Inbound email for hello@, legal@, [email protected]

  • Notion

    United States

    Careers page, job application form, and CRM storage for discovery-call submissions

Platform sub-processors

When Inly operates Core for a customer, the following services may process customer data under the DPA. Customer-specific integrations are added per deployment and documented in the DPA appendix.

  • Laravel Cloud

    European Union

    Application hosting for Core deployments

  • DigitalOcean Spaces

    European Union (Frankfurt)

    Object storage for customer files and long-term backups

  • Resend

    United States

    Transactional email from Core

  • Brevo

    European Union (France)

    Templated and marketing email from Core

  • Twilio

    United States

    SMS delivery from Core

  • OpenAI

    United States

    AI features in Core. Customer prompts and outputs are not used to train OpenAI's models. OpenAI may retain API content for up to 30 days for abuse monitoring before deletion.

  • Laravel Nightwatch

    Tied to Laravel Cloud (EU)

    Application monitoring and error tracking

Your rights

Data subjects can request access, correction, deletion, restriction, objection, or portability of their personal data. For visitor data, email [email protected] and we will respond within 30 days. For customer data inside Core, requests are routed through the customer (the controller); Inly assists as processor.

Complaints can be lodged with the Swedish Authority for Privacy Protection (IMY) at imy.se.

Contact

Privacy and GDPR matters: [email protected].

Legal