Privatlivspolitik

1. Introduction

Sandhed LLC ("Sandhed", "we", "us", or "our"), a company registered in Malta, operates the Sandhed IoT Digital Twin platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal data in connection with our Service.

We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. If you have any questions about this Privacy Policy, please contact us at [email protected].

2. Data Controller

Sandhed LLC is the data controller for personal data we collect directly from you (such as account registration information and usage data).

For personal data that Customers upload or transmit through the Service (including IoT telemetry data and warehouse management data that may contain personal information), the Customer is the data controller and Sandhed acts as a data processor on behalf of the Customer. The processing of such data is governed by our Data Processing Agreement.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Information

• Name and email address
• Company/organization name
• Job title or role
• Profile picture
• Language preference
• Account credentials (passwords are stored in hashed form)

3.2 Usage Data

• Login times and session duration
• Features accessed and actions performed
• IP addresses
• User preferences and settings
• AI Co-Pilot queries and interaction metadata (see Section 5.5)

3.3 Device Information

• Browser user-agent string (which includes browser type, version, and operating system)
• Device type and screen resolution

3.4 IoT and Telemetry Data

When Customers use our Service to process IoT telemetry data, this data may include:

• Equipment location coordinates from RTLS and GPS systems
• Equipment status, sensor readings (temperature, humidity, battery level, etc.)
• Engine hours, fuel consumption, and maintenance indicators (via AEMP/ISO 15143-3)
• AirTag and Apple Find My location data (when configured)
• Device IP addresses (stored encrypted)

Sandhed processes this data on behalf of the Customer as a data processor. The Customer is responsible for ensuring that any personal data included in telemetry feeds is processed in compliance with applicable data protection laws.

RTLS and Location Tracking: Where Customers deploy real-time location systems (RTLS) that track the location of individuals, the Customer is solely responsible for providing appropriate notice and obtaining any required consent from individuals being tracked.

3.5 Warehouse Management Data

When Customers connect warehouse management systems (WMS) to the Service, the following data may be ingested:

• Employee identifiers, usernames, and full names
• Work location and department assignments
• Daily productivity metrics
• Inventory data (SKU, quantity, location, cost)
• Warehouse movement and audit records

Sandhed processes WMS data solely as a data processor on behalf of the Customer. The Customer, as the data controller, is responsible for ensuring a valid legal basis for sharing employee data with the Service and for providing appropriate notice to employees.

3.6 User-Uploaded Content

• Floor plan images and facility layouts
• Service documentation, photos, and certificates
• Custom asset images

4. Legal Basis for Processing

Under GDPR Article 6, we process personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service and fulfill our contractual obligations to you
• Legitimate Interests (Art. 6(1)(f)): Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your rights
• Consent (Art. 6(1)(a)): For optional AI-powered features and marketing communications where we have obtained your explicit consent
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations

5. How We Use Your Data

We use personal data for the following purposes:

5.1 Providing the Service

• Creating and managing your account
• Authenticating your access to the platform
• Processing and displaying your IoT data
• Processing warehouse management data when configured by Customer
• Sending service-related notifications and alerts

5.2 Security and Fraud Prevention

• Detecting and preventing unauthorized access
• Monitoring for security threats
• Investigating potential violations of our Terms of Service

5.3 Customer Support

• Responding to your inquiries and support requests
• Providing technical assistance

5.4 Analytics and Improvement

• Understanding how users interact with our Service
• Identifying areas for improvement
• Developing new features and functionality

5.5 AI-Powered Features

The Service includes an optional AI Co-Pilot feature that uses the Google Gemini API to provide operational insights and task assistance. When AI-powered features are enabled:

• Queries are sent to the Google Gemini API for processing. Google processes this data in accordance with its own privacy policies and data processing terms.
• We log interaction metadata including user ID, organization, model used, token count, and response duration for monitoring and billing purposes.
• Conversation content is not stored by Sandhed after the session ends.

Organization administrators can enable or disable AI-powered features for their organization at any time. AI features are disabled by default.

Sandhed does not use Customer Data or AI interaction data to train AI models.

6. Data Sharing

We may share personal data with the following categories of recipients:

6.1 Sub-Processors

We use the following third-party service providers to help operate our Service:

• Railway — Application hosting and database infrastructure (EU/US)
• Cloudflare R2 — File and object storage (EU)
• Google LLC (Gemini API) — AI-powered features (US)
• Resend — Transactional email delivery (US)
• LocationIQ — Geocoding and reverse geocoding (EU/US)

When Customers configure integrations, the following additional sub-processors may receive data:

• Trackunit — Heavy equipment telematics
• SmartPack — Container and cargo tracking
• Apple (Find My network) — AirTag location tracking
• Customer-specified RTLS vendors — Real-time location systems

All sub-processors are bound by data processing agreements and are required to protect your data in accordance with applicable laws. Sandhed will notify Customers of any new sub-processors at least 30 days before engagement, and Customers may object to such changes for legitimate data protection reasons.

6.2 Legal Requirements

We may disclose personal data if required by law, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, property, or safety, or that of others.

6.3 Business Transfers

If Sandhed is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

7. International Transfers

Sandhed is based in the European Union (Malta), and we primarily process personal data within the EU/EEA. Where we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• EU-US Data Privacy Framework certifications where applicable
• Other approved transfer mechanisms under GDPR

8. Data Retention

We retain personal data for the following periods:

• Account Data: Duration of your account plus 90 days after account closure
• Usage and Audit Logs: 12 months from collection
• AI Interaction Metadata: 12 months from collection
• WMS Employee Snapshots: Duration of integration plus 90 days after disconnection
• IoT Telemetry Data: As configured by Customer, default 12 months
• Uploaded Files: Duration of account, deleted within 30 days of account closure
• Backup Retention: 30 days after deletion from active systems
• Support Records: 3 years from resolution for quality and legal purposes

We may retain certain data longer if required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

WMS Employee Data: If your personal data is processed through the Service because your employer has connected a warehouse management system, you should contact your employer (the data controller) in the first instance to exercise your data protection rights. Sandhed will assist your employer in responding to your request as required under our Data Processing Agreement.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Malta, this is the Office of the Information and Data Protection Commissioner (IDPC).

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

10.1 Essential Cookies

Required for the Service to function, including:

• Session management and authentication tokens
• Language preference cookie (NEXT_LOCALE)
• Content security policy tokens

These cookies cannot be disabled.

10.2 Analytics Cookies

The Service does not currently use third-party analytics cookies. If we introduce analytics cookies in the future, we will update this policy and obtain your consent before setting them.

11. Security

We implement appropriate technical and organizational measures to protect personal data, including:

• Encryption of data in transit using TLS 1.2 or higher
• AES-256-GCM encryption for sensitive credentials (API tokens, integration credentials, device addresses)
• Database infrastructure encryption at rest provided by our hosting provider
• Role-based access controls with four permission levels
• Comprehensive audit logging
• Incident response procedures

While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you have reason to believe your data has been compromised, please contact us immediately.

12. Children's Privacy

The Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending you an email notification
• Displaying a notice within the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Information

For questions about this Privacy Policy or our data practices, please contact us: