Privacy Policy
Last updated: May 7, 2026
Nordalster AB (559279-8002), hereafter "staik", is committed to protecting your privacy. This policy describes how we collect, use, and protect your personal data when you visit api.staik.se.
1. Data Controller
Nordalster AB (559279-8002)
Email: customercare@staik.se
2. Data We Collect
We collect the following data depending on how you use the service:
- Email address: when registering for an API key or Early Adopter slot
- Payment details: handled by Stripe (we never store card details)
- API usage data: token count and requests per day
- Web analytics: anonymized page views via Google Analytics (GA4), only if you accept cookies
3. Cookies
We use the following cookies:
- Essential cookies: required for the site to function (no consent needed)
- Analytics cookies (Google Analytics): _ga, _ga_*. Only set after your explicit consent. Used to understand how the site is used. Data is anonymized and not shared with third parties.
You can change your cookie settings at any time via "Cookie settings" in the footer.
4. How We Use Your Data
- Provide and improve the API service
- Send operational emails (token warnings, account information)
- Comply with applicable laws and accounting requirements
5. Data Storage and Sub-processors
We never store prompts or responses from the API. Traffic passes through our gateway servers in Sweden at HostUp (Obehosting AB) in Älvsjö and is forwarded to GPU nodes in Sweden for inference, but neither prompts, responses, nor other request payloads are persisted to disk or database. What we do store in Sweden is usage statistics (token count, model, timestamp), account information and payment metadata. To operate the service we engage the following sub-processors, each of which handles a different part of the personal data:
- HostUp (Obehosting AB), Sweden: hosting of gateway VPS and object storage for blog images. Processes API traffic in transit and stores usage statistics, account information and payment metadata.
- BunnyWay d.o.o., Slovenia (EU): authoritative DNS for the staik.se zone. Processes IP addresses associated with DNS lookups against our zones. Slovenian company within EU/EEA, no CLOUD Act exposure.
- Stripe Payments Europe Ltd, Ireland: payment processing. Processes email addresses and payment information (card data is never stored with us).
- Scaleway SAS (Iliad group), France (Paris): transactional email via Transactional Email Manager. Processes email addresses and message content within the EU. French parent company, no CLOUD Act exposure.
- Google LLC (Google Analytics 4), USA: anonymized web analytics. Activated only with your consent. Processes IP address, cookie ID and page views.
- Google LLC (Indexing API), USA: pings Google to index new blog pages. Processes only public URL strings, no personal data.
Our stated intention is to use Swedish and European providers wherever it is practically possible. Our core infrastructure (gateway, GPU inference, databases, payments, email, mesh network, DNS) sits within the EU/EEA. Our mesh control plane and DERP relay run on Headscale (open source, BSD-3) on a dedicated Swedish VPS, and DNS on BunnyWay in Slovenia. Where we still use US-based providers (Google for analytics and indexing) we have made a trade-off between functionality and data sovereignty, and we continuously evaluate European alternatives so we can replace them over time.
During 2026 we have systematically phased out US-based sub-processors from our operational stack: AWS → HostUp (April), Tailscale → Headscale (7 May), Resend → Scaleway TEM (12 May), Cloudflare → BunnyWay (14 May). The remaining US sub-processors are Google Analytics 4 (opt-in, only activated with your consent) and Google Indexing API (public URLs only, no personal data). Traffic is encrypted in transit and we store neither prompts nor responses, so there is no such data on our side to disclose, regardless of jurisdiction.
Want copies of our Data Processing Agreements (DPA) with the providers listed above? Email customercare@staik.se and we will send them.
6. International Transfers
Several of our sub-processors are established outside the EU/EEA, primarily in the US. For these transfers we apply the following safeguards under GDPR art. 46:
- EU Commission Standard Contractual Clauses (SCC) as the legal basis for the transfer.
- Technical safeguards: TLS encryption in transit and data minimization (no prompts or responses are stored with us).
- Data minimization: only metadata, email addresses and IP addresses are sent to third countries. Prompts and responses from the API are not stored at all and are only forwarded to our GPU nodes in Sweden.
Affected providers for third-country transfer: Google (GA4, Indexing API). Stripe processes payments within the EU (Ireland) but has a US parent company. Transactional email (Scaleway TEM, France), DNS (BunnyWay, Slovenia) and other core infrastructure are handled entirely within the EU/EEA.
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) you have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to processing
- File a complaint with the Swedish Authority for Privacy Protection (IMY)
You can delete your account and all data directly from your Dashboard.
8. Contact
Questions about how we handle your personal data? Contact us at customercare@staik.se.