Privacy Notice

Privacy and information security are of very high priority to Sitoo. We comply with the General Data Protection Regulation (GDPR) giving you control of your personal data.

Effective Date: 2024-02-23 

Table of Contents 


Sitoo is a world-leading Unified Commerce platform with a point of sale (POS) for global retailers. Providing cost-effective, game-changing technology, enabling retailers to unify all in-store and online sales channels, in real time. The result is streamlined inventory management, empowered store associates, exceeded customer expectations and never-missed sales. Sitoo is trusted by brands and retail chains in Europe, Middle East, Asia-Pacific and North America. Sitoo is a fast-growing Swedish tech company with HQ in Stockholm. 

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This privacy notice describes the Sitoo policies and practices regarding the collection and use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, so we will sometimes update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies. 
Please note that this Privacy Notice may be updated periodically to reflect changes in our personal data practices or relevant laws. We encourage you to review it regularly. 

Who is covered by this Policy?

This Privacy Notice is applicable to: 

  • Individuals who visit Covering visitors to our official website. 

  • Participants in sales processes: Including potential customers engaging with the Sitoo sales team. 

  • Social media interactions: Extending to those visiting our pages on third-party social media platforms. 

Importantly, this Notice does not cover the usage of the Sitoo Unified Commerce platform itself. For privacy practices related to the platform, please refer to the specific privacy documentation provided upon engagement. 

Information we collect 

The types of information we receive and collect depend on your use of our website and services. 

Information You Provide Voluntarily: 

Types of Personal Information:  

This includes your name, contact details, and any other information you provide when filling out forms on our website or interacting with our sales department. 

Use of Information: 

We use this information to deliver services to prospects and customers, and for marketing purposes. 

Transparency in Data Collection:  

If we request additional personal information, the purpose will be clearly communicated at the point of collection. 

Information Collected Automatically 

Third-Party Access:  

Certain third-party vendors and sub-processors may access your information as part of our service delivery. 

Automatic Data Collection: 

This includes details such as device information, browser type, IP address, location data, and website usage patterns, collected through cookies and other tracking technologies. 

Comprehensive Cookie Notice: 

For detailed information on cookies and tracking technologies, please refer to our Cookie Declaration. 

Information Third Parties Provide About You 

Source of Information:  

We may occasionally receive or retrieve personal data about individuals from third-party sources. 

Types of Information:  

This typically includes details about your employer, industry, or professional role. 

Third-Party Websites:  

For instance, we might collect your personal data from professional networking sites like LinkedIn. 

Transparency in Use:  

We use this information for sales, to enhance our understanding of our customer base, and to tailor our services accordingly. 

Sharing Information with Third Parties 

Data Hosting and Processing: 

The personal data we collect is stored in databases hosted by third parties, some of which are in the United States. We ensure that these third parties adhere to strict data protection and privacy standards. 

Third-Party Engagement for Communication: 

Occasionally, we engage third parties to communicate with you about our products, services, and events. 

Interactions with Social Media Services: 

Our website allows interactions with services like Facebook, LinkedIn, Instagram, and X (formerly Twitter). If you choose to share information from our site through these platforms, it is advised to review their privacy policies. Remember, if you are a member of these services, they might link your activities on our site to your personal data based on their policies. 

Services we use 

HubSpot – Customer Relationship Management and Email Marketing  

We utilize HubSpot as a key tool in our customer relationship management (CRM) and email marketing strategies. HubSpot aids in organizing, tracking, and nurturing our business relationships and communications with clients and potential customers. The platform streamlines our email marketing campaigns, allowing us to send tailored emails, track engagement, and manage subscriber lists effectively. 

Data Shared with HubSpot  

The types of data shared with HubSpot primarily include information sourced from LinkedIn and data entered by our Sales team. This data consists of contact details (like names, email addresses, company names), professional information (such as job titles and roles), and engagement history (including email interactions and website visits). It is important to note that all data acquired and shared with HubSpot is gathered through open sources and in compliance with applicable data protection laws. 

To ensure the protection of this data, we adhere to strict data privacy and security measures. This includes access controls to safeguard the data from unauthorized access or disclosure. 

HubSpot's Privacy Policy  

For more detailed information on how HubSpot handles and protects personal data, we encourage you to review their Privacy Policy. This policy provides comprehensive insights into HubSpot’s data processing practices, security measures, and your rights as a data subject.  

Google Analytics  

Our website employs Google Analytics, a widely used web analytics service provided by Google. This tool is instrumental in helping us understand how visitors interact with our website. It tracks and reports website traffic, providing valuable insights that guide our marketing strategies and website improvements. 

Data Collected by Google Analytics  

Google Analytics collects several types of data to help us understand visitor behavior. This includes information such as which pages you visit, how much time you spend on each page, and how you navigate through our site. It may also gather data related to your device and browser, such as your device type, operating system, and geographic location (based on IP address). Importantly, this data is processed in a way that does not personally identify you.  

Protection and Privacy  

We take your privacy seriously and have implemented measures to ensure that data collected through Google Analytics is handled securely and responsibly. Google also provides robust privacy protections, and you can read more about their practices in their Privacy Policy.  

Opting Out of Google Analytics  

If you prefer not to have your data collected by Google Analytics, Google offers an opt-out browser add-on, which you can access here. This add-on prevents Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visit activity.  

LinkedIn - Marketing and CRM Data Gathering  

We leverage LinkedIn for our marketing and customer relationship management (CRM) activities. This professional networking platform allows us to engage with potential clients and partners, promote our services, and enhance our brand visibility. Additionally, LinkedIn provides valuable insights and tools for targeting and reaching our desired audience effectively.  

Data Shared with LinkedIn  

When using LinkedIn for marketing purposes, we may share certain information such as job titles, industry sectors, and professional interests to tailor our marketing campaigns more effectively. This ensures that our content and advertisements are relevant to the audience. Also, LinkedIn is used to gather CRM data, which might include publicly available professional information like names, job titles, company details, and professional achievements. This information aids in refining our customer engagement strategies and business development efforts. 

Data Protection and LinkedIn's Privacy Practices  

The protection of your data is a priority for us. When handling data on LinkedIn, we adhere to stringent security and privacy standards to safeguard your information. LinkedIn also has its own robust data protection measures, as outlined in their Privacy Policy. We encourage you to review this policy for a comprehensive understanding of how LinkedIn handles personal data.  

Your Rights and Choices  

LinkedIn supplies various privacy settings and options, allowing you to control the visibility of your professional information and manage the types of data shared for marketing purposes. You can adjust these settings directly on your LinkedIn profile to suit your privacy preferences.  

Salesforce - Advanced CRM and Business Process Management  

Our organization utilizes Salesforce, a leading customer relationship management (CRM) and business process management tool. Salesforce plays a crucial role in managing and enhancing our interactions with customers and streamlining our business processes. It provides us with advanced features for tracking customer interactions, managing sales pipelines, and automating various business workflows. This integration helps us in delivering more personalized and efficient services to our clients.  

Data Shared with Salesforce  

The data shared with Salesforce includes detailed customer information, such as contact details (names, email addresses, phone numbers), account history, transaction records, and service interactions. We also use Salesforce to store and manage business-related data, including sales forecasts, opportunity tracking, and performance metrics. This information is critical for our sales and service teams to effectively manage customer relationships and business opportunities.  

Commitment to Data Security and Privacy  

We are committed to maintaining the highest standards of data privacy and security when using Salesforce. This commitment involves implementing stringent security measures, such as data encryption, access control, and regular security audits, to ensure the protection of sensitive customer information. Our team is trained in data privacy best practices to handle customer data responsibly.  

Salesforce's Privacy and Security Measures  

Salesforce is known for its robust security and privacy framework. For more detailed information about how Salesforce protects personal data, we encourage you to review their Privacy Policy. This policy provides insights into Salesforce's data processing practices, security protocols, and the rights you have concerning your data.  

Your Rights and Control Over Your Data  

We recognize and respect your rights regarding your personal data. In line with this, Salesforce offers various tools and settings that allow you to control how your data is managed and used within their platform. These tools enable you to view, manage, and request deletion of your data in accordance with applicable data protection laws.  

For further information on Salesforce's privacy practices or to understand how to exercise your data rights, please visit Salesforce's Privacy Center

How and Why We Process Your Information and Our Legal Basis for Processing 

Sales Department 

Information Categories Used 

  • Your Name 

  • Job Title 

  • Employer Name  

  • Work Address 

  • Email 

  • Phone Number 

Why and How We Process This Information 

To manage and maintain our business relationships and communications. 

Legal Basis for Processing 

Legitimate Interests initially;  

Consent upon contact initiation 

Through cookies on the website 

Information Categories Used 

  • IP Addresses 

  • Region or General Location 

  • Browser Type 

  • Operating System 

  • Website Usage Information (e.g., page views, navigation patterns) 

Why and How We Process This Information 

To improve website design, user experience, diagnose server issues, analyze trends, track movements, gather demographic information. 

Legal Basis for Processing 

Consent (specific types based on user preferences) 

Log Files for website usage information 

Information Categories Used 

  • Website Usage Information 

  • Analytics Services Data (from Google, DoubleClick, LinkedIn, HubSpot, Facebook) 

  • IP Information for Performance Monitoring 

Why and How We Process This Information 

For analyzing website usage and performance. 

Legal Basis for Processing 



Information Categories Used 

  • LinkedIn Events 

  • Static Registration 

Why and How We Process This Information 

To engage with attendees, promote our services, and enhance networking opportunities. 

Legal Basis for Processing 


Business Intelligence and Analytics 

Information Categories Used 

Business Intelligence and Analytics 

Why and How We Process This Information 

For improving customer support, marketing research, and protecting against litigation and policy violations. 

Legal Basis for Processing 

Legitimate Interests 

Data from Existing Customers (Sales) 

Information Categories Used 

Data from Existing Customers (Sales) 

Why and How We Process This Information 

To maintain and enhance relationships with current customers, and for ongoing business development. 

Legal Basis for Processing 


Protection of Vital Interests 

Information Categories Used 

Protection of Vital Interests 

Why and How We Process This Information 

For compliance, fraud prevention, and safety. 

Legal Basis for Processing 

Protection of Vital Interests 

You have the right to object to, and seek restriction of, this processing. To exercise your rights, visit the Data Subject rights section of this Privacy Notice. 

Transferring Personal Data to the U.S.

The Sitoo Operations and Data Processing: 

Sitoo, headquartered in Stockholm, Sweden, processes information about you in the United States. 

By using our services, you acknowledge the processing of your personal data in the U.S. 

Compliance with EU-US Data Privacy Framework: 

We transfer personal data to the U.S. in compliance with the European Commission's Implementing Decision of July 10, 2023. 

This decision recognizes the adequate level of personal data protection under the EU-US Data Privacy Framework (EU-US DPF). 

About the EU-US DPF: 

It is a certification system where U.S. organizations commit to privacy principles set by the U.S. Department of Commerce. 

These principles ensure lawful and fair processing, purpose-specific data collection, and use compatible with the processing purpose. 

Safeguards for Data Transfers: 

We only transfer data to U.S. organizations that adhere to the EU-US DPF principles, ensuring adequate data protection. 

Processing is limited to original collection purposes or as authorized by you. 

Contractual safeguards are in place for any onward data transfer, ensuring U.S. processors act on our instructions and help us uphold your rights under the EU-US DPF. 

Importance of Data Transfer: 

Transferring data to the U.S. is essential for providing and improving our services. 

If you have questions or concerns about these transfers, please contact our Data Protection Manager at

Data Subject Rights 

Sitoo services are business-to-business and when submitting Data Subject Access Request or Consumer Requests you should direct your request to the merchant/retailer that uses Sitoo. 

GDPR (General Data Protection Regulation) 

Under the General Data Protection Regulation (GDPR) and other privacy laws, you have certain rights regarding your personal data. These include: 

Right to Access: 

Request access to the specific personal data we hold about you, which we will provide in a user-friendly format. 

Right to Know: 

Understand what personal data we have, its sources, the purposes for holding it, and any parties it has been shared with. 

Right to Deletion: 

Ask us to delete your personal data. We aim to comply unless legal or business obligations require us to retain it. 

Right to Opt-Out of Sales and Sharing for Advertising: 

Choose not to allow the sale or sharing of your personal data for advertising purposes, which can be done via your settings or by contacting us. 

Right to Object to Processing: 

Object to the processing of your data, including profiling. Any previously given consent can be withdrawn at any time. 

Right to Correct Your Data: 

Request corrections if you find inaccuracies in your data. 

Right to Exercise Rights Without Discrimination: 

Be assured that exercising these rights will not result in unfair treatment. 

Limitations and Representation: 

Some rights may be limited by law or technology. If your data is held on behalf of another entity, you may need to contact them directly. 

To exercise your rights, contact us with sufficient proof of your identity. You may also designate an authorized representative, provided we receive verifiable proof of their authorization. 

Access and Responses: 

We provide reasonable access to your data at no cost. If immediate access is not feasible, we will specify when it will be provided. If access is denied, we will explain why. 

Queries and Complaints: 

For questions or complaints about your data processing, contact us at If in the EU, you may also approach the European Data Protection Supervisor or your national data protection authority. 

California Consumer Privacy Act (CCPA) Compliance 

Consumer Rights Under CCPA:  

As a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA). These rights include: 

  • The right to know what personal information is being collected about you. 

  • The right to request the deletion of your personal information. 

  • The right to opt-out of the sale of your personal information. 

  • The right to non-discrimination for exercising your privacy rights. 

To exercise your rights under the CCPA, you may contact us at

Virginia Consumer Data Protection Act (VCDPA) Compliance

Consumer Rights Under VCDPA:  

If you are a resident of Virginia, the Virginia Consumer Data Protection Act (VCDPA) grants you the following rights concerning your personal data: 

  • The right to access and correct your personal data. 

  • The right to delete your personal data. 

  • The right to opt-out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling. 

  • The right to data portability. 

Colorado Privacy Act (CPA) Compliance

Consumer Rights Under CPA:  

For residents of Colorado, under the Colorado Privacy Act (CPA), you possess the following rights: 

  • The right to access, correct, or delete your personal data. 

  • The right to opt-out of the processing of personal data for targeted advertising or the sale of personal data. 

  • The right to appeal to a business’s decision about your request concerning your personal data. 

Universal Opt-Out Mechanism: 

We are committed to facilitating your rights under the CPA and will implement universal opt-out mechanisms once they become available. 

Children's Online Privacy Protection Act (COPPA) Compliance

Children’s Privacy:  

Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete the information as soon as possible. 

Security of Your Information 

Commitment to Data Security: 

At Sitoo, we are committed to safeguarding the confidentiality and integrity of your personal data. We employ a range of security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. 

Security Measures: 

Our security measures include, but are not limited to, the use of encryption, firewalls, secure server facilities, and implementation of access control policies. We regularly update and test our security technology to ensure the ongoing safety of your information. 

Employee Training and Awareness: 

Our staff are trained to understand the importance of data security and to handle your personal data responsibly and in accordance with our security protocols and strict standards of confidentiality. 

Compliance and Certifications: 

Sitoo adheres to internationally recognized standards and frameworks for data security and privacy. Sitoo utilizes the ISO 27001 Information Security framework to identify and maintain the assets, technologies, and processes needed to protect Sitoo services to our customers and their information to help ensure the confidentiality, integrity, availability, and privacy of customer data and supporting services. 

We regularly review our compliance with these standards and continually strive to meet or exceed the best practices in data security and privacy. 

Please visit for more information. 

Ongoing Monitoring and Improvement: 

We conduct regular reviews and audits of our security measures and protocols to identify and rectify any potential vulnerabilities. 

Our approach to data security is proactive, and we are committed to adapting and improving our practices in response to new challenges and threats. 

Data Breach Notification 

Breach Notification Protocol:  

In case of a data breach, we will promptly notify affected individuals and regulatory authorities, as required by law. Our notification will include details of the breach, types of data involved, and measures taken in response. 

Data Storage and Retention 

Where Your Data is Stored: 

Sitoo stores your personal data on its servers and those of cloud-based database management services we engage with, some of which are in the United States. 

Retention of Service Data: 

Service data is retained for the duration of your business relationship with Sitoo. Following this, we retain the data for a period to analyze for our operations and for historical and archiving purposes related to our services. 

Retention of Prospect Data: 

Data relating to potential customers (prospects) is kept until it no longer holds business value, after which it is purged from our systems. 

Data Deletion: 

Upon a verified request from you or your authorized agents, we will delete personal data that Sitoo controls. This is in line with your rights as Data Subjects under applicable privacy laws. 

Rights of Erasure and Portability: 

For detailed information about how long your personal data is stored, and for exercising your rights of erasure and data portability, please contact us at

Questions, Concerns, or Complaints 

If you have any questions, concerns, complaints, or wish to exercise your data protection rights, we encourage you to reach out to us. Our team is here to assist you and address any issues you may have regarding your personal data. 

Contact Details: 

Address: Kungsgatan 18, 111 35 Stockholm, Sweden 
Phone: +46 (0)8 500 093 00 

We are committed to addressing your queries promptly and effectively and ensuring your rights are fully respected.