BEYONDLUNA PRIVACY NOTICE

1 (12)

BEYONDLUNA PRIVACY NOTICE

1. Introduction

This Privacy Notice contains information about the Processing of Personal data performed by Mond

Digital Solutions AB, incorporated, and registered in Sweden with company registration number

559152-9705, whose registered office is at Hamngtatan 26A, 652 25 Karlstad, hereinafter referred to as

"BeyondLuna" and referred to as "we", "our", "us". References to "you" or "your" refer to the Data

subject whose Personal data we Process.

We provide the Platform "BeyondLuna" for schools, to be used by teachers, student health staff and

students. This Privacy Notice is mainly relevant to teachers and other staff in schools and municipalities

that use our Services. Our Processing of Personal data about students within the scope of the Service is

not covered by this Privacy Notice. Such Processing is instead regulated by a data processing agreement

entered between us and the school (or the municipality) in its capacity of a "Service Recipient".

This Privacy Notice covers our Processing of Personal data that we conduct as Controllers, among other

things:

• how we Process Personal data;

• which Personal data we Process;

• the purpose and legal basis of the Processing;

• where the Personal data is stored;

• to whom Personal data may be shared;

• what rights the Data subject has according to the GDPR; and

• other information about our Processing of Personal data in our capacity of Controller.

2. Definitions

The following definitions used in this Privacy Notice shall have the meanings set forth below when they

are indicated with a capital letter, regardless of whether they are used in the plural or singular, in definite

or indefinite form:

Account: refers to an identity in the Platform that identifies the Service Recipient and gives the Service

Recipient and its Users access to the Platform's features.

Affiliate: means any entity that directly or indirectly is controlled by, controls, or is under common

control with the Service Recipient, whereby “control” means the possession, directly or indirectly, of

the power to direct, or cause the direction of the management and policies of such person, whether by

contract, through the ownership of voting securities, or otherwise.

Controller: refers to the person/entity who determines the purpose of a particular Processing of Personal

data and how the Processing is to be carried out. Natural persons, legal persons, authorities, institutions,

or other bodies may be Personal data Controllers.

Data subject: refers to the natural person who can be identified through the Personal data.

GDPR: refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

2016 on the protection of natural persons about the processing of personal data and on the free movement

of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

BEYONDLUNA PRIVACY NOTICE

2 (12)

Personal data: refers to all data that, directly or indirectly, alone, or together with other data, can be

linked to an identified or identifiable physical living person. Common examples of Personal data are the

following: name, telephone number, address, email address, user ID, credit card number, etc.

Platform: refers to the platform beyondluna.com.

Processing: refers to everything that is made with Personal data, automated or otherwise. Processing

can take place through an individual measure or through a combination of different measures, such as

but not limited to storage, erasure, sharing, usage, registration, copying, collection, organization, use,

adjustment, destruction, etc.

Processor: refers to the one who Processes Personal data on behalf of a Personal data Controller and

according to the Controller's instructions.

SCC: refers to Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard

contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU)

2016/679 of the European Parliament and of the Council, or later updated version.

Service Recipient: refers to the entity that has entered into an agreement with BeyondLuna regarding

the use of the Platform.

Service: has the meaning set forth in the Service Agreement entered between the Service Recipient and

BeyondLuna and may also include the Platform.

Service Agreement: refers to the agreement entered into between the Service Recipient and

BeyondLuna regarding the Services and any other agreement or terms referring to the Service

Agreement, such as for example, but not exclusively: Orders incorporated by reference, the applicable

Third party: refers to someone other than the Controller (and the persons who are authorized to Process

the Personal data), the Data subject or the Processor (and the persons who are authorized to Process the

Personal data). A Third party may be a legal person or a natural person, institution, authority, or other

body.

User: refers to the Service Recipient and/or its Affiliates, staff and students who use the Service.

Website: refers to beyondluna.mond.com.

Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice

as set forth in Article 4 of the GDPR.

3. Controller and Processor

We are the Controller regarding all Processing of Personal data that is performed by us or on our behalf,

insofar as we determine the means and purpose of the Processing (according to the principle of liability).

All our Processing of Personal data takes place in accordance with the GDPR (and SCC where

applicable), as well as with the data protection principles.

When we Process Personal data in our capacity as Processor and the Service Recipient is the Controller,

we only Process the Personal data in accordance with the instructions given to us by the Service

Recipient in the data processing agreement, in practice to provide the Service. We are the Processor,

and the Service Recipient is the Controller, in for example the following situations:

BEYONDLUNA PRIVACY NOTICE

3 (12)

● When the User’s register Personal data in the Platform. The Service Recipient is responsible for

ensuring that all Personal data that its Users Processes within the Platform are accurate and that

the Processing is made in accordance with applicable data protection regulation. The Service

Recipient is also responsible for supplying information about its Processing of Personal data to

the Data subjects in question. We may also register Personal data belonging to a Data subject

according to the Service Recipient’s instructions, for example in accordance with a support

matter.

● When the Service Recipient or its User requests support for the Platform from us, which means

that the Processing of Personal data within the support case takes place in accordance with the

Service Recipient's instructions stated in the DPA.

The Service Recipient and its Users must comply with all at any time applicable data protection

legislation when using the Platform, and the Service Recipient is responsible for its User’s use of the

Platform.

Unless otherwise stated in this Privacy Notice, we are the Controller for the Processing described.

4. Third-party websites, applications, and integrations

If you provide information to us through a Third-party website or platform, the information you provide

may be collected separately by such Third-party that provides that website or platform. Such information

is subject to the Third-party's privacy notices and terms. This means, among other things, that the privacy

settings you have made on the Third-party website or platform do not affect our processing of data that

we collect directly through our Services/Platform/Website.

There may be links in our Services/Platform/Website that lead to other Third-party websites,

applications, content, or other integrations, which may allow such Third-parties to collect or share

Personal data about you. We do not control or own such Third-party websites, applications, content or

other integrations and we are not responsible for the Processing of Personal data carried out by anyone

else or for the privacy rules, notices, or terms of such Third-parties.

For these reasons, we would like to encourage you to pay attention when you leave our

Services/Platform/Website and to request details of and read the privacy notices and terms of such Third-

parties, who may collect and Process Personal data belonging to you.

5. How we access Personal data that we Process

We may access, collect and Process your Personal data when you for example:

● enter into an agreement with us,

● create an Account to the Platform,

● contact us or give us feedback,

● enter a survey or promotion,

● request marketing to be sent to you,

● use and access our Services,

● provide any Personal data through our Platform,

● in-person events and on our website.

We may also Process your Personal data if it is provided to us by someone else, for example:

● the Service Recipient or its Users,

BEYONDLUNA PRIVACY NOTICE

4 (12)

● Third-party service providers which you have linked your use of the Platform, such as social

media accounts,

● Payment service provider,

● Advertising networks,

● Analytics providers,

● Our business partners.

The information which we receive from such Third-parties depends on your and our respective

relationships with the Third-party and their policies.

6. Categories of Personal data that we Process

In accordance with the principle of data minimization, we only process Personal data in our capacity as

a Controller that is adequate, necessary, and relevant to fulfill the purposes for which it was collected.

We mainly Process the categories of Personal data listed below:

● Identification information: first name, last name, profile picture.

● Contact information: email address, phone number, address, employer.

● User information: User-ID, username, password (encrypted), IP-address.

● Other information: school affiliation, grade, class, gender.

● Other Personal data: any other Personal data that is provided to us, such as those that are

registered in the Platform by the User or that is provided to us in a message.

7. Legal basis and purpose for our Processing of Personal data

In accordance with the principle of purpose limitation, we only Process Personal data in our capacity as

Controller for special, explicitly stated, and justified purposes. In addition, all Processing is legal in

accordance with the provisions of the GDPR.

We Process Personal data primarily with the support of one of the following legal bases:

1) Contract: means Processing of your Personal data where it is necessary for the performance of

a contract to which the Data subject or Service Recipient is a party or to conduct processing at

request before entering such a contract, for example the performance of our agreement to make

the Services available.

2) Consent: means Processing of Personal data based on the Data subjects active and voluntarily

given consent to it. You may for example consent to a certain Processing of your Personal data

by ticking a checkbox for it through the Platform and/or our Website.

3) Legitimate interest: means our business interests in conducting and managing our business to

enable us to provide the User and our customers the best service/product and a secure

experience. When a Processing of Personal data is conducted by us based on legitimate interest

as the legal basis, our assessment is that the Processing does not constitute an infringement of

the Data subject's right to privacy and integrity. We have come to this conclusion, after having

made a balance between on the one hand what the Processing in question means for the Data

subjects interests and right to privacy, and on the other hand the legitimate interest in the

Processing in question (our, your and/or a Third-party’s legitimate interest).

4) Legal obligation: means Processing of Personal data where it is necessary for compliance with

a legal obligation.

BEYONDLUNA PRIVACY NOTICE

5 (12)

You may have to provide your Personal data to be able to enter into an agreement with us, get the

Services you have ordered or to comply with legal or contractual obligations. In some cases, it is optional

for you to supply your Personal data. However, if you do not give your Personal data, for instance, we

might not be able to provide the requested services or support. Unless otherwise stated, you will not

suffer any negative legal repercussions if you do not submit your Personal data.

When data Processing is based on your consent, you have the right to withdraw the consent at any time,

without affecting the lawfulness of Processing based on consent before its withdrawal.

Below you can read more about the legal basis and purpose of our Processing of Personal data that we

conduct in our capacity of Controller. Where appropriate, we have also identified what our legitimate

interests are.

1) When you visit the Website and/or use the Platform:

Our Website and Platform uses cookies. The use of non-necessary cookies takes place only if you give

your consent to it. Legal basis for the Processing of Personal data: Consent.

In our Cookie Notice, you can read more information about how we use cookies on the Website and

Platform and how you can manage the storage of cookies. The Cookie Notice is published on the

Website and the Platform.

2) When you contact us through email or telephone:

We Process your Personal data that we get access to when you contact us through email or telephone,

such as your name, telephone number, email, and the message content.

The purpose of the Processing is to enable us to know who we are talking to and to stay connected in

the matter. We have concluded that both we and you have a legitimate interest in the Personal data being

Processed by us for the purpose stated above. The provision of Personal data for the purpose stated

above is not a statutory or contractual requirement, and you are not obliged to provide the Personal data,

but the possible consequences of failure to provide your Personal data that we request and/or need in

order to respond to you, is that we may not be able to provide you with the support or Platform that you

request.

Legal basis for the Processing of Personal data: Legitimate interest.

If we Process Personal data as part of a support related case in the capacity of a Processor, the Processing

takes place in accordance with the instructions given by the Service Recipient that is the Controller, and

the data processing agreement that we have entered with the Service Recipient. We will get access to

all Personal data that appears in connection with the support related matter in question, and all

information that the User provides to us and that is registered within the Account that the User belongs

to. The possible consequences of failure to provide the Personal data is that we can not provide support

to the User in accordance with the Service Agreement.

Legal basis for the Processing of Personal data: Contract.

BEYONDLUNA PRIVACY NOTICE

6 (12)

3) When you contact us through the contact form on the Website:

You can contact us by sending us a message through the contact forms available on the Website. We

then get access to the following categories of Personal Data: name, email address, telephone number

and any other Personal Data that you include in the message.

The provision of name, email address, completion of the subject line and a message is mandatory in the

contact form, for the message in question to be sent to us.

However, the provision of your Personal Data through the contact form is not a statutory or contractual

requirement or a requirement necessary to enter a contract with us, and you are not obliged to provide

the Personal Data. However, the possible consequences of not providing such information are that the

message will not be able to be sent to us.

Before the message is sent to us, you give your active consent to our Processing of your Personal Data

in accordance with the above, by ticking a checkbox for approval.

Legal basis for the Processing of Personal data: Consent.

4) When you receive newsletters from us:

You can consent to receive newsletters from us by providing your active consent for us to Process your

email address in order to send you newsletters. Providing your email address to us for this purpose is

voluntary, which means that it is not a legal or contractual requirement or a requirement necessary to

enter into a contract with us, and you are under no obligation to provide your email mailing address, but

the possible consequences of not providing your email address to us is that we will not send you our

newsletters.

Legal basis for the Processing of Personal data: Consent.

Unsubscribe from newsletters

If you unsubscribe from the newsletters, you will be removed from the email list of recipients of the

newsletters, but your email address will remain in the database with a block for receiving newsletters.

The purpose of this is to ensure that you do not receive any more newsletters from us. In our assessment,

both we and you have a legitimate interest in the Personal Data being Processed for this purpose. The

Processing is necessary for a purpose related to a legitimate interest, and that your interest in the

protection of your Personal Data is not outweighed. Our assessment is that the Processing in question

does not infringe your fundamental rights and freedoms.

If you want your email address to be deleted from the block list as well, you can contact our support by

email and request this. You are hereby informed that if your email address is deleted from the block list,

it means that you can receive newsletters from us again if you or someone else registers your email

address to receive newsletters again.

Legal basis for the Processing of Personal data: Legitimate interest.

5) When a Service Recipient completes a purchase of a subscription:

When a Service Recipient completes a purchase of a subscription for the Platform, we get access to

Personal data that is provided to us in connection with the purchase process. The Service Recipient must

provide the following Personal data and information in connection with the purchase being completed:

BEYONDLUNA PRIVACY NOTICE

7 (12)

the Service Recipient's signatory/contact person's first name, last name, telephone number, email

address, and the Service Recipient's company name, registration number, VAT-number and other billing

information.

The provision of the above-mentioned information in connection with the purchase is necessary for us

to Process, for us and the Service Recipient to be able to enter into the purchase agreement, and for us

to be able to charge for the subscription. The possible consequences of such information not being

provided to us is that we will not be able to enter into the agreement or fulfill the agreement.

Legal basis for the Processing of Personal data: Contract.

6) When we provide access to the Platform

To register a User of and/or provide access to the Services, the following types of data are Processed:

Username/Email address, Password, Name, Phone number (optional), Profile picture (optional),

Sociogram/Self assessment answers, Seating plans with associated rules, Department/Unit/Area of

operation or other corresponding functional description that shows which part of the business a user

belongs to. IP-address and information about your computer or mobile unit such as: language settings,

browser. City and country of the User creating the tenant. The Processing is necessary for the

performance of a contract. Legal basis for the Processing of Personal data: Contract.

We also Process information about how the Users are using our Services (including response times), in

order for us to improve our Services including the Platform. We have concluded that we have a

legitimate interest in the information being processed for the purposes stated above and that our

legitimate interest does not constitute an infringement of the User’s right to privacy and integrity. Legal

basis for the Processing of Personal data: Legitimate interest.

7) When we have a legal obligation to the Processing:

If law, court, or authority decision obliges us to Process certain Personal data, the Processing takes place

based on a Legal obligation as a legal basis. In such cases, the Processing takes place only to the extent

that it is necessary for us to fulfill our legal obligations and then we only process the necessary Personal

data, for as long as the law requires it (in accordance with the principle of storage limitation). The

Processing is made due to statutory provisions.

For example, we store invoices, receipts, and other accounting documents that we are obliged to Process

in accordance with current legislation, such as the Swedish Accounting Act (1999:1078) and in

accordance with the Swedish Tax Agency's requirements. Accounting documents, invoices and

vouchers may in some cases contain Personal data, such as name, address, order information and any

other contact information regarding the Service Recipient and/or the Service Recipient’s signatory,

contact person, employee etc. Such Personal data is stored for as long as the law requires it. Legal basis

for the Personal data Processing: Legal obligation.

If we are obliged by applicable law to notify you about changes to our Privacy Notice or terms, we may

Process Persona data to the extent necessary. The Processing is necessary to comply with a legal

obligation. Legal basis for the Processing of Personal data: Legal obligation.

8) Other purposes for our Processing of Personal data

Based on our legitimate interest, we may process Personal data to:

BEYONDLUNA PRIVACY NOTICE

8 (12)

• protect our rights and property,

• make recommendations or suggestions to you about services available through the Platform that

may be of interest to you,

• ensure the technical functionality of the Service,

• use data analytics to improve our marketing, products/services, partner and user relationships

and experiences,

• collect anonymous statistics, performance measurements, etc. regarding the Platform.

We have concluded that we have a legitimate interest in the Personal data being processed for the

purposes stated above and that our legitimate interest does not constitute an infringement of your right

to privacy and integrity.

8. Storage location and international transfers

We strive to store all Personal data that we Process in our capacity as a Controller within the EU/EEA-

area, in accordance with the principle of integrity and confidentiality.

If Personal data is transferred to or stored in a country outside the EU/EEA-area, we shall ensure that

such a storage site ensures an adequate level of protection in accordance with the provisions of the

GDPR and SCC.

9. Data retention

Personal data that we Process will only be retained for as long as they are reasonably necessary to fulfill

the purposes for which they were collected, including for satisfying any legal obligations, such as any

tax, accounting, regulatory or reporting requirements.

When the Personal data no longer needs to be retained, it is either erased, deidentified or anonymized,

in accordance with the principle of storage limitation.

Invoices, receipts, and other accounting documents that we Process as a Controller, are stored for up to

seven (7) years after payment has been made for the subscription or Services. They may contain

identification information and contact information. These are stored for us to be able to manage any

complaint matters and to be able to match a payment against an invoice while we are obliged to store

such accounting documentation in accordance with current legislation.

If a claim can be made against our company, we can store the relevant Personal data until the statutory

limitation period has expired. In the event of an existing dispute, relevant Personal data is stored until

the dispute has been settled.

When we Process Personal data as a Processor, it is the Service Recipient that decides for how long such

Personal data shall be stored in the Platform. Terms regarding the storage duration and erasure of such

Personal data is regulated in the data processing agreement that we have entered with the Service

Recipient.

We follow internal guidelines and written routines regarding our Processing of Personal data as

Controllers, such as for example regarding erasure of Personal data and documentation of any Personal

data breaches, to ensure that the Processing of Personal data takes place in accordance with the GDPR.

BEYONDLUNA PRIVACY NOTICE

9 (12)

10. Disclosure of Personal data

We may disclose Personal data to the recipients stated below, to achieve the purposes, set out in the

section above regarding “Legal basis and purpose for our Processing of Personal Data”.

Legal authorities: Personal data may be disclosed to legal authorities in response to legal inquiries or

if necessary, to prevent, detect, prevent, or investigate criminal activity and to protect our interests and

our property.

Service providers: We may also disclose Personal data to engaged service providers, for example to:

- safeguard our legal interests,

- fulfill our contractual and legal obligations,

- detect and prevent technical, operational or safety problems, and

- provide, improve, and maintain the Platform (software maintenance).

Examples of service providers that we engage in their capacity as our Processors are developers, IT and

system administrators, providers of our cloud services, payment method provider, billing system,

consultants etc.

Before we disclose any Personal data to such service providers, we enter into a data processing

agreement with them in accordance with the provisions of the GDPR (alternatively SCC if the Personal

data Processor is in a country outside the EU/EEA-area). This is made to ensure a secure and correct

Processing of the Personal data.

Other Third parties: We may disclose Personal data to regulatory authorities, other public entities,

legal advisors, bankers, external consultants, and partners, in accordance with applicable privacy laws,

if it is made for us to comply with legal obligations or in order to fulfill our legitimate interest.

In connection with or during negotiations of a transfer of company assets, merger, sale, financing or

acquisition of all or part pf our business, we may disclose your Personal data to the Third-parties engaged

in the business transaction.

Our disclosure of Personal data in our capacity as a Processor, is regulated by the data processing

agreement entered with the Controller in question.

12. Data subjects' rights according to GDPR

Data subjects have, under certain circumstances, the following rights under the GDPR in relation to their

Personal data:

Right of access: You have the right to information about whether we Process your Personal data or not,

as well as the right to access your Personal data that we Process and information about how the Personal

data is used. If we Process your Personal data, you have the right to receive a copy of the Processed

Personal data in the form of a compilation of the Personal data that we Process about you. You also have

the right to receive information about, among other things: which categories of Personal data we Process,

the purpose of the Processing, the duration of the Processing, how we have collected the Personal data,

who has received the Personal data, etc. The purpose of the compilation is for you to be able to check

the legality and accuracy of the information. However, this does not mean that you have the right to

obtain the actual documents that contain the Processed Personal data.

● Exemption from the right of access: There may be situations where the disclosure of certain

information would entail disadvantages for other persons, that other legislation or other

BEYONDLUNA PRIVACY NOTICE

10 (12)

exceptions prevent the disclosure of certain information or extract from the records of

Processing activities. In such situations, we may not disclose the information in question and

there may therefore be Personal data and/or other information about you that you do not have

the right to access.

Right to rectification: We are responsible for ensuring that Personal data that we Process is accurate

and updated over time. However, Personal data may be incorrect or incomplete. If we were to process

Personal data about you that is incorrect or incomplete, you have the right to contact us to have your

Personal data rectified. After we have corrected the information, we will notify you of this, if it is not

proved to be impossible or would involve excessive effort.

Right to erasure: We will erase your Personal data at your request if the data is no longer needed for

the purposes for which it was collected. This is also called the "right to be forgotten". In addition, there

are more occasions when we erase your Personal data that we Process. For example, when they are no

longer necessary for the purpose for which they were collected, when the legal basis is consent and you

revoke the consent, in your objection to direct marketing, if the Processing is not legal, etc. When we

erase the Personal data at your request, we will inform you after the deletion has been performed,

provided that it is not proved to be impossible or would involve excessive effort.

● Exemption from the right to deletion: However, we have the right to continue to Process your

Personal data, and thus not delete the Personal data despite your request, if the Processing is

necessary to: a) satisfy the right to freedom of expression and freedom of information, b) to

fulfill a legal obligation, c) to perform a task carried out in the public interest or in the exercise

of official authority, d) to defend, establish or assert legal claims, e) archiving purposes of public

interest or statistical, historical or scientific purposes, or f) for reasons of public interest in the

field of public health.

Right to limitation of Processing: In some cases, you have the right to demand that our Processing of

your Personal data shall be limited. This means that the Personal data may only be Processed in the

future for certain limited purposes. An example of when this right is applicable to you is if your Personal

data that we Process is incorrect and you ask us to rectify it, you may request that our Processing of the

Personal data in question shall be limited until the accuracy of the data has been investigated.

Right to transfer your Personal data: In some cases, you might have the right to request that we

transfer your Personal data that we Process to you or any other third party. This right is also called the

right to "data portability". We hereby inform you that this right only applies if the Processing of Personal

data is performed automatically, and only if our Processing takes place to implement an agreement in

which you are a party to a contract or based on your consent. Also, the transfer of Personal data to

another company only takes place if it is technically possible. If you have the right to data portability,

we will at your request move your Personal data and/or provide your Personal data in a structured,

commonly used, machine-readable format.

Right to object: You have the right to object when your Personal data is Processed to perform a task of

public interest, as part of the exercise of authority or when it is Processed after a balancing of interest

has been made. If you object to our Processing according to this right, we will cease the Processing,

unless our interest outweighs your interests, rights, and freedoms. If this is the case, we will inform you

about the balance of interests we have made and our interests. However, if we Process Your Personal

data for the purpose of performing direct marketing on the legal basis of legitimate interest, you have

an absolute right to request that we discontinue the Processing of your Personal data for that purpose.

In such cases, we will also inform you when we have deleted the Personal data, if you request it.

Rights regarding automated decision-making, including profiling: In short, automated decisions are

about Processing that is automatic, for example through algorithms, where Personal data is Processed

to assess and analyze a person's personal characteristics. Automated decisions can have legal

consequences for the Data subject or affect the Data subject in other significant ways, and if this

happens, the Data subject has the right not to be the subject of the automated decision. If an automated

decision has been made, with or without profiling, you have the right to have the automated decision

reviewed or to challenge it. We do not conduct any form of automated decisions, with or without

profiling.

BEYONDLUNA PRIVACY NOTICE

11 (12)

13. How to exercise the rights

You are welcome to contact us through the contact information listed below, if you would like to invoke

any of the above rights in your capacity of a Data subject, regarding your Personal data that we Process

as Controller.

Exercising the rights is free of charge, provided that your requests are not exaggerated, repeated or

unfounded. In such cases, we have the right to charge a reasonable fee to process your request or the

right to refuse the execution of your request.

Before we process or respond to your request, we may request additional information from you if it is

necessary to enable us to verify your identity.

We will inform you of our processing of your request without delay, and no later than within one (1)

month after we receive the request. If the request is complex or if, for example, we have received many

requests, this time can be extended by another two (2) months. In such cases, we will notify you of the

extension within the first month after we receive your request.

If we are unable to comply with your request due to applicable law or other exceptions, we will notify

you and inform you of the reasons why we are unable to comply with your request with the limitations

imposed by law.

14. Personal data breaches

We follow the provisions of the GDPR regarding the handling, reporting and documentation of Personal

data breaches. When required by the GDPR, we will report Personal data breaches to the supervisory

authority within 72 hours and notify the Data subjects affected by the Personal data breach.

15. Amendments

We review the content of this Privacy Notice as needed and at least once a year, to ensure that the

information is up to date and correct. The contents of this Privacy Notice may be updated from time to

time, without prior notice. For example, if it is necessary to clarify something, due to changed or new

legislation or if our Processing of Personal data changes. You are responsible for reading the contents

of this Privacy Notice and keeping up to date on any changes. We will provide notice to you in

accordance with applicable law if we make material changes. The applicable version is always published

on our Website and the Platform.

16. Questions or complaints

If you have any questions about this Privacy Notice or our privacy practice, or if you are dissatisfied

with our Processing of your Personal data, you are always welcomed to contact us. Below are our

company and contact information:

Company: Mond Digital Solutions AB

Company reg. no.: 559152-9705

Email: info@beyondluna.com

BEYONDLUNA PRIVACY NOTICE

12 (12)

Phone: +46 722 291 642

Postal address: Hamngatan 26A, 652 25 Karlstad, Sweden

Our contact person for Personal data matters

Name: Kristofer Wiklund

Email: kristofer.wiklund@mond.se

Supervisory Authority

You also have the right to contact and/or to submit a complaint regarding our Processing of your

Personal data to our lead EU Supervisory Authority in Sweden: The Swedish Authority for Privacy

Protection.

Name: Integritetsskyddsmyndigheten (IMY).

Phone: 08-657 61 00.

Email: imy@imy.se.

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.

You may also direct your complaint or concern to your local data protection authority.

You can find the different EU Member States Supervisory Authorities through the following link:

https://edpb.europa.eu/about-edpb/about-edpb/members_en