Privacy Policy
Version 1.4 · Last updated 30 June 2026 · CommandCenter (Cmdcenter AB, org.nr 559591-9753)
1. Who we are
CommandCenter is operated by Cmdcenter AB (org.nr 559591-9753), a Swedish company. We provide restaurant management software that helps restaurant groups track financial performance, staff costs and revenue. Our registered office address and full contact details are available at comandcenter.se.
If you have any questions about this policy or your data, contact us at privacy@comandcenter.se.
2. What data we collect
We collect the following categories of data:
Account data: Your name, email address, and organisation name when you register.
Business data: Financial information you enter or sync — including revenue, staff costs, food costs and P&L data for your restaurants.
Staff data: Employee names, working hours, shift costs and department information synced from Personalkollen, Caspeco or other connected HR systems. This data originates from your own HR systems and is processed on your behalf.
Integration credentials: API keys and OAuth tokens for third-party services you connect (Personalkollen, Fortnox, Ancon, Swess). These are encrypted at rest.
Usage data: Pages visited, features used, and error logs to help us improve the product.
Technical data: IP address, browser type and device information collected automatically when you use the service.
3. Legal basis for processing
We process your data under the following legal bases (GDPR Article 6):
Contract performance: To provide the service you have subscribed to, including syncing integrations, generating reports and forecasts.
Legitimate interests: To improve our product, prevent fraud, and ensure security of the platform.
Legal obligation: To comply with Swedish and EU law, including accounting regulations and tax requirements.
Consent: For optional features such as marketing emails. You may withdraw consent at any time.
4. How we use your data
We use your data to:
— Provide and improve the CommandCenter service
— Sync data from connected integrations (Personalkollen, Fortnox, etc.)
— Generate financial reports, forecasts and alerts
— Send service notifications (new features, billing, security alerts)
— Comply with legal obligations
— Prevent fraud and ensure platform security
AI-generated insight: parts of the product — anomaly explanations, weekly briefings, scheduling recommendations, budget analysis and the AI assistant — are produced by a third-party large language model (Anthropic Claude). In line with EU Regulation 2024/1689 (AI Act) Article 52, every AI-generated output in the app is visibly labelled. AI output is advisory; it is not an automated decision with legal effect for you or your staff (GDPR Article 22).
We do not sell your data. We do not use your data for advertising.
5. Data sharing and sub-processors
We share data with the following sub-processors. Each operates under a GDPR-compliant Data Processing Agreement, which we put in place before any production customer data is processed, and each processes data only on our documented instruction.
DATABASE — Supabase Inc.
Role: Database infrastructure and authentication
Data: All customer and business data stored in our platform
Location: EU (Frankfurt, Germany) — AWS eu-central-1
Compliance: SOC 2 Type II certified, GDPR compliant (Data Processing Agreement)
Privacy: supabase.com/privacy
HOSTING — Vercel Inc.
Role: Application hosting and edge network
Data: Request logs, application code execution
Location: EU regions with EU data processing addendum
Compliance: SOC 2 Type II, GDPR compliant
Privacy: vercel.com/legal/privacy-policy
AI PROCESSING — Anthropic PBC
Role: AI assistant features, anomaly explanations, weekly briefings, budget suggestions, scheduling recommendations.
Data: Aggregated business data — revenue totals, staff-hour totals, cost breakdowns — is sent to Anthropic to generate insight and written commentary. Individual staff personal data (names, employee IDs) is not routinely included; business/financial figures are. Zero Data Retention is enabled before any production customer data is processed, so Anthropic does not retain inputs or outputs beyond the processing window and does not use them to train models.
Location: USA. Standard Contractual Clauses are in place as the Chapter V transfer mechanism.
Privacy: anthropic.com/privacy · anthropic.com/legal/commercial-terms
PAYMENT PROCESSING — Stripe Inc.
Role: Subscription billing and payment processing
Data: Billing information only — payment card details never stored by us
Location: EU with EU data processing addendum
Privacy: stripe.com/privacy
ERROR MONITORING — Sentry (Functional Software, Inc.)
Role: Production error and crash reporting — stack traces, breadcrumbs, session replay on error only.
Data: Stack traces, URL of the failing page, user id and organisation id (used for error-by-customer filtering). Sensitive strings (auth cookies, bearer tokens, API keys) are scrubbed by a beforeSend hook before transmission. Customer business data and AI question text never leave our server via Sentry.
Location: EU region (ingest.de.sentry.io). Standard Contractual Clauses are in place for any incidental US transfer.
Privacy: sentry.io/privacy
TRANSACTIONAL EMAIL — Resend (Resend, Inc.)
Role: Delivery of transactional emails — account verification, password reset, weekly business digest, alert notifications, onboarding welcome.
Data: Recipient email address, subject line, HTML body (may include business name, revenue figures, staff-cost metrics, alert text). No raw staff personal data is transmitted in email bodies.
Location: USA. Standard Contractual Clauses are in place as the Chapter V transfer mechanism.
Privacy: resend.com/legal/privacy-policy
PRODUCT ANALYTICS — PostHog (EU Cloud)
Role: Product-usage analytics — which features are used — so we can improve the service. Loads only after you accept analytics cookies; declined by default.
Data: Anonymous usage events keyed to your account's user ID (a UUID). Email, name, phone and any business or financial data are stripped client-side and never sent to PostHog.
Location: EU (PostHog EU Cloud, Frankfurt) — data does not leave the EU.
Privacy: posthog.com/privacy
INTEGRATION PARTNERS — data synced on your explicit instruction only
Personalkollen (Sweden): Staff scheduling and hours data
Fortnox (Sweden): Accounting and invoice data
Ancon / Swess / Caspeco: POS and revenue data
LEGAL DISCLOSURE — We may disclose data if required by Swedish law, court order or regulatory authority. We will notify you unless legally prohibited from doing so.
A full and current list of sub-processors is available on request at privacy@comandcenter.se.
6. Data retention
We retain your data for the following periods:
Account and business data: For the duration of your subscription, plus a 30-day grace period after cancellation (to allow reactivation and a final data export), after which it is permanently deleted. This follows the GDPR storage-limitation principle (Article 5(1)(e)).
Staff data synced from integrations: While your subscription is active we retain up to 3 years of history to support year-on-year comparison and forecasting. After cancellation it is deleted within the 30-day grace period above.
Billing and accounting records: Retained for 7 years where required by the Swedish Bookkeeping Act (Bokföringslagen, 1999:1078).
Usage logs: 90 days.
After the applicable retention period, data is permanently deleted from our active systems and removed from backups within the backup rotation cycle.
7. Your rights under GDPR
As a data subject you have the following rights:
Right of access: Request a copy of all personal data we hold about you.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your data (subject to legal retention obligations).
Right to data portability: Receive your data in a machine-readable format (JSON).
Right to restrict processing: Request that we limit how we use your data.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, use the Data & Privacy section in your account settings, or contact privacy@comandcenter.se. We will respond within 30 days.
8. Security
We protect your data with:
— Encryption at rest and in transit (TLS 1.3)
— Row-level security on all database tables
— Encrypted storage of API keys and credentials
— Access controls limiting staff access to production data
— Regular security reviews
Despite these measures, no system is completely secure. If you discover a security issue, please report it to security@comandcenter.se.
9. Cookies
We use the following cookies and similar browser storage:
Authentication (strictly necessary): A session cookie to keep you logged in. This cannot be disabled.
Preferences (strictly necessary): Your selected restaurant and UI preferences, stored in your browser's localStorage.
Product analytics (optional — consent required): If you accept analytics in the cookie banner, we use PostHog (EU Cloud) to understand which features are used so we can improve the product. These do not load until you accept, and you can decline or withdraw consent at any time. Analytics events are keyed to an anonymous user ID — we never send your email, name or business data to PostHog.
We do not use Google Analytics, Facebook Pixel, or any advertising or cross-site tracking cookies.
10. International transfers
Your data is stored in EU data centres (Supabase Frankfurt region). Where data is processed outside the EU (e.g. Anthropic AI in the USA), we ensure appropriate safeguards are in place including Standard Contractual Clauses as required by GDPR Chapter V.
11. Children
CommandCenter is a business software product intended for use by adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us immediately.
12. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email and in-app notification at least 30 days before they take effect. The current version is always available at comandcenter.se/privacy.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.
We would always prefer to resolve concerns directly — please contact privacy@comandcenter.se first.
Cmdcenter AB (org.nr 559591-9753) · CommandCenter · privacy@comandcenter.se · comandcenter.se