Hoppa till innehåll
Cupa
Boka demo
Legal

Privacy policy

How Cupa handles your personal data — what we collect, why, how long, and the rights you have.

Last updated: 2026-05-12

1. Controller and processor

Zettler AB (company reg. no. 559580-9293), Västra Järnvägsgatan 3, 111 64 Stockholm, is the controller for personal data processed via cupa.se — including demo requests, email correspondence, and operation of the website — and for marketing of the Cupa service.

When Zettler AB delivers the Cupa platform to a customer (a staffing agency), Zettler AB acts as processor for personal data handled within the customer's instance. Those terms are governed by the Data Processing Agreement (DPA) between Zettler AB and the customer. There are no live customers at the time of writing; the processor role activates with the first customer agreement.

Privacy questions: dataskydd@cupa.se.

Zettler AB's Data Protection Officer (DPO) is Nathan Allard, reachable at dataskydd@cupa.se.

2. What personal data we process and why

We split our processing into six categories. Today — before the platform is live with any customer — only (a)–(c) are active. Category (d) AI features and (e) cookies are described in § 4 below. Category (f) activates the moment the first staffing agency goes live on the Cupa platform; we list it here so the policy is predictable for anyone whose data may be processed post-launch.

a) Contact details from the demo form

Data: name, company, email, phone (optional), role, agency size, free-text notes about what you'd like to see in the demo, IP address, and submission timestamp. Purpose: respond to your enquiry, book a demo, follow up within a reasonable time. Lawful basis: consent (Art. 6(1)(a) GDPR) via the mandatory consent checkbox, plus legitimate interest (Art. 6(1)(f)) for ordinary B2B follow-up to a demo enquiry. Retention: 24 months after the last interaction or until you withdraw consent — whichever comes first.

The IP address is stored briefly for abuse prevention (rate-limiting of the form).

b) Direct correspondence by email

Data: email address, name (if provided), message content, any attachments. Purpose: respond to enquiries sent to hello@cupa.se or dataskydd@cupa.se. Lawful basis: legitimate interest (Art. 6(1)(f)) — to answer the question you put to us. Retention: 24 months unless the thread is billing- or accounting-relevant. Accounting material is retained for 7 years under the Swedish Bookkeeping Act (Bokföringslagen 1999:1078); for that material the lawful basis shifts to legal obligation (Art. 6(1)(c)).

c) Operational and security logs for cupa.se

Data: IP address, request path, timestamp, user-agent, error messages. Purpose: operations, debugging and abuse prevention. Lawful basis: legitimate interest (Art. 6(1)(f)) — keeping the site secure and available. Retention: 90 days.

d) Data processed by AI features

AI processing happens only inside a customer's instance once the platform is live. See § 4 below on AI features — Anthropic Claude and OpenAI are used for matching and CV parsing, no data is used to train the providers' foundation models, and EU residency is enabled where the provider offers it.

e) Cookies

No cookies are set on cupa.se today. We run no third-party analytics. See § 4 below on cookies in the platform post-launch.

f) Platform use (post-launch)

Activates when a staffing agency (a Cupa customer) starts using the platform. Cupa is then a processor on the customer's behalf and processes the data on the customer's documented instructions under the DPA. The customer is the controller.

Data (main categories): name, email, phone number, employment data for consultants, candidate applications and CVs, scheduling and time-reporting data, payroll data, invoicing data. Purpose: deliver the platform's functions — scheduling, time reporting, payroll, invoicing, recruitment. Lawful basis: contract (Art. 6(1)(b)) between the customer and its employees, consultants, or candidates — Cupa supports the processing as processor under the DPA. Retention: per the customer's own policies and the category-level retention rules in the DPA; accounting material 7 years (Art. 6(1)(c)).

3. Legal basis

We tie each processing activity to a specific lawful basis — we do not rely on the phrase "all bases as appropriate".

  • Demo enquiries (§ 2 a): consent (Art. 6(1)(a)) as the primary basis via the consent checkbox, plus legitimate interest (Art. 6(1)(f)) for the subsequent B2B follow-up. You can withdraw consent at any time.
  • Direct correspondence and customer support (§ 2 b): legitimate interest (Art. 6(1)(f)) — to answer the question you put to us.
  • Operational and security logs, abuse prevention (§ 2 c): legitimate interest (Art. 6(1)(f)) — to keep the service secure, available, and free from automated attacks.
  • Bookkeeping and invoicing: legal obligation (Art. 6(1)(c)) under the Swedish Bookkeeping Act (Bokföringslagen 1999:1078).
  • Processing in a customer's instance (§ 2 f, post-launch): contract (Art. 6(1)(b)) between the customer and its employees, consultants, or candidates. Cupa is processor under the DPA and supports the customer's basis.
  • AI features (§ 4): the same lawful basis as the underlying processing the AI supports — we do not introduce a separate AI-specific basis.
  • Forwarding ads to Platsbanken / Eures (§ 4): legitimate interest (Art. 6(1)(f)) for publishing the ad content. For the contact person's data a separate consent is required, which Arbetsförmedlingen collects in its capacity as independent controller.

Withdrawing consent: email dataskydd@cupa.se. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

4. How your personal data is shared

Sub-processors

A current list of our sub-processors is published at cupa.se/legal/sub-processors. We give at least 30 days' notice before engaging new sub-processors.

International transfers

Personal data is processed within the EU/EEA. Where sub-processors transfer data to third countries (the US), they do so on the basis of EU Commission Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

AI features

Cupa uses generative AI (Anthropic Claude and OpenAI) for matching and CV parsing. No data is used to train the providers' foundation models. EU residency is enabled where the provider offers it.

Job ads

When you publish an ad via Cupa, we may forward the ad to Platsbanken (the Swedish Public Employment Service) and Eures. The contact person's data — name, email, telephone — is processed by Arbetsförmedlingen as an independent controller and requires their consent.

SMS

Outbound SMS to consultants and candidates is delivered via Sinch Sweden AB (Stockholm). Phone numbers and message content are processed by Sinch under their DPA.

Cookies

cupa.se sets no cookies — neither first-party nor third-party — and runs no web analytics. There is therefore no cookie banner. Should Cupa introduce statistical or analytics cookies in future, we will ask for your consent first and update this policy. On the live platform (post-launch) only strictly necessary session cookies are used for sign-in and security; these do not require consent.

5. How long your personal data is stored

We delete or anonymise data when it is no longer needed for the purpose stated in § 2. Specifically:

  • Demo enquiries (§ 2 a): 24 months after the last interaction or until you withdraw consent.
  • Direct correspondence (§ 2 b): 24 months. Bookkeeping-relevant email — quotes, invoices, contract correspondence — is retained for 7 years under the Swedish Bookkeeping Act (1999:1078) § 7.
  • Operational and security logs (§ 2 c): 90 days.
  • Invoices, accounting material, signed contracts: 7 years (Bokföringslagen 1999:1078 § 7).
  • Candidate data (post-launch, § 2 f): 24 months from last interaction by default. Adjustable per customer in the DPA. Talent pools live inside the customer's own instance — Cupa deletes or exports on the customer's documented instructions. Recruitment data must be retained long enough for the customer to answer a possible discrimination complaint to the Equality Ombudsman (DO); the exact period is set in the customer's own recruitment policy.
  • Employee and consultant data during ongoing assignments (post-launch, § 2 f): retained for the duration of the assignment plus the retention periods the customer is itself required to apply under labour law and the relevant collective agreement.
  • Anonymised statistics: may be retained indefinitely — anonymised data is no longer personal data.

6. Your rights

You have the right to request access to, rectification of, erasure of, or restriction on the processing of your personal data (Articles 15–18 GDPR), the right to data portability (Article 20), and the right to object to processing (Article 21).

Response time: we respond to a request without undue delay and at the latest within one month of receipt (Article 12(3)). For complex requests this may be extended by a further two months; in that case we will tell you the reason within the first month.

Automated decision-making and profiling (Article 22): Cupa makes no automated decisions that produce legal effects or similarly significantly affect you. The platform's AI features (matching, CV parsing) produce suggestions that are reviewed by a human before any decision is made — see § 4.

Children's data: Cupa is not directed at people under 16 and does not knowingly collect their data. If the platform — at a customer's initiative — handles data about minors (e.g. 15-year-old summer workers), this is governed by the customer's DPA and lawful basis.

For contact about your rights, see § 7. How Cupa protects your data technically is described at cupa.se/security.

If you believe Cupa is processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

7. Contact us

dataskydd@cupa.se

8. Changes to this policy

Material changes are published at least 30 days before they take effect. Minor editorial changes are reflected in the date stamp above.