← Back to app

Privacy Policy

Version 1.4 · Last updated 30 June 2026 · CommandCenter (Cmdcenter AB, org.nr 559591-9753)

1. Who we are

CommandCenter is operated by Cmdcenter AB (org.nr 559591-9753), a Swedish company. We provide restaurant management software that helps restaurant groups track financial performance, staff costs and revenue. Our registered office address and full contact details are available at comandcenter.se. If you have any questions about this policy or your data, contact us at privacy@comandcenter.se.

2. What data we collect

We collect the following categories of data: Account data: Your name, email address, and organisation name when you register. Business data: Financial information you enter or sync — including revenue, staff costs, food costs and P&L data for your restaurants. Staff data: Employee names, working hours, shift costs and department information synced from Personalkollen, Caspeco or other connected HR systems. This data originates from your own HR systems and is processed on your behalf. Integration credentials: API keys and OAuth tokens for third-party services you connect (Personalkollen, Fortnox, Ancon, Swess). These are encrypted at rest. Usage data: Pages visited, features used, and error logs to help us improve the product. Technical data: IP address, browser type and device information collected automatically when you use the service.

3. Legal basis for processing

We process your data under the following legal bases (GDPR Article 6): Contract performance: To provide the service you have subscribed to, including syncing integrations, generating reports and forecasts. Legitimate interests: To improve our product, prevent fraud, and ensure security of the platform. Legal obligation: To comply with Swedish and EU law, including accounting regulations and tax requirements. Consent: For optional features such as marketing emails. You may withdraw consent at any time.

4. How we use your data

We use your data to: — Provide and improve the CommandCenter service — Sync data from connected integrations (Personalkollen, Fortnox, etc.) — Generate financial reports, forecasts and alerts — Send service notifications (new features, billing, security alerts) — Comply with legal obligations — Prevent fraud and ensure platform security AI-generated insight: parts of the product — anomaly explanations, weekly briefings, scheduling recommendations, budget analysis and the AI assistant — are produced by a third-party large language model (Anthropic Claude). In line with EU Regulation 2024/1689 (AI Act) Article 52, every AI-generated output in the app is visibly labelled. AI output is advisory; it is not an automated decision with legal effect for you or your staff (GDPR Article 22). We do not sell your data. We do not use your data for advertising.

5. Data sharing and sub-processors

We share data with the following sub-processors. Each operates under a GDPR-compliant Data Processing Agreement, which we put in place before any production customer data is processed, and each processes data only on our documented instruction. DATABASE — Supabase Inc. Role: Database infrastructure and authentication Data: All customer and business data stored in our platform Location: EU (Frankfurt, Germany) — AWS eu-central-1 Compliance: SOC 2 Type II certified, GDPR compliant (Data Processing Agreement) Privacy: supabase.com/privacy HOSTING — Vercel Inc. Role: Application hosting and edge network Data: Request logs, application code execution Location: EU regions with EU data processing addendum Compliance: SOC 2 Type II, GDPR compliant Privacy: vercel.com/legal/privacy-policy AI PROCESSING — Anthropic PBC Role: AI assistant features, anomaly explanations, weekly briefings, budget suggestions, scheduling recommendations. Data: Aggregated business data — revenue totals, staff-hour totals, cost breakdowns — is sent to Anthropic to generate insight and written commentary. Individual staff personal data (names, employee IDs) is not routinely included; business/financial figures are. Zero Data Retention is enabled before any production customer data is processed, so Anthropic does not retain inputs or outputs beyond the processing window and does not use them to train models. Location: USA. Standard Contractual Clauses are in place as the Chapter V transfer mechanism. Privacy: anthropic.com/privacy · anthropic.com/legal/commercial-terms PAYMENT PROCESSING — Stripe Inc. Role: Subscription billing and payment processing Data: Billing information only — payment card details never stored by us Location: EU with EU data processing addendum Privacy: stripe.com/privacy ERROR MONITORING — Sentry (Functional Software, Inc.) Role: Production error and crash reporting — stack traces, breadcrumbs, session replay on error only. Data: Stack traces, URL of the failing page, user id and organisation id (used for error-by-customer filtering). Sensitive strings (auth cookies, bearer tokens, API keys) are scrubbed by a beforeSend hook before transmission. Customer business data and AI question text never leave our server via Sentry. Location: EU region (ingest.de.sentry.io). Standard Contractual Clauses are in place for any incidental US transfer. Privacy: sentry.io/privacy TRANSACTIONAL EMAIL — Resend (Resend, Inc.) Role: Delivery of transactional emails — account verification, password reset, weekly business digest, alert notifications, onboarding welcome. Data: Recipient email address, subject line, HTML body (may include business name, revenue figures, staff-cost metrics, alert text). No raw staff personal data is transmitted in email bodies. Location: USA. Standard Contractual Clauses are in place as the Chapter V transfer mechanism. Privacy: resend.com/legal/privacy-policy PRODUCT ANALYTICS — PostHog (EU Cloud) Role: Product-usage analytics — which features are used — so we can improve the service. Loads only after you accept analytics cookies; declined by default. Data: Anonymous usage events keyed to your account's user ID (a UUID). Email, name, phone and any business or financial data are stripped client-side and never sent to PostHog. Location: EU (PostHog EU Cloud, Frankfurt) — data does not leave the EU. Privacy: posthog.com/privacy INTEGRATION PARTNERS — data synced on your explicit instruction only Personalkollen (Sweden): Staff scheduling and hours data Fortnox (Sweden): Accounting and invoice data Ancon / Swess / Caspeco: POS and revenue data LEGAL DISCLOSURE — We may disclose data if required by Swedish law, court order or regulatory authority. We will notify you unless legally prohibited from doing so. A full and current list of sub-processors is available on request at privacy@comandcenter.se.

6. Data retention

We retain your data for the following periods: Account and business data: For the duration of your subscription, plus a 30-day grace period after cancellation (to allow reactivation and a final data export), after which it is permanently deleted. This follows the GDPR storage-limitation principle (Article 5(1)(e)). Staff data synced from integrations: While your subscription is active we retain up to 3 years of history to support year-on-year comparison and forecasting. After cancellation it is deleted within the 30-day grace period above. Billing and accounting records: Retained for 7 years where required by the Swedish Bookkeeping Act (Bokföringslagen, 1999:1078). Usage logs: 90 days. After the applicable retention period, data is permanently deleted from our active systems and removed from backups within the backup rotation cycle.

7. Your rights under GDPR

As a data subject you have the following rights: Right of access: Request a copy of all personal data we hold about you. Right to rectification: Request correction of inaccurate data. Right to erasure: Request deletion of your data (subject to legal retention obligations). Right to data portability: Receive your data in a machine-readable format (JSON). Right to restrict processing: Request that we limit how we use your data. Right to object: Object to processing based on legitimate interests. Right to withdraw consent: Where processing is based on consent, withdraw it at any time. To exercise any of these rights, use the Data & Privacy section in your account settings, or contact privacy@comandcenter.se. We will respond within 30 days.

8. Security

We protect your data with: — Encryption at rest and in transit (TLS 1.3) — Row-level security on all database tables — Encrypted storage of API keys and credentials — Access controls limiting staff access to production data — Regular security reviews Despite these measures, no system is completely secure. If you discover a security issue, please report it to security@comandcenter.se.

9. Cookies

We use the following cookies and similar browser storage: Authentication (strictly necessary): A session cookie to keep you logged in. This cannot be disabled. Preferences (strictly necessary): Your selected restaurant and UI preferences, stored in your browser's localStorage. Product analytics (optional — consent required): If you accept analytics in the cookie banner, we use PostHog (EU Cloud) to understand which features are used so we can improve the product. These do not load until you accept, and you can decline or withdraw consent at any time. Analytics events are keyed to an anonymous user ID — we never send your email, name or business data to PostHog. We do not use Google Analytics, Facebook Pixel, or any advertising or cross-site tracking cookies.

10. International transfers

Your data is stored in EU data centres (Supabase Frankfurt region). Where data is processed outside the EU (e.g. Anthropic AI in the USA), we ensure appropriate safeguards are in place including Standard Contractual Clauses as required by GDPR Chapter V.

11. Children

CommandCenter is a business software product intended for use by adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us immediately.

12. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email and in-app notification at least 30 days before they take effect. The current version is always available at comandcenter.se/privacy.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se. We would always prefer to resolve concerns directly — please contact privacy@comandcenter.se first.
Cmdcenter AB (org.nr 559591-9753) · CommandCenter · privacy@comandcenter.se · comandcenter.se