VaccinKoll

Privacy Policy – VaccinKoll

Last updated: 2026-04-22  |  Version: 1.2

1. Data controller

Vaccinkoll is a service operated by:

Leonin AB
Registration number: 559578-2375
Email: privacy@vaccinkoll.se
Website: https://vaccinkoll.se

Leonin AB is the data controller for the personal data processing described in this policy.

2. What data we collect and why

2.1 Account information

Data: Name, email address, password (hashed), phone number, country, preferred language, account type, date of last login.

Purpose: Creating and managing your user account, authentication, and service-related communications.

Legal basis: Contract (Article 6(1)(b) GDPR) — processing is necessary to perform the contract formed when you register an account.

2.2 Vaccination records (health data)

Data: Vaccine name, manufacturer, dose number, date of administration, healthcare provider, batch number, clinic or hospital name, country of administration, notes, and uploaded vaccination certificates (images or PDF files).

Purpose: Storing and displaying your vaccination history, sending reminders for upcoming doses, and enabling export of your records.

Legal basis: Explicit consent (Article 9(2)(a) GDPR). Vaccination records constitute health data and are a special category of personal data under Article 9 GDPR. We process this data only after you have given your explicit consent at registration. You may withdraw your consent at any time, which will result in us ceasing processing and deleting your health data (see Section 7).

2.3 Family profiles (premium feature)

Data: Family members' names, relationship type, access level, and their respective vaccination records.

Purpose: Allowing a primary account holder to manage vaccination records on behalf of family members who have their own Vaccinkoll accounts.

Legal basis: Explicit consent (Article 9(2)(a) GDPR) for health data. You are responsible for ensuring you have the right to register data about family members, and where applicable that their consent has been obtained.

2.4 Dependent profiles (children and others without their own account)

Data: First name, last name, year of birth, optional date of birth, encrypted notes, guardian consent timestamp, and associated vaccination records (same fields as Section 2.2).

Purpose: Allowing an account holder to log and manage vaccination records for children or other dependents who do not have their own Vaccinkoll account — for example infants and young children.

Legal basis: Explicit consent (Article 9(2)(a) GDPR) for health data. When creating a dependent profile you confirm that you hold parental responsibility or other legal authority to manage that person's health data. The timestamp of this confirmation is stored. You may delete a dependent profile at any time, which permanently removes all associated records. Deleting your account also permanently removes all dependent profiles and their data. Data exports (JSON, CSV, PDF) include all dependent profiles and their vaccination records, clearly labeled per dependent.

2.5 Payment and subscription

Data: Subscription plan, payment status, Stripe customer ID, Stripe subscription ID. We do not store card numbers or full payment details — these are handled exclusively by our payment provider Stripe.

Purpose: Managing your premium subscription and processing payments.

Legal basis: Contract (Article 6(1)(b) GDPR).

2.6 Reminders and notifications

Data: Reminder type, due date, delivery status, email address.

Purpose: Sending reminders for upcoming vaccinations or booster doses.

Legal basis: Contract (Article 6(1)(b) GDPR) and your consent to health data processing (see 2.2).

2.7 Technical logs and security

Data: IP address, timestamps for actions (e.g. login, record creation and deletion, data export), device type (only where needed for debugging).

Purpose: Security, debugging, and fulfilling our obligation to document the processing of sensitive data.

Legal basis: Legitimate interest (Article 6(1)(f) GDPR) — maintaining the security of the service and protecting users.

3. How long we retain your data

Category  |  Retention period
Account information  |  For as long as the account is active. Deleted within 30 days of account closure.
Vaccination records  |  For as long as the account is active. Deleted immediately on individual record deletion, or within 30 days of account closure.
Uploaded files (certificates)  |  Same as vaccination records.
Payment records  |  7 years after subscription end, in accordance with Swedish accounting law.
Reminder history  |  Deleted within 30 days of account closure.
Security and access logs  |  12 months.

4. Who we share your data with

We never sell your personal data. We engage the following data processors to operate the service, with whom we have signed Data Processing Agreements (DPAs):

Processor  |  Service  |  Location
Supabase, Inc.  |  Database, authentication, file storage  |  EU (Frankfurt, Germany)
Fly.io, Inc.  |  Web application and server hosting  |  EU (Stockholm, Sweden)
Stripe, Inc.  |  Payment processing  |  USA (with Standard Contractual Clauses, see Section 5)
Resend, Inc.  |  Transactional email and vaccination reminders  |  EU region
Proton AG  |  Business email inboxes  |  Switzerland (EU-adequate country)
Sentry (Functional Software, Inc.)  |  Error monitoring and logging  |  EU region

We may also disclose data where we are legally required to do so (e.g. by court order or regulatory authority).

5. Transfers to third countries

Stripe is a US-based company. The transfer of payment-related data to Stripe is based on the EU Standard Contractual Clauses (SCCs, Article 46(2)(c) GDPR) incorporated into Stripe's Data Processing Agreement. Stripe is PCI DSS certified and does not process full card details on our behalf.

Supabase and Fly.io process all personal data within the EU/EEA.

6. Security

We implement technical and organisational measures to protect your data, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
  • Application-level encryption of the most sensitive fields (e.g. notes, batch numbers, healthcare provider names).
  • Row Level Security (RLS) in the database — you can only read and write your own data.
  • Private file storage with short-lived signed URLs for vaccination certificates.
  • Audit logging of sensitive operations (creation, deletion, export).
  • Regular security reviews.

7. Your rights

As a data subject you have the following rights under GDPR:

Right of access (Article 15): You may request a copy of the personal data we process about you. You can also export your data directly under Settings in the service.

Right to rectification (Article 16): You may request that inaccurate data be corrected or incomplete data completed. You can also do this directly within the service.

Right to erasure (Article 17): You may request that we delete your data. You can delete individual vaccination records directly within the service, or close and delete your entire account under Settings. We delete all personal data within 30 days, except for data we are legally required to retain (e.g. accounting records).

Right to withdraw consent (Article 7(3)): You may withdraw your consent to health data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Withdrawal means we will delete your health data and that you will no longer be able to use the core features of the service.

Right to restriction of processing (Article 18): You may request that we restrict processing of your data in certain circumstances.

Right to data portability (Article 20): You may request your data in a machine-readable format (JSON, CSV, or PDF) directly from the service under Export data, or via a written request to us.

Right to object (Article 21): You may object to processing based on legitimate interest.

To exercise your rights, contact us at privacy@vaccinkoll.se. We respond to requests within 30 days.

8. Complaints

If you believe we are processing your data in violation of data protection law, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114, SE-104 20 Stockholm, Sweden
imy@imy.se
www.imy.se

9. Changes to this policy

We may update this privacy policy. For material changes, we will notify you by email or a prominent notice within the service before the change takes effect. The date of the last update is always shown at the top of this document.

10. Contact

If you have questions about how we process your personal data, please contact us:

Leonin AB
privacy@vaccinkoll.se
https://vaccinkoll.se