Privacy Policy

Version 1.0 Last updated: April 29, 2026

1. Introduction

This Privacy Policy explains how Bantero AB (“Bantero”, “we”, “us”, or “our”), a company registered in Sweden (Org. nr: 556943-5273), registered address: Långholmsgatan 16, 117 33 Stockholm, Sweden, collects, uses, and protects personal data in connection with:

  • Our website at okrnest.com (the “Website”); and
  • The OKRnest application and related services (the “Service”).

This is a combined privacy policy. Where processing activities differ between Website visitors and Service users, this is clearly indicated. When we refer to “your organization” in this policy, we mean your employer or the company, organization, or entity you represent.

The OKRnest Service is designed for professional use. We process personal data through the Service in the context of your professional relationship with us or the organization you represent. We do not intentionally collect or process special categories of personal data (such as health data, political opinions, or religious beliefs).

User roles in the Service

The Service has three user roles, which determine what data is processed and what communications you receive:

  • Owner — The person who creates the organization in OKRnest and accepts the Terms of Service on behalf of the organization, thereby binding the organization to the agreement with Bantero. Each organization has one Owner. The Owner is the only role that can manage billing, and can also invite users and transfer ownership to another user.
  • Admin — Invited by the Owner or another Admin. Admins can manage user roles (e.g., promote a User to Admin) but cannot manage billing or transfer ownership.
  • User — Invited by an Owner or Admin. Users work with OKRs and related content within the Service.

Who is responsible for your personal data?

Bantero AB is the controller of personal data that we collect and process for our own purposes — for example, to operate the Website, manage the customer relationship with the organization Owner, provide support to the Owner, send communications, and process billing.

If you are an Owner, Bantero is the controller of your account data, profile data, and billing data, because you have entered into a direct contractual relationship with Bantero on behalf of your organization. Bantero is also the controller of personal data collected independently of the Service, such as website visitor data, marketing contacts, and CRM data.

If you are an Admin or User, your organization is the controller of your personal data in the Service — including your account data (name, email, role), profile data (job title, department), and usage and log data — because your organization decided to provision your account and determines the purposes of processing your data through the Service. Bantero processes this data solely to provide the Service, acting as a processor on behalf of your organization. This processing is governed by our Data Processing Agreement (DPA) with your organization.

Contact information

For questions about this Privacy Policy or to exercise your rights regarding data for which Bantero is the controller:

  • Email: privacy@okrnest.com
  • Company: Bantero AB, Org. nr: 556943-5273
  • Address: Långholmsgatan 16, 117 33 Stockholm, Sweden

2. When You Use the OKRnest Service

What personal data do we process?

When you use the OKRnest Service, the following personal data is processed:

Data category | Examples | Source
Account data | Name, email address, user role (Owner, Admin, or User) | Provided during account creation or by your organization’s administrator
Profile data | Profile picture, job title, department | Provided by you
Usage and log data | IP address, login timestamps, feature usage, activity patterns, device and browser information | Automatically collected

To create an account, you must provide your name and email address. This information is required for us to provide the Service and cannot be omitted.

In addition, the Service stores content data created by you and your colleagues — such as objectives, key results, check-ins, progress updates, and comments. This content is not intended to contain personal data, but may incidentally include personal data such as names or other references to individuals. Your organization is the controller of all content data, regardless of your role, and Bantero processes it for the purposes set out in the DPA — including providing, securing, and supporting the Service.

Why do we process your personal data?

The processing activities below apply to all Service users. For Owner data, Bantero is the controller and the legal bases are listed in the table. For Admin and User data, Bantero performs the same activities as a processor on behalf of your organization under the DPA — see Section 1 for details.

Purpose | Personal data used | Legal basis (Owner data)
Provide and operate the Service | Account data, usage data | Performance of contract (Art. 6(1)(b))
Create and manage your account | Account data, profile data | Performance of contract (Art. 6(1)(b))
Communicate with you — including: (1) transactional emails and in-product notices delivered to all users as part of the Service; and (2) non-transactional emails (such as product news, feature updates, information about available capabilities including paid features, and educational content such as webinar invitations), delivered to all users by default, subject to an organisational setting that allows the Owner to restrict these to Admins and Owners only, or to the Owner only | Email, name | Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) for non-transactional communications
Provide customer support and proactive customer success — including reviewing your use of the Service to provide tailored guidance and best-practice advice | Account data, usage data, content data, information provided to us | Legitimate interest (Art. 6(1)(f)) — to maintain and improve our customer service and help customers get more value from the Service
Improve the Service and analyze usage patterns | Usage data (aggregated or pseudonymized) | Legitimate interest (Art. 6(1)(f)) — to develop and improve our product
Ensure security, prevent fraud, debug, and manage capacity and performance | Log data, IP address | Legitimate interest (Art. 6(1)(f)) — to protect, maintain, and optimize our Service
Process data through AI Sub-processors (where AI Features are enabled) | As applicable | Legitimate interest (Art. 6(1)(f))

You can opt out of non-transactional emails at any time via the unsubscribe link or by contacting us at privacy@okrnest.com. In addition, the account Owner can restrict non-transactional emails to Admins and Owners only, or to the Owner only, via an organisational setting in the Service. This does not affect transactional emails or in-product notices, which are part of the Service.

If you are an Admin or User and have questions about how your data is processed, or wish to exercise your data protection rights, please contact your organization’s administrator in the first instance. We will assist your organization in fulfilling such requests.

How long do we store your personal data?

Data type | Retention period
Account and profile data | Duration of the customer contract or until the user is removed, whichever is earlier; deleted from production systems within 30 days of termination or removal. Backups purged within 90 days of production deletion, subject to any legal retention obligations.
Usage and log data | Up to 12 months
Content data (OKRs, comments, check-ins) | Duration of the customer contract; deleted from production systems within 30 days of termination. Backups purged within 90 days of production deletion, subject to any legal retention obligations.

Aggregated and anonymised data

Bantero may derive aggregated, non-identifiable statistics from Customer Data within the Service (“Aggregated Data”). Aggregated Data is processed so that it cannot be used to identify any individual, user, or customer, and does not reproduce any customer’s original content.

We use Aggregated Data to operate, analyse, improve, and develop the Service and to produce benchmarks and industry insights. Aggregated Data is only published or shared at an aggregate level across a sufficient number of customers so that no individual customer’s data can be inferred. Since Aggregated Data does not constitute personal data, it may be retained after the end of the customer relationship.

Billing (Owner only)

If you are an account Owner, we process billing-related personal data to fulfill our contractual obligations.

Data category | Examples | Source
Billing data | Company billing address, VAT number, invoice details | Provided by the account Owner
Payment data | Payment method | Processed by Stripe — we do not store card details

Legal basis: Performance of contract (Art. 6(1)(b)).

Retention: Billing and invoice data is retained for at least 7 years after the end of the financial year, in accordance with Swedish bookkeeping law (Bokföringslagen).

For self-service plans, payments are processed by Stripe, which acts as an independent controller for the payment transaction. For details on Stripe’s data protection commitments, see Stripe’s Privacy Policy and Stripe’s GDPR documentation.

Cookies in the Service

Within the OKRnest application, we use only strictly necessary cookies required to maintain your session and provide the Service. No analytics or marketing cookies are used within the application.

3. When You Visit Our Website

Where we get your personal data

We collect personal data directly from the device you use when visiting our Website. With your consent, third-party analytics and retargeting providers may also process personal data they have previously collected about you.

What personal data do we process?

Data category | Examples | Source
Technical data | IP address, browser type, operating system, device type, screen resolution | Automatically collected
Usage data | Pages visited, time spent, referral source, click patterns | Automatically collected via cookies
Retargeting data | Information collected by marketing pixels to enable us to show you OKRnest ads on other platforms after your visit | Third-party retargeting providers (with consent)
Contact data | Name, email, company name | Provided by you via contact forms or demo requests

Why do we process your personal data?

Purpose | Legal basis | Details
Provide a functioning website | Legitimate interest (Art. 6(1)(f)) | Essential technical operation, session management, security
Analyze and improve the website | Consent (Art. 6(1)(a)) | Analytics to understand usage patterns. We cannot identify you individually.
Retargeting — show OKRnest ads on other platforms | Consent (Art. 6(1)(a)) | After you visit our Website, you may see OKRnest ads on other platforms. We do not display third-party advertising on our Website.
Respond to your inquiries | Legitimate interest (Art. 6(1)(f)) | When you contact us via forms or email

Cookies and tracking technologies

Our Website uses cookies for essential functionality, analytics, and retargeting. You can manage your preferences at any time through our cookie banner. You can also restrict or block cookies through your browser settings — consult your browser’s help function for instructions. For full details on which cookies we use and how to control them, see our Cookie Policy.

How long do we store your personal data?

Data type | Retention period
Strictly necessary cookie data | Duration of your session or up to 3 months
Analytics data | Up to 14 months (as defined by our analytics provider’s retention settings)
Retargeting cookie data | Up to 6 months from your visit
Contact form inquiries | As long as necessary for the purpose of the inquiry and any ongoing business relationship. We review and delete data that is no longer needed at least annually.

Profiling

The retargeting technologies used on our Website enable third-party platforms (for example, LinkedIn and Meta) to identify that you visited okrnest.com, so that we can show OKRnest ads to you on those platforms. This constitutes profiling. The purpose is to reach organizations that have shown interest in our product — never to make decisions about you as an individual. You have the right to object to profiling — see Section 7 below.

Beyond this limited retargeting, we do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.

4. Marketing and Business Relationships

We may process your personal data in connection with marketing activities and business interactions with you or the organization you represent.

Personal data processed: Name, email address, role, organization, contact details, meeting notes, event attendance, correspondence, and information from public sources (e.g., your organization’s website, LinkedIn).

Legal basis: Legitimate interest (Art. 6(1)(f)) — to send relevant product information, document business interactions, and maintain customer and prospect relationships. If we record a meeting, we will obtain your consent before the recording starts (Art. 6(1)(a)).

We analyze how newsletters are opened and what links are clicked to improve our communications.

Retention: We review marketing and relationship data at least annually and delete data where no active business relationship or legitimate purpose exists. Meeting recordings are retained for up to 12 months. If you opt out of marketing, we retain your email in an unsubscribe register to ensure we do not contact you again.

You can opt out of marketing at any time by using the unsubscribe link or contacting us at privacy@okrnest.com.

5. Sharing of Personal Data

We do not sell your personal data. Your data is handled by our employees and, where necessary, consultants we engage. All personnel with access to personal data are bound by confidentiality obligations, and access is limited to those who need it to perform their work.

Third-party service providers

We use sub-processors and third-party service providers to process personal data — both when acting as a processor on behalf of your organization and when acting as a controller. These include:

  • Hosting and infrastructure providers — to host the Website and our internal business systems
  • Payment processing providers — to handle payments for self-service plans (we do not store card details)
  • Accounting and invoicing providers — to manage bookkeeping and invoicing
  • Website analytics and retargeting providers — to analyze Website usage and enable retargeting (only with your consent)
  • CRM and customer management providers — to manage relationships with customers and prospective customers
  • Customer support tools — to handle support inquiries and communication
  • Email and communication providers — to send newsletters and marketing communications
  • Monitoring and error tracking providers — to ensure service stability and resolve technical issues
  • Professional advisors and consultants — for legal, audit, marketing, and other business services

Any third-party service provider we engage to process personal data is required to do so in compliance with GDPR and applicable data protection law. Where they act as processors on our behalf, we have entered into data processing agreements to ensure appropriate safeguards are in place. Our sub-processor list is kept current and available at Sub-processor List.

Disclosure required by law or to protect legal rights

We may disclose your personal data if required to do so by law, regulation, or court order, or if such disclosure is necessary to protect Bantero’s legal rights, property, or safety, or the rights, property, or safety of others. We may also process your personal data to handle disputes, claims, or legal proceedings involving Bantero and the organization you represent.

6. International Data Transfers

For personal data that Bantero processes as controller, we and our service providers process your personal data primarily within the EU/EEA. In some cases, personal data may be transferred to countries outside the EU/EEA. Where such transfers occur, we ensure they are carried out in compliance with applicable data protection law, using one or more of the following safeguards:

  • EU Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, together with supplementary measures where needed
  • Adequacy decisions by the European Commission, where applicable

For information on international transfers related to Service data processed by Bantero as processor, see our Data Processing Agreement (DPA) and Sub-processor List.

7. Your Rights

Under the GDPR, you have rights regarding your personal data — including the right to access, rectify, erase, restrict processing, port your data, object to processing, and withdraw consent. For full details, see Articles 15–22 of the GDPR.

If you are an Owner, you may exercise these rights directly with Bantero by contacting us at privacy@okrnest.com. We will respond within 30 days.

If you are an Admin or User, your organization is the controller of your personal data in the Service. Please contact your organization’s administrator to exercise your rights. We will assist your organization in fulfilling such requests as required by the DPA and Applicable Data Protection Law.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data processed in the OKRnest Service, including:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and role-based permissions
  • Regular security assessments and monitoring
  • Employee and consultant confidentiality obligations
  • Customer Data stored in the EU (AWS Frankfurt), with a preference for EU/EEA-based processing across all Sub-processors. Where processing outside the EU/EEA is necessary, appropriate transfer safeguards are in place as described in the DPA.

For detailed information, see our Technical and Organisational Measures (TOMs) document.

For personal data that Bantero processes as controller outside of the Service (such as website data, marketing, and CRM), we ensure that appropriate security measures are in place, including through our agreements with third-party service providers as described in Section 5.

In the event of a personal data breach, Bantero will comply with its notification obligations under the GDPR. For Service data processed by Bantero as processor, our data breach notification obligations to the Customer are set out in the Data Processing Agreement (DPA).

9. Children’s Privacy

OKRnest is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In Sweden, the competent authority is:

Integritetsskyddsmyndigheten (IMY) Website: www.imy.se

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify the account Owner by email or through a notice in the Service. The “Last updated” date at the top indicates the most recent revision.

12. Governing Law

This Privacy Policy is governed by Swedish law. Bantero AB is subject to the EU General Data Protection Regulation (GDPR) and the Swedish supplementary data protection act (Dataskyddslagen, SFS 2018:218).
