Terms and Conditions & Privacy policy



General Terms and Conditions

Website use · Consulting services · Training programmes

Version 1.0 | Last updated: February 2026 | hsib.se




Data Controller

HSIB AB | Org.nr: 559502-3895

Mellanbågen 16, 907 38 Umeå, Sweden

support@hsib.se | hsib.se

VAT registered | F-skatt | Registered: Bolagsverket & Skatteverket




Note

These Terms govern your use of hsib.se and any engagement with HSIB AB for consulting, training, or documentation services. By accessing the website or engaging HSIB AB, you agree to these terms. Questions? Contact support@hsib.se before proceeding.




1. Definitions

The following terms have the meanings set out below throughout these Terms and Conditions:



HSIB AB / we / us

HSIB AB, Org.nr 559502-3895, a limited liability company (aktiebolag) registered in Sweden, with registered address at Mellanbågen 16, 907 38 Umeå, Sweden.


Client / you

Any person, legal entity, or organisation that accesses hsib.se, submits an inquiry, or enters into an engagement with HSIB AB.


Website

The website at hsib.se and all sub-pages and published content thereon.


Services

All consulting, advisory, documentation, training, compliance assessment, and registration services provided by HSIB AB as described on the Website and in Engagement Confirmations.


Engagement Confirmation

A written proposal acceptance, agreement, or email confirmation specifying scope, deliverables, timeline, and price for a specific engagement.


Deliverables

All written documents, reports, assessments, policies, training materials, and other outputs produced by HSIB AB for a specific engagement.


Confidential Information

All non-public information disclosed by either party in connection with an engagement, including business data, client details, regulatory findings, and pricing.


Applicable Law

Swedish law and applicable EU law, including GDPR (EU 2016/679), Cybersäkerhetslagen (SFS 2025:1506), EU AI Act (Regulation EU 2024/1689), and the Cyber Resilience Act (Regulation EU 2024/2847).


2. Scope of Services and Important Disclaimers

2.1 Nature of Services

HSIB AB is a compliance consulting firm — not a law firm (advokatbyrå). We do not provide legal representation and nothing we deliver constitutes a formal legal opinion. Where a matter requires licensed legal counsel, court representation, or formal legal advice, the Client should instruct independent counsel.



Important

HSIB AB is a compliance consulting firm — not a law firm (advokatbyrå). We do not hold an Advokat licence issued by Sveriges advokatsamfund. Our services are operational compliance consulting and documentation — not legal advice within the meaning of Rättegångsbalken or the Swedish Bar Association's regulations. Deliverables are compliance documents, not legal opinions.


2.2 No Lawyer-Client Relationship

Engaging HSIB AB does not create a lawyer-client relationship. Where a matter requires formal legal advice, court representation, or complex contractual dispute resolution, HSIB AB will inform the Client and recommend that independent licensed legal counsel is sought.



2.3 Regulatory Currency

HSIB AB makes reasonable efforts to ensure all advice and documents reflect current law as of the date of delivery. Regulatory frameworks are subject to change. Previously delivered Deliverables are not automatically updated unless the Client holds a Monthly Compliance Retainer or commissions a specific update engagement.



2.4 Jurisdictional Scope

Services are designed for organisations operating within Sweden and the European Union under EU regulatory frameworks. HSIB AB does not provide advice on laws outside the EU/EEA unless explicitly agreed in writing.



3. How Engagements Are Formed

An engagement with HSIB AB is formed when: (a) the Client submits an inquiry via the Website or by email; (b) HSIB AB provides a written proposal specifying scope, deliverables, timeline, and price; and (c) the Client accepts the proposal in writing, including by email. Verbal agreements and informal communications do not constitute binding engagements.



3.1 Intake Information

Deliverable quality depends on the completeness and accuracy of information provided by the Client. HSIB AB is not liable for deficiencies arising from inaccurate, incomplete, or delayed information from the Client.



3.2 Scope Changes

Changes to agreed scope must be requested and confirmed in writing before work on the change begins. Scope changes may result in revised pricing and timelines.



3.3 Delivery

Deliverables are provided in the formats specified in the Engagement Confirmation (typically Word and PDF). Timelines are estimates made in good faith and assume timely receipt of required information. HSIB AB will notify the Client promptly if a timeline cannot be met.



4. Fees, Payment, and Pricing

4.1 Pricing and VAT

All fees are in Swedish kronor (SEK) unless otherwise specified. Prices on the Website are indicative starting prices. Final fees are confirmed per engagement. All prices are exclusive of Swedish VAT (moms) at the applicable rate, which will be added to invoices.



4.2 Payment Terms

Unless otherwise agreed in the Engagement Confirmation:

Invoices are issued upon completion of the engagement or delivery of the agreed Deliverable.

Payment is due within 30 days of the invoice date.

For engagements exceeding 15,000 SEK, HSIB AB may require a 50% advance payment before commencing work.

Monthly Compliance Retainer fees are invoiced monthly in advance.



4.3 Late Payment

Late payments are subject to statutory interest under the Swedish Interest Act (Räntelagen, SFS 1975:635) at the Riksbank reference rate plus 8 percentage points from the due date.

A reminder fee (påminnelseavgift) may be charged only if agreed between the parties and may not exceed the statutory maximum (currently 60 SEK). Statutory collection costs may also apply where applicable, in accordance with Lag (1981:739) om ersättning för inkassokostnader m.m.



4.4 Disputed Invoices

Good-faith invoice disputes must be notified in writing to support@hsib.se within 14 days of the invoice date, specifying the nature of the dispute. Undisputed portions remain payable on the original due date.



5. Intellectual Property

5.1 HSIB AB's Pre-Existing IP

All methodologies, frameworks, templates, training materials, checklists, and know-how developed by HSIB AB prior to or independently of a client engagement remain the exclusive intellectual property of HSIB AB. Nothing in these Terms transfers ownership of HSIB AB's pre-existing IP to the Client.



5.2 Deliverables Licence

Upon receipt of full payment, HSIB AB grants the Client a perpetual, non-exclusive, non-transferable licence to use the Deliverables for the Client's own internal compliance purposes. The Client may not resell, sublicence, publish, or distribute Deliverables to third parties without HSIB AB's prior written consent.



5.3 Website Content

All content on hsib.se is the intellectual property of HSIB AB, protected by Swedish and EU copyright law. Reproduction or systematic copying of Website content without written permission is prohibited.



6. Confidentiality

Both parties agree to keep confidential all Confidential Information received from the other party in connection with an engagement, during the engagement and for five (5) years following its termination. Permitted disclosures: (a) to employees or contractors of HSIB AB who need access to deliver Services, under equivalent obligations; (b) where required by Applicable Law or court order; or (c) with prior written consent. HSIB AB may use anonymised and aggregated information to improve its services, but will not use Client-identifying information in published materials without written consent.



7. Limitation of Liability

Important

This section is important. Please read carefully.




7.1 No Guarantee of Regulatory Outcome

HSIB AB delivers compliance consulting based on its professional assessment of applicable regulatory requirements at the time of delivery. HSIB AB does not guarantee that any Deliverable or advice will result in full regulatory compliance, prevent enforcement action by IMY, MCF, or any other regulatory authority, or protect the Client against all regulatory risk. Regulatory authorities retain independent enforcement discretion.



7.2 Liability Cap

To the maximum extent permitted by Swedish law, HSIB AB's total aggregate liability for any claim arising out of or connected with an engagement shall not exceed the total fees paid by the Client for the specific engagement giving rise to the claim. For Monthly Compliance Retainer clients, the cap is three (3) months of retainer fees.



7.3 Excluded Losses

HSIB AB shall not be liable for: indirect, consequential, or special losses; loss of profit, revenue, or business; regulatory fines or penalties imposed on the Client; losses arising from the Client's failure to implement recommendations; losses from inaccurate information provided by the Client; or losses from changes in law after the date of delivery.



8. Data Processing in Service Engagements

Where HSIB AB processes personal data on behalf of a Client while delivering Services (for example, reviewing client data as part of a GDPR audit), HSIB AB acts as data processor and the Client acts as data controller. In such cases, the parties will enter into a separate Data Processing Agreement (DPA) as required by GDPR Article 28, governing the processing of personal data in connection with the Services. Personal data of website visitors and inquiry submitters is processed by HSIB AB as data controller, governed by the Privacy Policy in Part 2 of this document.



9. Website Use

You may access and use hsib.se to learn about HSIB AB's services, submit inquiries, and access published content. You may not: use the Website unlawfully; transmit spam via contact forms; attempt unauthorised access to any part of the Website; use automated tools to scrape Website content; transmit malicious code; or misrepresent your identity. HSIB AB accepts no liability for losses arising from Website unavailability.



10. Termination

10.1 Termination by Either Party

Either party may terminate an ongoing engagement by giving 30 days' written notice. For fixed-scope, fixed-price engagements already commenced, termination by the Client does not entitle the Client to a refund for work already completed.



10.2 Immediate Termination by HSIB AB

HSIB AB may terminate immediately and without notice if the Client: fails to pay any invoice within 60 days of the due date; provides materially false information; requests that HSIB AB perform any act that would violate Applicable Law or HSIB AB's professional standards; or engages in abusive or threatening conduct toward HSIB AB staff.



10.3 Effect of Termination

Upon termination, the Client pays for all work completed and costs incurred up to the termination date. Sections 5 (IP), 6 (Confidentiality), 7 (Liability), and 11 (Governing Law) survive termination.



11. Governing Law and Disputes

These Terms and all engagements are governed by Swedish law, excluding its conflict of law provisions. The parties shall first attempt to resolve disputes by good-faith negotiation within 30 days of written notice. If unresolved, disputes shall be settled by the Swedish courts, with Umeå tingsrätt as the court of first instance, unless mandatory law requires otherwise. Consumer clients (konsumenter) retain all rights under mandatory Swedish consumer protection law and may contact Allmänna reklamationsnämnden (ARN) at www.arn.se.



12. Changes to These Terms

HSIB AB may update these Terms at any time. The current version is always published at hsib.se with the date of last update. Material changes to ongoing engagements will be notified by email at least 30 days before taking effect. Continued use of the Website or services after the effective date constitutes acceptance.



13. Miscellaneous

Force Majeure: HSIB AB is not liable for failure or delay due to circumstances beyond its reasonable control, including pandemics, cyberattacks, or third-party infrastructure failures.

Entire Agreement: These Terms, the Engagement Confirmation, and any applicable DPA constitute the entire agreement and supersede all prior communications.

Severability: If any provision is unenforceable, it shall be modified to the minimum necessary extent, and remaining provisions continue in full force.

No Waiver: Failure to enforce any right does not constitute a waiver.

Contact: support@hsib.se






Privacy Policy

How HSIB AB collects, uses, and protects your personal data

Version 1.0 | Last updated: February 2026 | hsib.se








Note

HSIB AB is committed to protecting your privacy. This policy explains what personal data we collect, why, the legal basis, how long we keep it, and your rights under GDPR and Swedish law. Supervisory authority for personal data: IMY (Integritetsskyddsmyndigheten, www.imy.se).


1. Who We Are

Data Controller

HSIB AB

Organisation number

559502-3895

Registered address

Mellanbågen 16, 907 38 Umeå, Sweden

Email

support@hsib.se

Website

hsib.se

Personal data authority

IMY — www.imy.se


Contact us at any time at support@hsib.se. We respond within 30 days to all privacy-related requests.



2. What Data We Collect and Why


Contact form & email inquiries:

Data: Name, email, company name, job title, message content
Legal basis: Art. 6(1)(b) — steps prior to contract; or Art. 6(1)(f) — legitimate interest in responding to business inquiries
Retention: 12 months after last contact, or until engagement commences


Delivering consulting services:

Data: Name, email, company details, and information shared during the engagement (may include business data, staff information, and system details depending on service scope)
Legal basis: Art. 6(1)(b) — performance of contract
Retention: 7 years after engagement end (Bokföringslagen requirement)


Invoicing and accounting:

Data: Name, company name, organisation number, address, email, invoice amounts
Legal basis: Art. 6(1)(c) — legal obligation under Bokföringslagen (SFS 1999:1078)
Retention: 7 years after the end of the calendar year in which the financial year ended (Swedish accounting archiving rule).


Monthly Compliance Retainer:

Data: Name, email, company details, support correspondence
Legal basis: Art. 6(1)(b) — performance of contract
Retention: Retainer duration + 12 months after termination


BAM Training:

Data: Participant name, email, employer, course completion records, certificates.
Legal basis: Art. 6(1)(b) — performance of contract; and/or Art. 6(1)(f) — legitimate interest in record-keeping and certificate verification.

Website analytics (cookie-free; Framer Analytics):


Data: Framer’s built-in analytics counts page views and unique visitors using a hashed IP address + user agent with a daily rotating salt; no cookies and no persistent identifiers.
Legal basis: Art. 6(1)(f) — legitimate interest in understanding site usage and improving the Website.
Retention: Analytics are stored in aggregated form in the Framer dashboard; the daily hash resets each day.


Marketing (opt-in only):

Data: Name, email, company, preferences
Legal basis: Art. 6(1)(a) — consent, opt-in only; you may withdraw at any time
Retention: Until unsubscription or consent withdrawal


Legal claims and disputes:

Data: Any personal data relevant to the dispute
Legal basis: Art. 6(1)(f) — legitimate interest in establishing or defending legal claims
Retention: Duration of proceedings + Swedish statutory limitation periods

Your Rights

We never sell your personal data. We do not use your data to train AI models. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.




3. Special Categories of Data

HSIB AB does not intentionally collect special categories of personal data (health data, racial or ethnic origin, political opinions, biometric data, etc.) in standard service delivery. If a specific engagement involves such data (for example, reviewing a healthcare organisation's processing), appropriate GDPR Article 9 safeguards will be agreed separately in writing.



4. Who We Share Your Data With

4.1 Service Providers (Processors)

We use trusted third-party processors, including providers of email and communication services, cloud storage and document management, invoicing and accounting software, and website hosting. All processors are bound by Data Processing Agreements and must implement appropriate security measures. We use only providers in the EU/EEA or covered by adequate transfer mechanisms.



4.2 Legal Requirements

We may disclose personal data if required by Swedish or EU law, a court order, or a regulatory authority (IMY, MCF, PTS), or where necessary to establish, exercise, or defend legal claims.



4.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of HSIB AB's business, personal data may transfer to the acquiring entity under equivalent privacy protections.



5. International Data Transfers

HSIB AB is based in Sweden and processes personal data primarily within the EEA. Where any third-party service provider processes personal data outside the EEA, we ensure an appropriate GDPR Chapter V transfer mechanism is in place — Standard Contractual Clauses (SCCs), adequacy decision, or other approved safeguards. Contact support@hsib.se for information about specific mechanisms.



6. Security

HSIB AB implements appropriate technical and organisational security measures under GDPR Article 32, including: HTTPS/TLS encryption for all website communications; access controls limiting data access to personnel who require it for service delivery; secure document storage; regular security reviews; and incident response procedures including 72-hour notification to IMY for qualifying personal data breaches under GDPR Article 33.



Important

No method of electronic transmission is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.




7. Cookies

HSIB AB does not use cookies or similar tracking technologies on hsib.se for analytics or marketing.
Framer’s built-in analytics is cookie-free and does not set cookies.
If we add third-party embeds or tools in the future that set cookies (e.g., video embeds, maps, payment widgets), we will update this policy and, where required, obtain consent before placing non-essential cookies.



8. Your Rights Under GDPR

Your Rights

You can exercise any of the rights below by contacting support@hsib.se. We acknowledge within 5 business days and respond in full within 30 days (extendable to 3 months for complex requests, with notice). You also have the right to lodge a complaint with IMY at any time, without first contacting us.

Access (Art. 15)

Obtain confirmation of whether we process your data, and receive a copy together with information about the processing.

Rectification (Art. 16)

Have inaccurate data corrected and incomplete data completed.

Erasure (Art. 17)

Request deletion where data is no longer necessary, consent is withdrawn and no other basis exists, or processing is unlawful.

Restriction (Art. 18)

Request that we limit processing in certain circumstances — e.g., while you contest data accuracy.

Portability (Art. 20)

Receive your data in a structured, machine-readable format where processing is based on consent or contract and is automated.

Object (Art. 21)

Object to processing based on legitimate interests. We will cease unless compelling legitimate grounds override your interests, or processing is needed for legal claims.

Withdraw Consent (Art. 7(3))

Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing.

Complaint to IMY

Lodge a complaint with IMY (www.imy.se) or PTS (www.pts.se) for cookies, or the supervisory authority in your EU member state.




9. Retention Periods

We retain personal data only as long as necessary for the purpose collected, or as required by law. Key retention rules:


Accounting/invoicing records: 7 years after the end of the calendar year in which the financial year ended — mandatory under Bokföringslagen (SFS 1999:1078).


Inquiry-only contacts who do not become clients: 12 months from last contact


Marketing data: until unsubscription or withdrawal of consent


BAM course records: 5 years after completion


On expiry, data is securely deleted or irreversibly anonymised



10. Children's Data

HSIB AB's services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under 18. If you believe a person under 18 has provided data without parental consent, contact support@hsib.se and we will delete it promptly.



11. AI and Automated Processing

HSIB AB does not use AI systems to make automated decisions about individuals that produce legal or similarly significant effects. Where HSIB AB uses AI-assisted tools internally for research or drafting, human review is always applied before output is delivered to a Client. Client data is not used to train any AI models.



12. Changes to This Policy

HSIB AB may update this Privacy Policy to reflect changes in law (including IMY and PTS guidance), regulatory requirements, or our data processing practices. The current version is always published at hsib.se with the date of last update. Material changes affecting existing clients will be notified by email at least 30 days before taking effect.



13. Contact and Complaints

Email

support@hsib.se

Post

HSIB AB, Mellanbågen 16, 907 38 Umeå, Sweden

Response time

Acknowledgement within 5 business days; full response within 30 days

IMY (personal data)

www.imy.se — you may complain at any time without first contacting us

PTS (cookies)

www.pts.se





Note

This Privacy Policy was prepared by HSIB AB in accordance with GDPR (EU 2016/679), the Swedish Supplementary GDPR Act (Dataskyddslagen, SFS 2018:218), the Swedish Electronic Communications Act (LEK, SFS 2022:482), and current IMY and PTS guidance including IMY's April 2025 cookie banner standards. Last reviewed: February 2026.