🔒 Privacy Policy
Last updated: 2026-03-13
1. Introduction
Welcome to Kunskapsstjärnan! We take your privacy seriously and comply with the EU General Data Protection Regulation (GDPR). This privacy policy explains how we collect, use, store and protect information depending on whether you are logged in or visiting the site as a guest.
2. What information is collected?
There is a clear distinction between what is recorded depending on whether you visit the site without an account (guest) or are logged in with an account.
No personal information is collected
All information generated during your visit is stored only locally in your browser's localStorage and never on our servers.
- Visit counter: Anonymously logs which page you visited, your language selection, and whether you stayed on the page for more than 20 seconds. None of this is linked to you as a person, your IP address, or any other identifiable information.
- Language preference: Stored locally in your browser
- Exercise data: Any answers and progress are stored locally only
- No cookies for tracking, profiling or marketing are set
- No IP address or other identifiable information is logged
Personal data is stored securely in our database
When you create an account and log in, we collect the necessary data to provide the service.
- Username – to identify your account
- Email address – for verification and password reset
- First and last name – for personal identification
- Password – hashed with Argon2id, never stored in plain text
- GDPR consent – date and confirmation of consent
- IP address – for security and abuse prevention
- Login history – timestamp of most recent login
- Course progress – results and activity in exercises
3. How is the information used?
👤 Not logged in – guest
The visit counter logs three anonymous data points: which page was visited, which language is selected, and whether the visitor stayed on the page for more than 20 seconds. None of this data is linked to a specific person, IP address, or device. The information is used solely to understand which parts of the website are used, in order to improve the content.
🔐 Logged-in user
We use your personal data to:
- Create and manage your user account
- Provide our educational services
- Track your learning progress and personalise your experience
- Send important messages about your account and the service
- Protect against abuse and security risks
- Improve and develop our services
- Comply with legal requirements
4. Cookies and local storage
👤 Not logged in – guest
We do not set any tracking or marketing cookies for non-logged-in visitors.
Your language preference and any exercise data are stored only in your browser's localStorage on your own device. This data never leaves your device and is deleted if you clear your browser's stored data.
🔐 Logged-in user
We use essential cookies for:
- Session cookie: Keeps you logged in during your visit
- Security cookie: CSRF protection and secure authentication
- Language preference: Remembers your selected language
We do not use cookies for tracking, third-party behavioural analysis, or profiling.
5. Google Ads and third-party advertising
Kunskapsstjärnan uses Google Ads to display advertisements on the website. Google may use cookies and similar technologies to show ads based on your previous visits to this and other websites.
What does Google collect?
Google may collect information via advertising cookies, including:
- Your IP address (anonymised)
- Browser type and device type
- Pages you have visited on this and other websites
- Your approximate geographic location
- Interactions with ads (clicks, impressions)
Purpose
The information is used by Google to display relevant ads, measure ad effectiveness, and prevent ad fraud. Kunskapsstjärnan does not receive personally identifiable information from Google in this context – we only see aggregated, anonymous advertising statistics.
Your choices regarding Google Ads
- Opt out of personalised ads: Visit adssettings.google.com
- General opt-out from Google Analytics advertising: Install the Google Analytics opt-out browser add-on
- Google's privacy policy: policies.google.com/privacy
We have entered into a Data Processing Agreement (DPA) with Google in accordance with GDPR requirements to ensure that any processing takes place lawfully.
5b. About localStorage – security and responsibility
What is localStorage?
localStorage is an area in your browser where websites can save data locally on your device. Data is never sent to Kunskapsstjärnan's servers and is not accessible to us or any other external party. You as the user own and control this data.
Security and your responsibility
Since data in localStorage stays on your device, its security is directly linked to how well your device and browser are protected. This means, among other things:
- Shared device: If you share a computer, tablet or phone with others, they could potentially view your localStorage data via the browser's developer tools. Log out and clear browser data if you are using a shared device.
- Device protection: If your device is password-protected and up to date, localStorage is as secure as any other local data on the device.
- Malware: Malicious software on your device could theoretically access localStorage. Keep your operating system and antivirus software updated.
- XSS protection: Kunskapsstjärnan protects the website against cross-site scripting (XSS) to prevent external scripts from reading your localStorage data.
- Deleting data: You can delete all localStorage data at any time via your browser settings (Settings → Privacy → Clear site data).
🏫 GDPR, schools and localStorage
Schools and pre-schools that use Kunskapsstjärnan as a teaching tool are affected by GDPR in a particular way, especially regarding pupils under the age of 16.
When pupils use the website without an account (guest):
- No personal information is sent to Kunskapsstjärnan's servers. All data stays in the browser's localStorage on the school's device.
- Since no personal data is processed by us, schools generally do not need to obtain parental consent solely because pupils visit the website as guests.
- It is, however, the school's responsibility to ensure that the devices (computers, tablets) in use are properly configured and that localStorage is cleared regularly, particularly on shared devices.
When pupils create an account (logged in):
- Personal data (name, email, etc.) is then processed by Kunskapsstjärnan. Pupils under 16 require parental or guardian consent in accordance with GDPR Article 8.
- If the school administers accounts on behalf of pupils, the school acts as a data processor and should enter into a Data Processing Agreement (DPA) with Kunskapsstjärnan. Contact us at daniel@kunskapsstjarnan.se to set up such an agreement.
- The school is responsible for informing parents and guardians about how pupil data is handled, in accordance with GDPR's transparency requirements.
6. Storage and security
👤 Not logged in – guest
No personal information is stored on our servers. The anonymous visit statistics — page, language preference and whether the visit exceeded 20 seconds — contain no information that can be linked to you as a person, your IP address or your device, and are stored in aggregated form only.
🔐 Logged-in user
We protect your data through:
- Password hashing: All passwords are hashed using the Argon2id algorithm
- HTTPS: All communication takes place via a secure SSL/TLS connection
- SQL protection: Prepared statements prevent SQL injection
- Rate limiting: Protection against automated attacks
- Session security: Secure session cookies with the HttpOnly and Secure flags
- Regular updates: The system is kept up to date with security patches
Retention periods (logged-in users)
- Active account: For as long as the account is active
- Inactive account: Deleted after 24 months of inactivity (after warning)
- Deleted account: Data is permanently deleted within 30 days
- Security logs: Retained for 12 months
7. Sharing of data
👤 Not logged in – guest
No personal data is collected and therefore no personal data is shared with third parties. See section 5 for how Google Ads handles information independently of us.
🔐 Logged-in user
Your data is shared only:
- With your consent: When you explicitly approve sharing
- To fulfil the service: E.g. email provider for sending verification emails
- Under legal obligation: If we are legally required to disclose data
- In the event of a security threat: To protect our users and services
Third-party services we use:
- Email service: PHPMailer via Websupport.se SMTP (email filtering handled by Halon Security AB, Sweden)
- Web hosting: Websupport.se – see below for details
- Advertising: Google Ads (see section 5)
🖥️ About Websupport as web host
Kunskapsstjärnan is hosted on servers at Websupport.se, which is part of the European team.blue group, together with the Swedish company Loopia AB. Below is relevant information about how Websupport handles data:
- Server location: Websupport always strives to process data within the EU/EEA. In some cases, data may be transferred to and processed in countries outside the EU/EEA, for example via sub-processors. In such cases, Websupport guarantees that processing is carried out with appropriate safeguards (e.g. standard contractual clauses).
- Security: Websupport operates a multi-level security system with logical network constraints, access controls and intrusion protection, and works in accordance with the "Privacy by design" principle.
- Data Processing Agreement (DPA): Websupport offers a DPA to all its customers in accordance with GDPR. Such an agreement governs how Websupport as a data processor handles the data stored on their servers.
- Sub-processors: Websupport itself uses a number of sub-processors, some of which are located outside the EU (e.g. Microsoft and Google for internal systems). A full list is available at Websupport's registry of processors.
- Websupport's privacy policy: websupport.se/en/about-websupport/data-protection/
8. Your rights under GDPR
👤 Not logged in – guest
Since we do not collect personal data about you as a guest, there is no data to request, correct or delete with us. Data in your browser's localStorage can be deleted by you directly via your browser settings.
If you wish to limit Google Ads data collection, see the options in section 5.
🔐 Logged-in user
You have the right to:
- Right of access (Art. 15): Receive information about what data we store about you and how it is used.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure – "the right to be forgotten" (Art. 17): Request that we delete your personal data.
- Right to restriction of processing (Art. 18): Request that the processing of your data be restricted.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to the processing of your personal data.
- Right to withdraw consent (Art. 7): Withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Email: daniel@kunskapsstjarnan.se
We will respond within 30 days.
9. Children's privacy
Kunskapsstjärnan may be used by children under the age of 16, but a registered account requires the consent of a parent or guardian. As a guest (not logged in), no personal information is collected whatsoever, meaning children can use the website without registering and without providing any data.
If we discover that we have collected personal data from children under the age of 16 without parental consent, we will take immediate steps to delete the data.
10. Changes to this privacy policy
We may update this policy as needed. Significant changes will be communicated by email (to logged-in users) and/or on the website at least 30 days before they take effect. The most recent update date is always shown at the top of this page.
11. Complaints to the supervisory authority
If you believe that we are processing your personal data incorrectly, you have the right to lodge a complaint with:
Swedish Authority for Privacy Protection
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 8-657 61 00
Email: imy@imy.se
Website: www.imy.se
📧 Contact us
Do you have questions about this privacy policy or how we handle your personal data?
Email: daniel@kunskapsstjarnan.se