Privacy policy

Your data. Your terms.

Last updated: May 2026

What we collect

When you use the Thea Klara survey we collect your answers to the questions you choose to answer. We do not collect names, personal identity numbers or other identifying information unless you actively provide it.

Health data (GDPR Article 9)

Your symptom answers are health data under GDPR Article 9 — the highest protection tier in the regulation. We process this data on the basis of your explicit consent (Article 9(2)(a)), which you provide before the survey begins. You may withdraw consent at any time. Withdrawal leads to deletion of all remaining data. Health data never leaves the EU/EEA.

Why we collect it

Your answers are used solely to generate your PDF report. We do not use your answers for marketing, profiling or analysis. We never sell data to third parties.

How long we keep your data

Your data is automatically deleted 30 days after your report has been delivered. No action is required from you.

Where your data is stored

All data is stored within the EU. Our infrastructure is located in Frankfurt, Germany. No data is transferred to countries outside the EU/EEA.

Your rights

You have the right to request access to, correction of, or deletion of your personal data. You also have the right to withdraw your consent and to lodge a complaint with the Swedish Authority for Privacy Protection (IMY). Contact us at hej@theaklara.se. We respond within 72 hours.

Sub-processors

We use the following sub-processors to deliver the service: Supabase (database, Frankfurt), Vercel (hosting, EU region), Stripe (payments, Ireland), Resend (email, EU), Cloudflare (bot mitigation on the survey endpoint — IP address only), Upstash (rate limiting — IP address only). No health data is processed outside the EU/EEA.

View the full register →

Cookies and tracking

Thea Klara does not use marketing cookies. We use Umami for analytics — a cookieless GDPR-compliant tool.

In the event of a data breach

If a personal data breach occurs we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of it, in accordance with GDPR Article 33. Affected users are informed directly if the breach is likely to result in a high risk to their rights (Article 34). Notifications are filed at imy.se/dataskydd/personuppgiftsincident. Our sub-processors are contractually required to notify us without undue delay of any breach affecting their systems.

Contact

Contact us at hej@theaklara.se. You can also file a complaint with IMY at imy.se.

This policy applies to theaklara.se and konto.theaklara.se.