Privacy Policy

Last updated: April 10, 2026

1. Who Is Responsible for Your Personal Data?

This policy covers two contexts:

• This website (reonoma.com / reonoma.se) — where you can read about our products and services. Reonoma UF is the data controller for this website.
• Our visitor management system (reonomavisiting.com) — where visitors check in at customer premises. The company whose premises you visit is the data controller. Reonoma UF acts as data processor on their behalf.

For questions about how your visitor data is handled, contact the company you visited first. For questions about the website or our technical platform, contact Reonoma at info@reonoma.com.

2. What Personal Data Do We Collect?

2.1 Visitor Data (via our check-in system)

When checking in as a visitor, the following data may be collected:

Data	Required	Purpose
Name	Yes	Identify visitor, evacuation list
Company/organisation	Yes	Identify the visitor's affiliation
Host (person you are visiting)	Yes	Direct the visitor to the correct recipient
Email address	Optional*	Contact possibility if needed
Phone number	Optional*	Contact possibility if needed

* Configured by the responsible company. Some fields may be disabled.

2.1b Pre-registration Data (via Outlook add-in or admin panel)

When pre-registering visitors, the following data may be collected:

Data	Source	Purpose
Name and email	Meeting invitation / admin	Create personal pre-registration, send invitation email
Host name and email	Meeting organiser / admin	Link visit to the correct host
Meeting subject	Meeting invitation	Displayed to the reception
Meeting time	Meeting invitation	Scheduling, automatic deletion

In addition, the following is recorded automatically:

• Check-in and check-out times
• IP address and browser info — for abuse protection (logged separately)

2.2 Website Data

When you visit reonoma.com or reonoma.se, we collect anonymized usage data via Google Analytics (GA4) — only with your consent. See Section 7 for cookie details.

2.3 Contact Form Data

When you use our contact form, we collect your name, email, and message. This data is processed by Formspree and forwarded to our email.

3. Why Do We Process Your Data?

Personal data is processed to:

• Manage and document visits to the premises
• Enable safe evacuation in an emergency (fire list)
• Provide the visitor with relevant information (directions, Wi-Fi, etc.)
• Prevent abuse of the check-in system
• Send invitation emails with practical information to pre-registered guests
• Notify host via email, SMS, or Microsoft Teams when a visitor arrives

4. Legal Basis

The processing of visitor data is based on legitimate interest (GDPR Article 6(1)(f)). The legitimate interest is:

• Safety on the premises (knowing who is in the building)
• Efficient visitor management (directing visitors, notifying hosts)

A balancing test has been conducted where the company's need for safety and visitor management is deemed to outweigh the intrusion that the processing entails, particularly given the short retention period and the limited amount of data collected.

5. Data Retention

Data	Retention Period
Active visits	Until you check out
Archived visits	8 days after check-out, then automatically deleted
Pre-registrations (manual)	Deleted upon check-in or after 8 days
Pre-registrations (Outlook)	Deleted upon check-in or at latest 12 hours after the scheduled meeting time
Access logs (IP)	8 days
SMS logs	30 days (recipient number + timestamp)
Website analytics	14 months (Google Analytics default)

6. Who Has Access to Your Data?

We do not sell personal data.

Website (reonoma.com / reonoma.se)

Data from this website is shared with:

• Google Analytics — website usage statistics (only with your consent)
• Formspree — contact form processing
• Cloudflare — website hosting, CDN, and security

Visitor Management System (reonomavisiting.com)

Visitor data in our check-in system is shared with:

• The responsible company — admins and authorised staff can view the visitor log
• Reonoma UF — as data processor (technical operations)
• Supabase GmbH (Frankfurt, Germany) — sub-processor for authentication and file storage
• Hetzner Online GmbH (Germany) — sub-processor for server infrastructure
• 46elks AB (Sweden) — SMS notifications to hosts (if SMS is enabled by the customer company)
• SMTP provider (EU) — sending invitation emails to guests and email notifications to hosts

Employees without admin privileges can only see visits where they are the designated host.

All visitor data is stored within the EU/EEA. No data is transferred to third countries.

7. Cookies and Local Storage

Website (reonoma.com / reonoma.se)

Type	Name	Purpose	Duration
Cookie	_ga	Google Analytics — distinguish unique users	2 years
Cookie	_ga_*	Google Analytics — maintain session state	2 years
localStorage	reonoma_consent	Remember cookie consent choice	Persistent

Google Analytics cookies are only set after you give consent via the cookie banner. We do not use marketing or advertising cookies.

Visitor Management System

Type	Name	Purpose	Duration
Cookie	sb_access_token	Login for authorised staff	1 hour
Cookie	reonoma_visit	Easier check-out (visitor does not need to type name)	24 hours
localStorage	sb_access_token	Login (admin interface)	Until logout

Visitors checking in via QR code do not need to log in. An optional cookie (reonoma_visit, 24 hours) may be set to enable easier check-out.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Access your personal data (Article 15)
• Rectification of inaccurate data (Article 16)
• Erasure of your data (Article 17)
• Object to the processing (Article 21)
• Restriction of processing (Article 18)
• Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se

To exercise your rights, contact the company whose premises you visited or Reonoma at info@reonoma.com.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• HTTPS/TLS encryption for all data communication
• Role-based access control (admin, employee, receptionist)
• JWT-based authentication with time-limited tokens (1 hour)
• Parameterised SQL queries (protection against SQL injection)
• Database access restricted to the application layer
• All servers located within the EU (Hetzner, Germany)
• Automatic deletion of visitor data after 8 days
• Weekly visitor limit with soft overage (check-in is never blocked)
• Rate limiting per authenticated user

10. Data Processing Agreement

Reonoma has a Data Processing Agreement (DPA) in place that governs the relationship between data controllers (our customers) and Reonoma as data processor. The DPA is included as part of the service agreement and covers sub-processors, technical measures, incident management, and data deletion procedures.

11. Changes to This Policy

We may update this privacy policy. In the event of material changes, the responsible company will be informed, and they are in turn responsible for informing their visitors.

12. Contact Us