Privacy Policy

Effective Date: January 15, 2026
Last Updated: January 15, 2026

Data Controller Information

Things at Web Sweden AB acts as the Data Controller for personal data we collect and process.

Information We Collect

2.1 Personal Information

When you register for Virtual Tour 360, we collect:

• Identity Data: Name, username
• Contact Data: Email address, phone number (optional)
• Business Data: Company name (optional), VAT number (for EU B2B customers)
• Financial Data: Billing address, payment card type and last 4 digits (full payment details processed by Razorpay, not stored on our servers)
• Account Data: Username, password (encrypted), subscription plan details

2.2 Technical and Usage Information

We automatically collect:

• Technical Data: IP address, browser type and version, device information, operating system, screen resolution
• Usage Data: Pages visited, features used, time spent on platform, tour creation statistics, click patterns
• Location Data: Geographic location derived from IP address (country/city level)
• Performance Data: Loading times, errors, feature performance metrics

2.3 Content You Create

• 360 degree images and panoramas
• Virtual tour names, descriptions, and metadata
• Hotspot content (text, images, links)
• Custom styling and branding settings
• Embedded media and assets

2.4 Communications

• Support tickets and customer service correspondence
• Feedback, surveys, and reviews
• Marketing communication preferences

2.5 Special Categories of Data

We do not intentionally collect special categories of personal data (health information, racial or ethnic origin, religious beliefs, biometric data, sexual orientation) unless you voluntarily include such information in your tour content. If you do, you are responsible for obtaining necessary consents and complying with applicable laws.

How We Collect Your Information

• Direct Interactions: When you register, create tours, contact support, or communicate with us
• Automated Technologies: Cookies and similar technologies when you use our platform (see Section 11)
• Third Party Services: Payment processor (Razorpay), analytics providers, hosting services
• Public Sources: Publicly available business information for B2B customers

Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we process your personal data based on the following legal grounds:

How We Use Your Information

We use your personal data for the following purposes:

• Provide and maintain Virtual Tour 360 services
• Process subscriptions, payments, and billing
• Authenticate users and manage accounts
• Deliver customer support and respond to inquiries
• Monitor and improve platform performance
• Analyze usage patterns to enhance features
• Detect and prevent fraud, abuse, and security threats
• Comply with legal obligations (tax, accounting, law enforcement)
• Send service notifications (account changes, billing, security alerts)
• Send marketing communications (only with your consent)
• Conduct research and development for new features

Data Sharing and Disclosure

6.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.2 Service Providers and Processors

We share data with trusted third party service providers who process data on our behalf:

• Payment Processing: Razorpay (India) – processes payment transactions under Standard Contractual Clauses
• Cloud Hosting: AWS, DigitalOcean, or similar (EU/US data centers)
• Email Services: SendGrid, Mailgun, or similar transactional email providers
• Analytics: Google Analytics (with IP anonymization enabled)
• Customer Support: Help desk and ticketing systems
• CDN Services: Content delivery networks for tour hosting

All processors are bound by Data Processing Agreements compliant with GDPR Article 28.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, including:

• Compliance with legal obligations
• Protection of our legal rights
• Prevention of fraud or security threats
• Protection of safety of users or the public

6.4 Business Transfers

In the event of merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and prominent website notice before your data is transferred and becomes subject to a different privacy policy.

6.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

International Data Transfers

Virtual Tour 360 is operated from Sweden (EU/EEA). However, we may transfer your personal data to countries outside the EU/EEA, including:

7.1 Transfer Safeguards

When transferring data internationally, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU Commission approved clauses (2021 version) with all non-EU processors
• Adequacy Decisions: Transfers to countries deemed adequate by EU Commission
• EU-US Data Privacy Framework: For US service providers certified under the framework
• Additional Safeguards: Encryption (AES-256), access controls, pseudonymization where applicable

7.2 Specific Transfers

• India (Razorpay): Payment processing under SCCs with encryption and limited data scope
• United States: Cloud services and analytics (AWS, Google) under SCCs or Data Privacy Framework

7.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) as required by GDPR to ensure data protection standards are maintained for international transfers.

Data Security

We implement comprehensive security measures to protect your data:

8.1 Technical Measures

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication
• Network Security: Firewalls, intrusion detection/prevention systems
• Secure Development: Regular security testing, code reviews, vulnerability scanning

8.2 Organizational Measures

• Staff Training: Regular data protection and security training
• Confidentiality: All employees bound by confidentiality agreements
• Access Limitation: Strict need-to-know access policies
• Incident Response: Documented procedures for security incidents

8.3 Regular Audits

• Annual security audits and penetration testing
• Continuous monitoring and logging
• Regular backup and disaster recovery testing

8.4 No Absolute Security

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly of any breach as required by law.

Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

9.1 Deletion After Retention Period

After the retention period expires, we securely delete or anonymize your personal data unless longer retention is required by law.

Your Rights

10.1 Rights Under GDPR (EU/EEA/UK Users)

You have the following rights regarding your personal data:

• Right of Access: Request copies of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure (Right to be Forgotten): Request deletion of your data (subject to legal retention requirements)
• Right to Restriction: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent where processing is based on consent
• Right to Object to Automated Decision-Making: Not be subject to decisions based solely on automated processing (we do not use automated decision-making)

10.2 Rights Under CCPA (California Users)

California residents have additional rights:

• Right to Know: Request disclosure of personal information collected in the past 12 months
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

10.3 How to Exercise Your Rights

10.4 Response Timeline

We will respond to your request within:

• GDPR: 1 month (extendable by 2 months for complex requests)
• CCPA: 45 days (extendable by additional 45 days)

10.5 Identity Verification

We may request additional information to verify your identity before processing rights requests to protect against fraudulent requests.

10.6 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

• Sweden (Lead Authority): Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden – www.imy.se
• EU/EEA Users: Your local supervisory authority
• UK Users: Information Commissioner’s Office (ICO) – ico.org.uk

Cookies and Tracking Technologies

11.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies (web beacons, pixels) to enhance your experience.

11.2 Types of Cookies We Use

• Essential Cookies: Required for platform functionality (authentication, security, session management). These do not require consent.
• Performance/Analytics Cookies: Help us understand how users interact with our platform (Google Analytics with IP anonymization)
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Used to deliver relevant advertising and measure campaign effectiveness (only with your consent)

11.3 Cookie Consent

Upon your first visit, you will see a cookie consent banner. We do not use non-essential cookies until you explicitly consent. You can:

• Accept all cookies
• Reject non-essential cookies
• Customize your cookie preferences
• Change preferences anytime through cookie settings

11.4 Third Party Cookies

Some cookies are placed by third party services that appear on our pages:

• Google Analytics (analytics and performance)
• Payment processor cookies (Razorpay)
• Social media plugins (if you interact with them)

11.5 Managing Cookies

You can control cookies through:

• Browser Settings: Most browsers allow you to refuse/delete cookies
• Cookie Settings Link: Available in website footer
• Opt-Out Tools: Google Analytics opt-out: tools.google.com/dlpage/gaoptout

Note: Blocking essential cookies may affect platform functionality.

11.6 Cookie Duration

Cookie preferences are stored for 12 months. You will be asked to renew consent after this period.

Third Party Links and Services

Virtual Tour 360 may contain links to third party websites, integrations, or services (e.g., social media, external tour destinations). We are not responsible for the privacy practices of these external services. We encourage you to review their privacy policies before providing any personal information.

If you embed Virtual Tour 360 tours on your own website, your website’s privacy policy applies to visitors of that website.

Children’s Privacy

Virtual Tour 360 is not intended for individuals under 16 years old (or the applicable age of digital consent in your jurisdiction, whichever is higher).

Specific Age Requirements:

• EU/EEA: 16 years (unless member state sets lower age 13-16)
• Sweden: 13 years (as per Swedish law)
• US: 13 years (COPPA compliance)
• UK: 13 years

We do not knowingly collect personal data from children below these ages. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@virtualtour360.ai and we will promptly delete such data.

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

14.1 To Supervisory Authorities

• Notify relevant supervisory authority (IMY) within 72 hours of becoming aware of the breach (GDPR Article 33)
• Provide details of the breach, affected data, and mitigation measures

14.2 To Affected Individuals

• Notify you without undue delay if the breach is likely to result in high risk to your rights and freedoms (GDPR Article 34)
• Provide information about: nature of the breach, likely consequences, measures taken to address the breach, recommended protective measures

14.3 Breach Response

Our incident response procedures include:

• Immediate containment and investigation
• Assessment of impact and risk level
• Notification to authorities and affected individuals as required
• Remediation and preventive measures
• Documentation and post-incident review

Data Processing Agreements

When we process personal data on behalf of our clients (as a Data Processor), we enter into comprehensive Data Processing Agreements (DPAs) that comply with GDPR Article 28. These agreements include:

• Clear definition of processing purposes and instructions
• Confidentiality obligations for all personnel
• Security measures and breach notification procedures
• Sub-processor arrangements and approval requirements
• International transfer safeguards
• Assistance with data subject rights requests
• Audit rights for clients
• Data deletion or return upon contract termination

For DPA requests, contact: legal@virtualtour360.ai

Your Responsibilities

When using Virtual Tour 360, you are responsible for:

• Content Compliance: Ensuring your tour content complies with applicable laws, including data protection laws if you include personal data
• Consents: Obtaining necessary consents from individuals whose personal data you include in tours
• Account Security: Keeping your password secure and not sharing account access
• Accurate Information: Providing accurate registration and billing information
• Third Party Data: Complying with privacy laws when embedding tours on your website

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• The updated policy will be posted on this page with a revised “Last Updated” date
• For material changes, we will notify you via email (to your registered email address)
• For material changes, we will provide prominent notice on our website
• The updated policy becomes effective immediately upon posting
• Continued use of Virtual Tour 360 after changes constitutes acceptance of the updated policy

We encourage you to review this policy periodically to stay informed about how we protect your data.

Legal Compliance Framework

This Privacy Policy is designed to comply with:

• EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679
• Swedish Data Protection Act: Dataskyddslagen (2018:218)
• Swedish Accounting Act: Bokföringslagen (1999:1078) – for financial data retention
• EU ePrivacy Directive: Cookie consent requirements
• UK GDPR: Post-Brexit UK data protection law
• California Consumer Privacy Act (CCPA): For California residents
• Other US State Privacy Laws: Virginia CDPA, Colorado CPA, etc. as applicable