Privacy Policy

Last updated: March 30, 2026

1. Introduction & Data Controller

This Privacy Policy explains how Mentcon AB ("we", "us", "our"), a company registered in Sweden, collects, uses, and protects personal data when you use the Verdnt service. Verdnt is the product name for our sustainability reporting tool. This policy covers the marketing site at verdnt.app and the Verdnt application hosted on subdomains of verdnt.app.

As the data controller under the EU General Data Protection Regulation (GDPR), we are responsible for your personal data.

We have appointed a Data Protection Officer (DPO) who can be reached at contact@mentcon.com.

2. Data We Collect

Account Data

  • Email address, display name
  • Securely hashed password or OAuth profile information (Google, Microsoft)
  • Security tokens (email verification, password reset)

Organisation Data

  • Organisation name, logo, industry classification
  • Headquarters address and country
  • Organisation description

Membership & Invitations

  • User roles within organisations
  • Invitation records (invitee email address, assigned role, status, and expiry date)

Report Data

  • VSME sustainability reporting data (disclosures, metrics, narratives)
  • Site location data (addresses submitted for VSME disclosures, geocoded via OpenStreetMap/Nominatim)
  • Entity identifiers, reporting periods, currency, report status

Activity & Audit Logs

  • VSME reporting audit logs — a record of changes to sustainability reporting data, including which user made each change and when
  • Report status history

Technical & Diagnostic Logs

  • Application performance and error logs used solely for troubleshooting and maintaining service reliability. These logs may contain user identifiers but are not used for profiling or analytics.

Collaboration

  • Real-time presence data (which users are editing which sections) — held in memory only, never persisted to disc

Marketing Site

  • Email address (if you sign up for the waitlist)
  • Anonymous usage data collected via Google Analytics, only if you consent (see Section 10 for details)

3. What We Do NOT Collect

  • We do not permanently store IP addresses. IP addresses may be used transiently for rate limiting and may appear in short-lived diagnostic logs (retained no longer than 90 days).
  • We do not use browser fingerprinting
  • We do not collect payment or financial data
  • We do not engage in automated decision-making or profiling as defined by GDPR Article 22

4. How We Use Your Data (GDPR Legal Bases)

Contract Performance — Art. 6(1)(b)

We process your account, organisation, and reporting data as necessary to provide the Verdnt service you signed up for. This includes creating and managing your account, enabling collaboration within your organisation, processing invitation records, and generating sustainability reports.

Legitimate Interest — Art. 6(1)(f)

We rely on legitimate interest for the following processing activities:

  • VSME reporting audit logs — we record changes to sustainability reporting data (e.g. which user modified a disclosure and when) to ensure the integrity and traceability of reports. Organisations rely on these logs to verify that their published data is accurate and accountable.
  • Technical and diagnostic logs — we collect application performance and error logs to maintain service reliability, diagnose issues, and keep the platform secure.

We have assessed that these interests do not override your rights and freedoms. The personal data processed is limited to user identifiers linked to specific actions, and is not used for profiling, marketing, or any purpose beyond data integrity and service maintenance.

Legal Obligation — Art. 6(1)(c)

We may process personal data where necessary to comply with a legal obligation, such as responding to valid requests from competent authorities or meeting regulatory record-keeping requirements under applicable sustainability reporting legislation.

Consent — Art. 6(1)(a)

We process your data on the basis of consent for the following:

  • Waitlist signup and optional communications
  • Analytics cookies on our marketing site (Google Analytics)

You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. Obligation to Provide Data

Certain personal data is required in order to use the Verdnt service:

  • An email address and display name (or OAuth profile) are required to create an account. Without this information, we cannot register you as a user.
  • Organisation name, headquarters address, and other required fields are necessary to set up an organisation within Verdnt. Without this information, you will be unable to create or manage an organisation.

Providing this data is a contractual requirement, not a statutory one. If you choose not to provide the required data, you will simply be unable to use the corresponding features of the service.

6. Third-Party Services

  • Google Analytics — used on our marketing site (verdnt.app) only, to understand how visitors use the site in aggregate. Google Analytics is loaded only after you provide consent via our cookie banner. Google may process data outside the EEA under the EU–U.S. Data Privacy Framework. Google Analytics is not used on the Verdnt web application. See Google’s Privacy Policy for details.
  • Nominatim / OpenStreetMap — geocoding of site location addresses submitted in VSME disclosures. Queries are cached for 7 days. Governed by the OpenStreetMap Foundation Privacy Policy.
  • OAuth Providers (Google, Microsoft) — if you choose to sign in via OAuth, we receive your name, email, and profile picture from the provider. We do not receive or store your password from these services.
  • Email Delivery Service — we use a third-party email service provider for transactional emails only (account verification, password reset, invitations). We do not send marketing emails unless you opt in.

In-App Analytics

The Verdnt web application collects anonymous, aggregated usage statistics using our own built-in tooling. This includes data such as the number of active users and page navigation patterns. This data cannot be used to identify individual users, is never shared with third parties, and is used solely to maintain and improve the service.

7. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. Your data is shared only:

  • With other members of your organisation, according to their assigned role
  • With the third-party service providers listed above, solely to provide the service
  • If required by law or a valid legal request from a competent authority

8. Data Retention

  • Account data — retained while your account is active, then deleted within 30 days of account deletion.
  • VSME reporting audit logs — retained for the lifetime of the associated report. When a report is deleted, its audit logs are deleted with it.
  • Technical and diagnostic logs — retained only for as long as necessary for troubleshooting and service maintenance, and in any case no longer than 90 days.
  • Invitation records — accepted, revoked, or expired invitations are deleted 30 days after their respective acceptance, revocation, or expiry date.
  • Waitlist emails — retained until the service is publicly available, then deleted. Regardless of service launch, waitlist emails will not be retained for more than 12 months from the date of collection.
  • Google Analytics data — retention is governed by our Google Analytics configuration and Google’s data retention policies. We configure Google Analytics with the shortest available data retention period.

9. Your GDPR Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”) (Art. 17)
  • Restrict processing of your data (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))
  • Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects (Art. 22). We do not currently engage in any such processing.

To exercise any of these rights, contact us at contact@mentcon.com. We will respond within 30 days. If your request is particularly complex or we receive a large number of requests, we may extend this period by up to two further months, in which case we will inform you within the initial 30-day period.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

10. Cookies & Tracking Technologies

Marketing Site (verdnt.app)

Our marketing site uses a cookie consent banner. You may choose to accept or decline optional cookies.

  • Strictly necessary cookies — CSRF tokens to protect against cross-site request forgery. These do not require consent.
  • Analytics cookies (optional) — Google Analytics cookies, loaded only if you consent. These help us understand aggregate visitor behaviour on the marketing site. You may withdraw consent at any time via the cookie settings on our site.

Verdnt Web Application

The Verdnt web application does not use third-party analytics cookies. It uses only:

  • CSRF tokens — functional security cookies to protect against cross-site request forgery.
  • Session storage — cached profile data for performance, cleared when you close your browser tab.

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Passwords securely hashed using industry-standard algorithms (never stored in plain text)
  • All traffic encrypted via HTTPS
  • Role-based access controls within organisations

12. International Transfers

Our marketing site is hosted by Websupport (Sweden). The Verdnt web application and database are hosted by Railway within the European Economic Area.

Some of the third-party services we rely on may process limited personal data outside the EEA:

  • Google (OAuth authentication, Google Analytics) and Microsoft (OAuth authentication) may transfer data to the United States. These providers operate under the EU–U.S. Data Privacy Framework or EU-approved Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection as required by the GDPR.
  • Email delivery provider — our email service provider may process limited personal data (email addresses) outside the EEA. We ensure that any such provider operates under adequate data protection mechanisms as required by the GDPR.

If the legal basis for any international transfer were to be invalidated, we will take steps to ensure continued compliance, including adopting alternative transfer mechanisms or ceasing the relevant data transfer.

13. Children’s Privacy

Verdnt is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. We will notify registered users of material changes via the application or email.

15. Contact

If you have any questions about this Privacy Policy or how we handle your data:

Mentcon AB
Org.nr 559018-4825
Drakes väg 2C, 186 42 Vallentuna, Sweden
contact@mentcon.com