Last updated: 2026-06-04
Roughly Right cares about privacy and protecting your personal data. This policy describes how we handle personal data in connection with our own business — for example when someone visits our website, requests a demo, or registers an account. In relation to the data described in this policy, Roughly Right acts as the data controller.
Using the Roughly Right tool? This policy does not cover data that your organisation enters into the Roughly Right application — such as your employees' time reports, projects, or contacts. That data belongs to you, and how we handle it on your behalf is set out in our Personal Data Assistance Agreement. If one of your employees or contacts wants to know how their data is handled within your use of Roughly Right, they should contact you directly.
Roughly Right AB, Reg. No. 556912-2871 ("Roughly Right", "we", "us", "our") is the data controller for the personal data described in this policy.
Contact:
St Paulsgatan 16, 118 46 Stockholm
Email: info@roughlyright.com
Phone: +46 709 42 20 94
"Applicable Law" refers to the legislation applicable to the processing of Personal Data, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or EU supervisory authority.
"Controller" is the company/organisation that decides for what purposes and in what way personal data is to be processed and is responsible for the Processing of Personal Data in accordance with Applicable Law.
"Data Subject" is the living, natural person whose Personal Data is being processed.
"Personal Data" is all information relating, directly or indirectly, to an identifiable natural person.
"Processing" means any operation or set of operations which is performed on Personal Data, e.g. storage, modification, reading, handover and similar.
"Processor" is the company/organisation that processes personal data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and Applicable Law.
The definitions above shall apply in this policy regardless of whether they are capitalised or not.
We process personal data on one of the following grounds:
Performance of a contract — The processing is necessary for the performance of a contract entered into between us and you, or to prepare for entering into an agreement with you.
Legitimate interest — We may process personal data where we have assessed that our legitimate interest overrides your interest in protecting your privacy, and where the processing is necessary for the purpose in question.
Consent — Where you have given us explicit consent to process your data for a specific purpose, such as connecting your Google account. You may withdraw consent at any time — see Your Rights below.
We will keep your personal data only as long as necessary for the purpose for which it was collected.
Account registration — to give you access to the Roughly Right tool. Personal data: e-mail, name, company, number of employees/users. Source: directly from you. Lawful basis: performance of a contract. Retention: for the duration of your account.
Demo or meeting requests — to respond to your enquiry. Personal data: e-mail, name. Source: directly from you. Lawful basis: legitimate interest. Retention: 24 months.
Website analytics — to understand how our website is used and improve it. Personal data: IP address, browser and device information. Source: automatically collected. Lawful basis: legitimate interest. Retention: 26 months.
Sourcing potential customers from publicly available sources. Personal data: name, e-mail, telephone number, company. Source: publicly available sources such as websites and LinkedIn. Lawful basis: legitimate interest. Retention: 24 months.
Opt-out records — to respect your wish not to be contacted. Personal data: name, e-mail, company. Source: directly from you. Lawful basis: legitimate interest. Retention: 24 months.
Google Calendar integration — to allow you to import calendar events as time report entries. See the dedicated section below. Personal data: calendar event data (titles, times, attendees). Source: your Google account, with your consent. Lawful basis: consent. Retention: retained as time report entries for the duration of your account, or until you disconnect your Google account and request deletion.
This section describes how we access, use, store and share data obtained through Google APIs, in compliance with the Google API Services User Data Policy.
Roughly Right's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you choose to connect your Google account to Roughly Right, we request access to the following scope:
calendar.readonly — Read-only access to your Google Calendar, allowing us to retrieve calendar events (titles, start and end times, attendee information) so you can import them as time reporting entries.
We request only the minimum permissions necessary. We do not access your Gmail, Google Drive, contacts, or any other Google services.
Google Calendar data is used solely to import calendar events as time report entries. When you initiate an import, we fetch events for a selected period and present them for you to choose which to log. We do not use Google Calendar data for advertising, profiling, or any other purpose.
We do not sell, rent, or share your Google Calendar data with third parties for their own purposes. It is stored within our application infrastructure hosted by Digital Ocean (EU/EEA).
Imported calendar data is stored on Digital Ocean within the EU/EEA and protected by the same technical and organisational security measures described in the Security section below.
Imported calendar data is retained as part of your time reporting records for the duration of your account. If you disconnect your Google account, we immediately stop fetching new data. You can request deletion of previously imported data at any time by contacting info@roughlyright.com — we will process deletion requests within 30 days. Upon account closure, all data is deleted or anonymised.
You are in control of your personal data. You have the right to:
Access — receive information about the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — request deletion of your personal data when it is no longer necessary for the purpose for which it was collected.
Withdraw consent — if processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Object — object to processing based on legitimate interest. We will review our assessment and cease processing if we cannot demonstrate compelling grounds.
Restriction — ask us to restrict processing in certain circumstances.
Data portability — receive your data in a commonly used, machine-readable format.
To exercise any of these rights, contact us at info@roughlyright.com.
To run our business, we share personal data with the following processors. We have entered into Personal Data Assistance Agreements with all of them. Where data is transferred outside the EU/EEA, we ensure adequate protection through EU Commission standard contractual clauses (SCCs) or by verifying the data is processed within the EU/EEA.
Google (GSuite). Personal data: e-mail, name, information arising via communication. Purpose: our internal e-mail provider. Transfer safeguard: SCCs.
Google Calendar API. Personal data: calendar event data (titles, times, attendees) — read-only, with your consent. Purpose: calendar import feature. See Google Calendar section above. Transfer safeguard: SCCs.
Postmark. Personal data: e-mail, name. Purpose: automated e-mails such as account registration confirmations. Transfer safeguard: SCCs.
Amazon Web Services (AWS). Personal data: IP address, website visitor data. Purpose: hosts our public website (roughlyright.com). Transfer safeguard: data processed within EU/EEA.
Digital Ocean. Personal data: database, logs, images and all data entered into the Roughly Right application, including data imported via integrations such as Google Calendar and Fortnox. Purpose: hosts the Roughly Right application and all associated user data. Transfer safeguard: data processed within EU/EEA.
Datadog. Personal data: user ID, name, e-mail address. Purpose: technical logging for the Roughly Right application — used for debugging, troubleshooting and detecting unexpected behaviour. Transfer safeguard: data processed within EU/EEA.
Scrive. Personal data: e-mail, name. Purpose: contract generation and electronic signing. Transfer safeguard: data processed within EU/EEA.
Pipedrive. Personal data: e-mail, name, information arising via communication. Purpose: organising our communications with potential and existing customers. Used only for Roughly Right's own sales and support — does not process data entered into the Roughly Right application. Transfer safeguard: data processed within EU/EEA.
Google Analytics. Personal data: IP address, geographic location, OS, browser. Purpose: website and app traffic analysis. Transfer safeguard: SCCs.
Fortnox (optional — only if activated by the customer). Personal data: customers, projects, suppliers and invoices, to the extent you connect your Fortnox account. Purpose: optional integration with Fortnox as an accounting system. Transfer safeguard: data processed within EU/EEA.
We may also disclose personal data to designated authorities where required by applicable law or legally binding judgement.
Roughly Right has taken the following measures to protect your personal data against loss, misuse and unauthorised access.
Organisational measures: login and password management, physical security of premises, confidentiality agreements for employees and contractors.
Technical measures: secure network with VPC and firewall, encryption in transit and at rest, regular security inspections, two-step verification, backup procedures.
Roughly Right uses cookies and similar tracking techniques. For more information, see our Cookie Policy.
If you believe we are not handling your personal data correctly, you are entitled to submit a complaint to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
We reserve the right to update this policy. We will notify you of material changes before they take effect. The current version is always available at roughlyright.com/en/privacy.