Output ByPropel AB, org. no. 559201-1943, with registered address at Kungsgatan 57, 411 15 Gothenburg (hereinafter "we", "us", or "OBP"), is the Data Controller responsible for the processing of personal data described in this Privacy Policy.
This Privacy Policy always applies between OBP and the user of the website https://panelista.com, as well as all content, products, and services available through the digital product Panelista (collectively, "the Services").
We process personal data in accordance with applicable legislation, including the General Data Protection Regulation (GDPR). This means, among other things, that we protect your personal data with the necessary measures and that you always have the right to contact us to find out what personal data we hold about you.
Please note that Panelista operates both as a Data Controller (for the data of account holders and users who interact directly with OBP) and as a Data Processor on behalf of Panelista's clients (when users participate in a client's panel or submit information via an external touchpoint). This policy addresses both roles.
We collect only information that you yourself provide to us, for example when you:
As we continually strive to develop and improve our business, this Privacy Policy may be updated from time to time as a result of changes in legislation, technical requirements, or business needs.
OBP processes your personal data only for as long as is necessary to fulfil the purposes for which they were collected, or to comply with our legal obligations. More information about specific retention periods for each purpose is set out in the relevant sections below.
Unless otherwise stated, all undefined terms in this policy, such as "processing", "data processor", "data subject", and "personal data", have the meanings given to them in the GDPR.
The table below sets out the categories of personal data we collect, the purposes for which they are used, the legal basis for the processing, and the applicable retention periods.
| When collection occurs | Personal data processed | Purpose | Legal basis | Retention period |
|---|---|---|---|---|
| When you visit our website | IP address; cookies. | To provide localised access to the website. | Legitimate interest (website access). | IP address: 7 days after last visit. Language preference cookies: until deleted or expired. |
| When you register a user account (account administrator) | Name, email address, mobile number, User ID, and optional user image. | To create and manage your account, provide access to Panelista in full, and administer your subscription. | Performance of contract (Terms of Service). | Retained while your account is active. Deleted when the account is deactivated. |
| When you participate in a panel (panel participant) | Name, email address, mobile number, User ID, and other information you provide when participating in a panel owned and operated by one of Panelista's clients. | To enable participation in the client's panel and deliver the service in full. | Consent (you approve participation in the client's panel). | Processed for as long as you are a member of the panel or until you withdraw consent. Deletion scheduled according to the client's instructions as Data Controller. |
| When you submit contact information via an external touchpoint | Contact details (name, email, phone number, or other information) submitted via external digital forms (touchpoints) connected to the service. | To enable the client to contact you or include you in a panel. Panelista processes this data on behalf of the client. | User's approval (Panelista acts as Data Processor for the client as Data Controller). | According to the client's instructions as Data Controller. |
| When you contact Panelista's support | Personal data necessary to handle your support request, including case/ticket numbers. | To provide support, administer support and complaint cases, and contact you. | Performance of contract (Terms of Service). | For as long as necessary to resolve the matter, then deleted in accordance with our general retention periods. |
| When we send user surveys or product updates | Email address. | To conduct user surveys or deliver updated terms, newsletters, and other relevant information. | Legitimate interest (balance of interests). | For as long as you are an active user or until you object. |
| When you apply for a job at Panelista | Name, personal ID number (where applicable), address, email, phone number, CV, and other application materials. | To assess your application and, if consent is given, to consider you for future vacancies. | Legitimate interest / Consent (for future recruitment). | Until the position is filled, or 6 months for future recruitment if consent given. 2 years for anti-discrimination purposes (Discrimination Act 2008:567). |
| When a company contact person enters into an agreement with us | Name, email address, phone number, title, and employer. | To manage and maintain the business relationship. | Legitimate interest. | 3 years from the end of the service relationship. |
| When you enter into a contract with Panelista | Name of sole trader / personal ID number (sole traders and private individuals), address, email, phone number, purchased services. | To perform the service, communicate with you, and store our communication. | Performance of contract. | 3 years from the end of the service relationship. |
| Accounting and invoicing | Name, address, email address. | Bookkeeping, invoicing, and reporting of financial data. | Legal obligation (Accounting Act 1999:1078). | 7 years from the date of entry in the accounts. |
| Statute of limitations | Contract and invoice documentation. | To fulfil obligations under the Limitations Act (1981:130). | Legal obligation. | 10 years from signing or invoice date. |
| Legal obligation or enforcement of legal claims | Personal data processed in connection with the service or contractual relationship. | To fulfil legal obligations or to investigate, respond to, or establish legal claims. | Legal obligation / Legitimate interest. | For the duration required by the relevant obligation or until legal proceedings are concluded. |
We do not sell your personal data to third parties. We share your data only in the situations set out in this Privacy Policy or where required by law.
We use sub-processors for services connected to our Services. These sub-processors may need access to personal data collected through the Services. We limit such access to the minimum amount necessary and require all sub-processors to (i) protect your data in accordance with this Privacy Policy and (ii) not use your data for any other purpose than to provide the agreed services to OBP.
| Recipient | Purpose and location of processing | Role and responsibility |
|---|---|---|
| 46elks | We share Users' mobile numbers with 46elks, which delivers text messages on our behalf. Processing in Sweden (EU). | Data Processor. |
| Mailcoach (Spatie BV) | We share Users' email addresses with Mailcoach, which delivers emails on our behalf. Processing in Belgium (EU). | Data Processor. |
| Scaleway | We store images and videos at a data centre in Amsterdam. Headquarters in Paris. Processing in the EU. | Data Processor. |
| Hetzner Online GmbH | We host the application and database on Hetzner's servers in Nuremberg, Germany. Headquarters in Gunzenhausen, Germany. | Data Processor. |
| Bunny (CDN) | Bunny acts as Content Delivery Network and processes visitors' IP addresses and network request contents. Headquarters in Ljubljana, Slovenia. Processing in the EU. | Data Processor. |
| Panelista's clients (where Panelista acts as Processor) | When you participate in a client's panel or submit contact information via an external touchpoint, Panelista shares your data with that client as Data Controller. Processing location varies by client. | Panelista acts as Data Processor; the client is the independent Data Controller for that processing. |
| Public authorities | Personal data are disclosed when required by law or upon request from authorities. Processing in the EU. | Independent responsibility: processing pursuant to legal obligations. |
We store and process user data exclusively within the EU/EEA to ensure a high level of data protection. For tasks outside of the web application such as notifications about product news or managing job applicants, should a situation arise in which we need to process your personal data outside the EU/EEA, we will take appropriate safeguards in accordance with the GDPR. Such safeguards include, for example, a decision by the European Commission that the country in question ensures an adequate level of protection, or the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) adopted by the Commission, other contractual solutions, or obtaining your explicit consent for the transfer.
You are not obliged to provide personal data to us, but where processing is based on the performance of a contract, we need your data in order to fulfil our obligations. If you do not provide your personal data, there is a risk that we will be unable to fulfil our contractual commitments.
We may ask for your consent to process certain personal data. You are not obliged to give such consent if you do not want your personal data to be processed for the specified purposes. You may withdraw your consent at any time by contacting us. Withdrawal of consent is effective from the time of withdrawal and does not affect processing carried out prior to that point.
You also have the following rights under the GDPR:
| Right | GDPR reference | Description |
|---|---|---|
| Right of access | Article 15 | You have the right to request a copy of the personal data we process about you and to receive information about how we use it. |
| Right to rectification | Article 16 | You have the right to have inaccurate or incomplete personal data about you corrected. |
| Right to erasure | Article 17 | You may request that we erase your personal data if they are no longer necessary or if you withdraw consent. |
| Right to restriction | Article 18 | You have the right to request that we restrict the processing of your personal data in certain situations. |
| Right to data portability | Article 20 | You may receive your personal data in a structured, machine-readable format and transfer it to another controller. |
| Right to object | Article 21 | You may object to processing of your personal data based on our legitimate interest. |
| Right to withdraw consent | Article 7(3) | If we process your data based on consent, you may withdraw it at any time. |
| Right to lodge a complaint | Article 77 | You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se if you believe we are not fulfilling our obligations under GDPR. |
If you wish to exercise your rights, please contact us in writing with a copy of a valid ID document. You also have the right to lodge a complaint directly with the Swedish Authority for Privacy Protection (Datainspektionen/IMY) at www.imy.se.
Your security is important to us. We have therefore implemented appropriate technical, organizational, and administrative security measures to protect your personal data from loss, misuse, disclosure, alteration, destruction, unauthorized access, and other unlawful processing. We regularly analyze and evaluate these measures to ensure that the protection of your data is as robust as possible, and we continuously adapt our security measures in line with technical developments.
Access is strictly limited to ensure that personal data are handled responsibly and in accordance with applicable data protection legislation and internal security procedures. Only those individuals with a clearly defined and legitimate need to handle your data, in accordance with their duties, are granted access.
OBP's employees, partners, and suppliers are required to comply with OBP's rules, this Privacy Policy, and other internal regulations governing the processing of personal data.
| Security measure | Description and purpose |
|---|---|
| Encryption | Data at rest and in transit is protected using encryption (e.g. TLS, AES). |
| Access control | Access to data is restricted through authorisation management and two-factor authentication (2FA). |
| Regular review | Penetration testing and vulnerability scans to identify risks. |
| Privacy by Design | Data protection is built into our systems and processes from the outset. |
If you have questions about this policy, wish to exercise your rights under the GDPR, or have complaints about how we handle your personal data, please contact us in writing (signed and with a valid ID):
Output Bypropel AB
Email: jensa@panelista.com
Address: Kungsgatan 57, 411 15 Gothenburg, Sweden
Website: panelista.com
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se.