Privacy Policy
1. Introduction
Altaria Analytics AB (“we”, “us”, “our”) is committed to protecting the personal data we process in connection with our services. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).
Our service is a B2B SaaS platform that ingests retailers’ order data, trains bespoke machine learning models on that data, and uses those models to predict whether incoming orders are likely to result in a return. We operate as a data processor on behalf of our retail clients (who are the data controllers) with respect to the personal data of their customers, and as a data controller in our own right with respect to the personal data of our clients’ business contacts.
2. Who We Are
Data Controller (for client and prospect data):
Altaria Analytics AB
Högbergsgatan 7, 151 33 Södertälje
559521-1797
Sweden
For privacy-related enquiries, contact us at: privacy@altariaanalytics.com
If you are an end customer of one of our retail clients and wish to exercise your data rights, you should contact that retailer directly. We will cooperate with them to fulfil any requests.
3. The Data We Process and Why
3.1 Data We Control — Our Clients and Their Contacts
Business contact details (such as name, job title, work email address, and phone number) are processed on the basis of our legitimate interests and, where applicable, to perform our contract with the client. We use this data for account management, service delivery, customer support, and invoicing.
Account and billing data (such as company name, billing address, and payment records) are processed to fulfil our contractual obligations, including billing and financial record-keeping.
Platform usage data (such as login timestamps, feature usage, and API activity) are processed on the basis of our legitimate interests in maintaining platform security, improving our service, and supporting customer success.
3.2 Data We Process on Behalf of Clients — Retailer Order Data
When our retail clients connect their order management systems to our platform, they transfer order data to us for the purpose of training and running their bespoke return-prediction models. This data may include:
- Customer names and contact details
- Shipping and delivery addresses
- Billing information (typically limited to billing address and payment method type — we do not store full payment card numbers)
- Order contents, values, and history
- Return and refund history
We process this data solely on documented instructions from the relevant retail client, under a Data Processing Agreement (DPA). We do not use this data for our own purposes, and we do not combine data across clients. The retail client remains the data controller and is responsible for ensuring they have a valid legal basis for sharing this data with us.
4. Machine Learning and Automated Processing
Our core service involves training machine learning models on a client’s historical order data and using those models to classify new incoming orders by return risk. This constitutes automated processing within the meaning of GDPR Article 22.
Our platform produces a prediction score or classification that is provided to the retail client. Any decision taken on the basis of that score — for example, whether to accept, flag, or modify an order — is made by the retail client, not by us. We do not make legally significant decisions about individuals directly.
Retail clients who use our outputs to make automated decisions about their customers must ensure they have appropriate safeguards in place, including informing affected individuals and, where required, offering the option of human review.
5. Data Retention
We retain different categories of data for different periods depending on their purpose and our legal obligations.
- Client business contact data: Duration of contract plus three years
- Billing and financial records: Seven years in line with legal obligations
- Retailer order data and trained model weights: As specified in the individual DPA with each client; deleted upon contract termination on request
- Platform usage and log data: Rolling 12 months
6. International Transfers
Altaria Analytics AB is headquartered in Sweden and operates within the European Economic Area (EEA). Where we engage sub-processors or infrastructure providers located outside the EEA or UK, we ensure appropriate safeguards are in place. These include:
- EU Standard Contractual Clauses (SCCs) under Commission Decision 2021/914
- UK International Data Transfer Agreements (IDTAs) or UK Addenda to SCCs, as applicable
- Transfer Impact Assessments where required
A list of our current sub-processors is available on request at privacy@altariaanalytics.com.
7. Who We Share Data With
We do not sell personal data. We may share data with the following categories of recipients:
- Cloud infrastructure providers (such as hosting, storage, and compute services), under appropriate DPAs
- Business software providers (such as CRM, billing, and helpdesk tools), on a need-to-know basis
- Professional advisors (such as lawyers and auditors), under confidentiality obligations
- Competent authorities, where we are required to do so by law
8. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, access controls and least-privilege principles, regular security testing, and incident response procedures.
In the event of a personal data breach affecting data we control, we will notify the relevant supervisory authority within 72 hours where required, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
9. Your Rights
If we are the data controller for your personal data — that is, if you are a contact at one of our client or prospect organisations — you have the following rights under GDPR and UK GDPR:
- Right of access — to obtain a copy of your personal data
- Right to rectification — to have inaccurate data corrected
- Right to erasure — to request deletion in certain circumstances
- Right to restriction — to limit how we use your data
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interests
- Rights related to automated decision-making — to not be subject to solely automated decisions that produce significant legal effects
To exercise any of these rights, please contact us at privacy@altariaanalytics.com. We will respond within one month.
If you are unsatisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority. Our lead supervisory authority in Sweden is the Integritetsskyddsmyndigheten (IMY), reachable at www.imy.se. If you are based in the UK, you may also contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.
If you are a customer of one of our retail clients and wish to exercise your rights, please contact that retailer directly.
10. Cookies and Tracking
Our website at https://altariaanalytics.com may use cookies and similar technologies. Where we use non-essential cookies, we will obtain your consent before placing them. You can manage your cookie preferences at any time via the cookie settings banner on our website.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify our clients by email or via the platform. The date at the top of this policy reflects the most recent revision. We encourage you to review this policy periodically.
12. Contact Us
Altaria Analytics AB
Email: privacy@altariaanalytics.com
Website: https://altariaanalytics.com