Last Updated: November 2, 2025
The Way Technologies AB ("we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, share, and protect information in compliance with the General Data Protection Regulation (GDPR) and Swedish data protection law. It applies to users ("you", "your") of our platform The Shed ("the Service"), where organizations can create and use AI-generated tools.
The Way Technologies AB
Organization Number: 559426-7626
Address: Bergsgatan 59, 112 31, Stockholm, Sweden
Legal Contact: contact@the-way.se
General Contact: contact@the-shed.app
We collect the following types of personal data:
• Personal Identification: Name, email address
• Authentication Data: Login credentials (if you sign in with email/password), or OAuth tokens (if you sign in with Google)
• Organization Data: Organization membership, access permissions, and roles
• Tool Content: AI-generated tools created within your organization, including tool descriptions, configurations, and source code
• AI Prompts: Descriptions and instructions you provide to our AI agents to create or modify tools
• Usage Data: Tool creation and usage activity, feature usage, and interaction logs
• Device Information: IP address, browser type and version, device type
• Session Data: Authentication cookies (essential for service operation)
Note: We do not collect or store payment information. All payment processing is handled by our payment provider, who acts as our Merchant of Record. They collect and process payment data (credit card details, billing address) in accordance with their own privacy policy and PCI-DSS compliance standards.
We process your personal data for the following purposes:
• Service Delivery: Provide and operate the Service, including AI-assisted tool creation and hosting
• Authentication: Manage user accounts and maintain secure session authentication
• Organization Management: Control access to organization data and ensure only authorized members can access their organization's tools and data
• AI Processing: Process your prompts and descriptions through AI models to generate and modify tools
• Communication: Send transactional emails (organization invitations, password resets, service updates)
• Service Improvement: Analyze usage patterns to improve our platform and develop new features
• Security: Prevent fraud, abuse, and ensure platform security
• Legal Compliance: Comply with legal obligations and respond to lawful requests
We process personal data based on the following legal grounds under GDPR:
• Contractual Necessity (Art. 6(1)(b)):Processing is necessary to provide the Service under our Terms and Conditions (account management, tool creation, hosting)
• Legitimate Interests (Art. 6(1)(f)): We process data for security, fraud prevention, service improvement, and sending transactional emails (such as organization invitations)
• Legal Obligations (Art. 6(1)(c)): We process data when required by Swedish or EU law (e.g., tax reporting, court orders)
• Consent (Art. 6(1)(a)): Where explicitly requested, such as for optional features or communications
We do not sell your personal data. We share data only with trusted service providers who process data on our behalf under strict data processing agreements (DPAs) and are GDPR-compliant:
• Payment Processing: Our payment provider acts as Merchant of Record, handling all payment processing, billing, tax compliance, and subscription management
• AI and Code Generation: AI service providers process your tool descriptions and prompts to generate and modify tools
• Hosting and Infrastructure: Cloud hosting providers for database storage, code repositories, and tool deployment
• Communication Services: Email service providers for transactional emails (invitations, password resets)
• Authentication: OAuth providers (e.g., Google) if you choose to sign in with third-party authentication
We may also share data:
• Legal Requirements: To comply with applicable law, legal process, court orders, or government requests
• Business Transfers: If we are involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction (you will be notified beforehand)
Some of our service providers are located outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure it is protected by adequate safeguards:
• EU Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission with providers in non-EEA countries
• Adequacy Decisions: Where available, we rely on European Commission adequacy decisions
Your data remains subject to GDPR protections regardless of where it is processed.
We retain your personal data only for as long as necessary for the purposes outlined in this policy or as required by law.
User account data (name, email, organization memberships) and organization data (tools, configurations) are retained while your account is active or your organization maintains a subscription.
If your subscription lapses, your account remains accessible with limited functionality, and your data is retained. You can request deletion at any time.
If you request account deletion (contact@the-way.se):
• Your personal data (name, email) will be deleted within 30 days
• Organization data (tools, code) may be retained if other members remain in the organization, but your personal association with that data will be removed
Server logs and analytics data are retained for up to 30 days.
Backups containing your data may be retained for disaster recovery purposes for up to 30 days after deletion request.
As a data subject under GDPR, you have the following rights:
• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Correct any inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Where processing is based on consent, you can withdraw it at any time
To exercise these rights, contact us at: contact@the-way.se
We will respond to your request within 30 days as required by GDPR.
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Swedish Data Protection Authority:
Integritetsskyddsmyndigheten (IMY) / Swedish Authority for Privacy Protection
Website: www.imy.se
Email: imy@imy.se
We implement industry-standard technical and organizational measures to protect your data:
• Encryption: Data in transit is encrypted using TLS/SSL; data at rest is encrypted by our hosting providers
• Access Controls: Strict organization-level access controls ensure only authorized members can access their organization's data
• Authentication: Secure session management and OAuth integration
• Monitoring: Security logging and monitoring for unauthorized access attempts
However, no system is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
We use only essential cookies that are strictly necessary for the Service to function. These cookies are used for:
• Session Authentication: Maintain your logged-in state and secure your session
• Security: Prevent cross-site request forgery (CSRF) attacks
These cookies expire after 30 days or when you explicitly log out. Under GDPR, essential cookies do not require explicit consent as they are necessary for the service you requested.
We do not use:
• Analytics or tracking cookies
• Advertising cookies
• Third-party cookies (except OAuth during sign-in if you use Google login)
The Service is intended for business use and not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at contact@the-way.se.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:
• Updating the "Last Updated" date at the top
• Posting a notice in the application or sending an email for material changes
Your continued use of the Service after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or have privacy concerns:
Legal/Privacy Requests: contact@the-way.se
General Inquiries: contact@the-shed.app