Effective Date: 4 June 2026

1. Introduction

Emmtry AB ("Emmtry", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our smart access control platform ("Service").

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

Emmtry AB
Organisationsnummer: 556977-1495
Stockholm, Sweden
Email: privacy@emmtry.com

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Information

• Email address or mobile phone number (at least one is required for account creation and sign-in)
• First and last name (optional)
• Additional verified email addresses or phone numbers you choose to link to your account
• Profile photo (optional)
• Preferred language and timezone

3.2 Authentication and Verification Data

• One-time verification codes (OTPs) sent to your email or by SMS to verify it's you when you sign in or link a new identifier
• Sign-in timestamps and the platform used to sign in (iOS, Android, or web)

3.3 Access Control Data

• Device identifiers and names
• Access schedules and permissions
• Location names and addresses
• Visitor information (names, email addresses)

3.4 Activity and Log Data

• Lock/unlock events with timestamps
• User actions within the Service
• IP addresses and device information
• Browser type and operating system

3.5 Device Data

• Smart lock status and configuration
• Connection status and battery levels
• Firmware versions

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

• Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b))
• Legitimate Interests: Processing for our legitimate interests such as improving the Service, fraud prevention, and security (Article 6(1)(f))
• Consent: Processing based on your explicit consent for marketing communications and analytics (Article 6(1)(a))
• Legal Obligation: Processing necessary to comply with legal requirements (Article 6(1)(c))

5. How We Use Your Data

We use your personal data to:

• Provide and maintain the Service
• Authenticate you when you sign in or link a new identifier, by emailing or texting a one-time verification code
• Process your access control requests
• Send important service notifications
• Respond to your inquiries and support requests
• Improve and personalize the Service
• Detect and prevent fraud and security threats
• Send marketing communications (only with your consent)
• Comply with legal obligations

6. Data Sharing and Disclosure

We may share your personal data with:

• Service Providers (Sub-processors): Third-party vendors who process personal data on our behalf to operate the Service. At the date of this policy our sub-processors are: Fly.io (cloud hosting, Frankfurt EEA region), GatewayAPI (SMS delivery of one-time verification codes — your phone number is shared only at the moment a code is sent), Sentry (crash and error reporting), Stripe (payment processing for paid plans), and Tigris (S3-compatible object storage for profile photos). We may update this list from time to time; material changes will be communicated in line with section 13.
• Organization Members: Other members of your organization who need access to perform their roles
• Legal Requirements: When required by law or to protect our rights and safety
• Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal data to third parties. We require all service providers to process data only as instructed and to maintain appropriate security measures.

7. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure adequate protection through:

• European Commission adequacy decisions
• Standard contractual clauses
• Other appropriate safeguards as required by GDPR

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy:

• Account Data: Retained while your account is active, plus 30 days after deletion
• Activity Logs: Retained for 12 months for security and audit purposes
• Consent Records: Retained for 5 years to demonstrate compliance
• Financial Records: Retained as required by applicable tax and accounting laws

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, please visit your Profile Settings or contact us at privacy@emmtry.com. We will respond without undue delay and in any event within one month of receiving your request, in line with Article 12(3) GDPR. Where a request is particularly complex or where we have received a large number of requests, we may extend this period by a further two months and will let you know within the first month if we need to do so.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data. Our current practices include:

• Encryption of data in transit (TLS) and at rest at the hosting and storage layers
• Role-based access control inside the Service, with multi-tenant isolation enforced at the database query layer
• Passwordless sign-in using one-time codes and federated identity providers; no long-lived passwords are stored
• Automated dependency vulnerability scanning and code review on every change
• Centralized error and security monitoring with on-call alerting
• Documented incident response procedures

No system can be guaranteed perfectly secure. If you become aware of any vulnerability or suspected compromise, please contact us at security@emmtry.com.

11. Cookies and Tracking

We use only essential cookies necessary for the Service to function. These cookies are required for:

• User authentication and session management
• Security and fraud prevention
• Remembering your preferences

We do not use third-party tracking cookies or advertising cookies. If you opt in to analytics, we use privacy-respecting analytics that do not track you across websites.

12. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Effective Date" at the top
• Sending you an email notification for significant changes
• Requesting re-acceptance for material changes

14. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. In Sweden, this is:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Sweden
Website: www.imy.se

15. Contact Us

For any questions or concerns about this Privacy Policy or our data practices, please contact us:

Emmtry AB
Organisationsnummer: 556977-1495
Data Protection Officer
Email: privacy@emmtry.com
Address: Stockholm, Sweden

Last updated: 4 June 2026 • Version 1.1