Skip to content
Verta Outsourcing
SV EN

Legal

Privacy Policy

Last updated: 2026-04-14

1. Data controller

Verta Outsourcing, a sole proprietorship registered in Sweden, is the data controller for the personal data described in this policy. Contact: info@verta.se.

2. What data we collect

We collect as little personal data as possible, and only when you contact us yourself.

  • Contact form (/en/contact/): name, email address, company (optional), phone (optional) and your message. The submission is delivered via email to info@verta.se and stored in our inbox.
  • Server logs: our web host (Loopia AB, Sweden) retains IP address, User-Agent and requested URLs for up to 30 days for security and operations.
  • Cookies (only after consent): see section 5.

3. Why we process your data

  • To answer your enquiry — legal basis: legitimate interest (GDPR art. 6(1)(f)) and, during active contract discussion, steps prior to entering a contract (art. 6(1)(b)).
  • Abuse protection (honeypot, rate-limit, logs) — legitimate interest.
  • Marketing measurement (Google Ads) — only after your explicit consent (art. 6(1)(a)).

4. How we protect your data

  • All traffic to verta.se goes over HTTPS (TLS 1.2+) with HSTS.
  • The contact form is protected by honeypot, CSRF tokens and rate limiting.
  • Emails are stored at our email provider (Loopia AB, Sweden) behind a password.
  • Form submissions are retained only as long as needed to respond and to meet accounting obligations (typically up to 7 years for business correspondence under the Swedish Bookkeeping Act). Everything else is deleted continuously.
  • No part of this site runs a WordPress admin, a payment flow, or user accounts — the attack surface is intentionally minimal.

5. Cookies and third-party services

On your first visit a consent banner is shown. No tracking or marketing cookies are set until you accept. Strictly necessary cookies (e.g. theme preference) are always set.

Third-party services that may be activated after consent:

  • Google Ads (Google LLC, USA) — measures conversions from ads. Uses cookies on googleadservices.com and doubleclick.net. See Google's privacy policy. Transfer to the USA is covered by the EU Data Privacy Framework (adequacy decision, 2023).
  • Google Tag Manager (Google LLC) — used only as a container for the above; does not set its own tracking cookies.

You can change or withdraw your consent at any time via in the footer.

6. Is data shared with third parties?

  • Email: Loopia AB (hosts our mail server, Sweden/EU).
  • Web hosting: Loopia AB (Sweden/EU) — server logs as above.
  • Google Ads: anonymous conversion data only, and only if you consented to marketing cookies.
  • We never sell personal data and do not share it beyond the parties named above.

7. Customer Google Ads accounts (API access)

This section covers customers who have engaged us to manage their Google Ads account or another Google product, not visitors to this website.

When we deliver our Google Ads management service, we gain access to the customer's Google Ads account through Google's official invitation flow and, where agreed, via the Google Ads API using an OAuth authorisation granted by the customer itself.

Data that we may read and, where the engagement requires it, modify:

  • campaign structure (campaigns, ad groups, ads, keywords);
  • performance metrics (impressions, clicks, CTR, CPC, conversions, CPA);
  • account settings (budgets, bid strategies, audience segments);
  • conversion tracking and attribution configuration;
  • recommendations and Quality Score exposed by the API.

How we handle that data:

  • Only to deliver the service — the data is used for reporting, optimisation and anomaly alerts as agreed with the customer.
  • Limited Use — we comply with the Google API Services User Data Policy, including the Limited Use requirements. We do not sell, transfer or share the data with third parties, do not use it to train general AI models, and do not mix data between customers.
  • Stored within the EU — retrieved data is kept in our internal systems within the EU, behind encryption in transit (TLS) and at rest, with per-person access control and two-factor login.
  • Retention — data is kept for as long as the engagement runs and up to 30 days after it ends (for the handover report). Working copies are then deleted. Invoices and other records required by Swedish law (the Bookkeeping Act) are retained according to that law.
  • Access can be revoked at any time — the customer can disable our access directly at ads.google.com or in their Google account security settings. We then immediately stop making API calls against the account.
  • Data Processing Agreement (DPA) — where the data we handle on the customer's behalf includes personal data, we enter into a separate DPA under GDPR art. 28.

For full contractual terms covering this kind of engagement, see our terms of service.

8. Your rights (GDPR)

You have the right to:

  • request a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • request erasure ("right to be forgotten");
  • object to processing based on legitimate interest;
  • withdraw consent at any time (without affecting the lawfulness of prior processing);
  • file a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

Contact us at info@verta.se to exercise these rights. We respond within 30 days.

9. Changes

We may update this policy when law or our services change. The date at the top reflects the most recent change. Material changes are announced via the consent banner.

Svensk version

  • Navigation
  • Home /en/
  • Services /en/services/
  • About /en/about/
  • Contact /en/contact/
  • Actions
  • Copy email address info@verta.se
  • Call +46 76 369 50 14
  • Open LinkedIn
  • Theme
  • Light theme
  • Dark theme
  • Language
  • Svenska /
↑↓ navigate select esc close
verta.se