Co. Society AB’s Privacy Policy

Co Society Data and Security

Overview

Our SaaS product is built around three major components, each designed to work seamlessly together to deliver a secure and user-friendly experience:

Dashboard – A single-page web application (SPA) that allows users to manage their account settings, book meetings, and configure organizational preferences. This interface is designed for ease of use and administrative control.
App – A browser-based Unity WebGPU application that provides an interactive 3D virtual environment where users can meet, communicate, and collaborate in real time. The app runs as a static web page and connects to backend services as needed.
Backend – A secure and scalable .NET-based backend service that handles core functionality such as meeting scheduling, user management, and persistent data storage. It is connected to a relational database and exposed via a RESTful API.  All components are fully hosted within Microsoft Azure, in a European datacenter, ensuring that data residency requirements are met and benefiting from the built-in scalability, availability, and compliance of the Azure platform

Client-Side Operation

Co. Society runs entirely in the browser, following a standard Software-as-a-Service (SaaS) model. Users do not need to install any software on their devices—everything is delivered via web technologies, including our Unity-based 3D app and the admin dashboard. Modern browsers may temporarily cache parts of the application, such as static assets, to improve performance and reduce load times for repeat visits. This caching is handled entirely by the browser and does not involve persistent local storage or manual installation.

User Authentication

We use Azure Active Directory B2C to handle user authentication, ensuring that sign-up and login processes are secure, scalable, and compliant with modern security standards. Azure B2C supports strong authentication methods, including username/password with multi-factor authentication, as well as federated logins via Microsoft 365 and Google accounts. This not only provides a smooth experience for end users but also allows organizations to enable Single Sign-On (SSO) with their existing identity providers. Built on Microsoft’s trusted cloud infrastructure, Azure B2C includes protection against common threats like brute force attacks, and benefits from continuous security monitoring and updates.

Client – Server communication

Once a user is authenticated, our web application communicates securely with our backend via REST APIs. Both the frontend and the backend are hosted in Microsoft Azure, and all communication is encrypted using HTTPS (TLS 1.2 or higher) to ensure data is protected in transit. Access to the APIs is secured using Azure B2C-issued tokens (JWT), which are validated server-side to authenticate and authorize each request. This setup ensures that only authenticated users can access protected resources, and that all data transferred between the frontend and backend is encrypted and tamper-proof.

Audio, Video, and Text Communication

For real-time voice and text communication, we use Vivox, an industry-standard solution developed by Unity and trusted by leading online games and virtual platforms. Vivox provides reliable, low-latency audio and chat functionality. Importantly, no audio or text messages are stored, recorded, or analyzed, ensuring user conversations remain private and ephemeral. For video communication—such as webcam streaming and screen sharing—we integrate Odin by 4Players. Odin enables users to share their video feed or screen with others in the virtual environment. Like Vivox, Odin is designed for real-time performance and privacy, without storing or processing video data beyond the live session.

Data Storage

In addition to using Azure B2C for secure user authentication, we use MongoDB for persistent data storage. The only user-related information we store is the email address, first and last name, booked meetings, and a link to the user’s avatar (the avatar is stored separately, see below). We intentionally keep stored data minimal to reduce risk and comply with privacy best practices.

Access to the database is tightly controlled. Even for internal access—such as by developers or administrators—we use IP whitelisting via Azure, ensuring that only approved machines can connect, and typically only for temporary maintenance or debugging purposes.

User avatars are stored separately in Azure Blob Storage, which is configured for secure access and restricted permissions, ensuring that files are protected both at rest and during transfer.

Network

Co. Society uses Coherence.io to network entities. This is mainly for user avatar positions and animations and no personal data is being transmitted this way.

Asset storage

All Co Society assets, such as repository for code and graphical assets, are hosted in Microsoft Azure, on European servers.

Content

What is personal data and what is processing of personal data?
Personal data is any information about a living natural person that can be directly or indirectly linked to that person. This may include names and social security numbers, but also images, e-mail addresses and IP addresses. Processing of personal data means all forms of handling of personal data. It can be an operation or a combination of measures such as collection, registration, structuring, storage, processing and transfer of personal data.
Who is responsible for the personal data we collect?
Co. Society AB (org.nr 559325-9012) with address Norrlandsgatan 10, 111 43 Stockholm, is the data controller for the company’s processing of personal data. If you have any questions about the personal data that we process please contact us at privacy@cosociety.co.
Sensitive data
In our service we don’t process any data that could be classified as sensitive in accordance with the data protection regulation. If any such data would be communicated with us we immediately make sure that this information is deleted.
From which sources do we collect your personal data?
We mainly collect information about you when the company where you are employed at chooses to sign an agreement with us for the use of our platform and you as an employee are either appointed as administrator/superuser of the service or use it as part of your daily work. In connection with conducting tests for the development of the platform, the data is collected from the data subject. For marketing and communication about our service, we either collect your data from public sources or from you after initial contact,
Who may we share your personal data with?
Personal data assistants. In cases where it is necessary for us to be able to offer our service/product, we share personal data with companies that are personal data processors for us. A personal data processor is a company that processes personal data on our behalf and in accordance with our instructions. When personal data is shared with data processors, it is only for purposes that are compatible with the purposes for which we initially collected the data. We conduct ongoing checks of all personal data processors to ensure that they can provide sufficient guarantees regarding the security and confidentiality of personal data. We have written agreements with all personal data processors through which they guarantee the security of the personal data processed. More information about which personal data processors we use can be found in the appendix to this privacy policy.
Where do we process your personal data?
We always strive to process your personal data within the EU/EEA. For system support and maintenance, we may be required to transfer certain personal data to a country outside the EU/EEA. This may be the case if we share your personal data with a personal data processor who is established or stores information in a country outside the EU/EEA through an approved subcontractor. In such a case, the personal data processor may only access information that is relevant to the specific situation. For the transfer of your personal data to a country outside the EU/EEA, these countries may have laws that gives the public authorities the right to request personal data stored in the country for the purpose of fighting crime or defending national security. Regardless of whether it is we or one of our suppliers who process your personal data, we will ensure a high level of protection in the event of a transfer of these and that appropriate safeguards have been taken in accordance with applicable data protection regulations. Such safeguards include, among other things, ensuring: If the EU Commission has decided that the country outside the EU/EEA to which your personal data is transferred achieves an adequate level of protection equivalent to the level of protection provided by the GDPR. That the EU Commission’s standard contractual clauses between us and the company that is the recipient of the personal data outside the EU/EEA. This means that the recipient guarantees that the protection that the personal data receives is the same as the requirements set out in GDPR. Information regarding which countries that are considered to have an adequate level of protection of personal data in their regulation is found on the EU commissions website. More information regarding standard contractual clauses can be found here.
How long do we save your personal data?
We never save your personal data longer than is necessary for each purpose. The identified necessary storage time for each processing activity are specified in more detail under the respective purposes/processing above.
What are your rights as a data subject?
As a data subject, you have a number of rights under the data protection regulation (GDPR) that give you control over your own personal data, including obtaining information directly from us about how we process your personal data. If you want to know more about your rights or get in touch with us to use any of your rights, the easiest way to do it is to send an email on privacy@cosociety.co. As a data subject, you have the following statutory rights: Right to be forgotten (Right to have information deleted)In some cases, you have the right to have your personal data deleted. This right applies to:in the event that the data processed about you is no longer necessary for the purposes for which it was collected. If the processing is based on your consent and you withdraw it. If the processing takes place for direct marketing and you object to the processing of the data.If you have objected to personal data processing that we based on legitimate interest and your reason for objection outweighs our legitimate interest.  If the personal data must be deleted in order to comply with a legal obligation to which we are subject. If the personal data is processed unlawfully. Keep in mind that we may deny your request to be forgotten if there are legal obligations for us to save your information for a certain statutory period of time. Right to informationYou have the right to receive information about how we process your personal data, both when the data is collected and when you request more information about the processing. We provide this partly by providing this data protection information, but also by answering questions from you. Right to access your personal data – Register extractYou have the right to find out if we process your personal data and to receive a copy of what personal data we handle, a so-called register extract. This information shows what personal data we process, the purpose of the processing of your personal data, which recipients, if any, may receive your personal data, how long we save your personal data, where the information about you was collected and whether there is any automatic decision-making regarding your personal data. Keep in mind that the right to receive a copy of your personal data does not mean that you always have the right to receive the actual document where your personal data exists, but you are provided with a summary of the personal data that exists so that you can check the accuracy and legality of the data. If we receive a request for a register extract we may request additional information to ensure effective handling of your request and to ensure that the information is provided to the right person. Right to access and to move your personal data – Data portabilityYou can request a copy of the data we process about you in a machine-readable format in order to be able to move your personal data to another recipient. You can only request this right if we process your personal data for the purpose of fulfilling a contract or based on your consent. Right to rectificationYou have the right to request that we correct incorrect information that we process about you and that we supplement the information we already have in case it is incomplete. Right to restriction of processingYou have the right to request that our processing of your personal data be restricted. You can do this if you believe that the information we have about you is not correct, that our processing is contrary to law or that we do not need the information for a specific purpose. You also have the right to request that we do not process your personal data while we control this. Right to object to our processing of your personal dataYou have the right to object to our processing of your personal data if it is based on our legitimate interest. In addition, you always have the opportunity to object to direct marketing from our side.

What are cookies and how do we use them?

To provide an optimal experience, we use cookies and similar tracking technologies which are stored on your browser or device. On cosociety.co we use the following cookies:Session cookies (a temporary cookie that expires when you close your browser or device)Persistent cookies (cookies that remain on your computer until you delete them yourself or the time for them has expired)Third-party cookies (cookies set by a third-party website)More information about our handling of cookies can be found in our cookie policy.

How do we protect your personal data?

When processing your personal data, we have implemented special security measures to protect your personal data against unlawful or unauthorized processing by protecting the confidentiality, integrity and access to your personal data. Only those persons who actually need to process your personal data in order for us to fulfill our stated purposes have access to the data. If you want to know more about how we protect your personal data you are welcome to contact us at privacy@cosociety.co.

Complaints

If you have questions about how we process your personal data, you are always welcome to us at privacy@cosociety.co. If you wish to send a request or receive information regarding the processing of personal data, please indicate that your message relates to data protection.

Changes to the Privacy Policy

The Swedish Authority for Privacy Protection is responsible for monitoring and reviewing compliance with the rules in the area of data protection (GDPR). If you think that we are processing your personal data incorrectly, you can file a complaint with the Swedish Authority for Privacy Protection.

Changes to the Privacy Policy

We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the website. In the event of updates that are of significant importance for our processing of personal data, including changes in the purpose of our processing of personal data, information will be published on our website and by e-mail if we have this information in good time before the updates take effect. Privacy policy last updated 2023-08-23

What personal data do we collect about you and why?

1. Customer relationship management including ongoing support
Processing activity: Establishment of administrator account for customers
Creation of an account for users of the service
Support in case of problems with the service
Categories of personal data:First and last name
Contact information (email and telephone number)
Workplace title
User information for the service
Legal basis:
Agreement. This processing of personal data is carried out in order for us to fulfill our contractual obligations to our customers and provide employees with user accounts in the service so that they can access and use the service in accordance with the agreement.
Storage period:
Data about users is deleted in connection with the termination of the contractual relationship or the termination of employment by a person employed by the customer of the data controller.

2. Processing of personal data for supplier contact management
Processing activity:
Necessary handling for fulfillment of the company’s legal obligations under legal requirements, such as the Accounting Act, processing of personal data for payment of invoices.Categories of personal data:
First and last name
Email
Business connection
Title
Legal basis:
Legal obligation. This collection of personal data is required by law. If the data cannot be collected and processed, we cannot fulfill our legal obligation to pay invoices and prepare accounting in accordance with the law.Storage period:
The data is stored in accordance with the requirements of external regulations for 7 years plus the current year.

3. To be able to evaluate, develop, and improve our services and systems
Processing activity:
Troubleshooting IT solutions
Testing of the service
Development of the service
Categories of personal data:First and last name
Email
Age range
Occupation
Information from interviews
Behavioral data
Legal basis:
Legitimate interest. The processing is necessary in order to satisfy our and our customers' legitimate interest in evaluating, developing, and improving our services and systems. It is based on an assessment that our interest outweighs your right not to have your personal data processed for this purpose. Some processing related to the development of our platform takes place with the legal basis of consent.Storage period:
Test data obtained with legal consent is stored for 6 months from the time the data is collected. Personal data stored under legitimate interest is kept for 90 days.

4. For marketing and sales of our service
Processing activity:
Communication with and transmission of marketing materials
Communication of information about Co. Society and our service
Categories of personal data:
First and last name
Email
Age range
Occupation
Workplace
Information from interviews
Behavioral data
Legal basis:
Legitimate interest. We base our processing regarding marketing and sending newsletters on the balance of interests carried out by Co. Society. If you have given your consent for us to process your personal data for marketing purposes or for communicating our product in the form of sales, we process your data based on consent.
Storage period:
If you have given consent, we process your data until you withdraw it.
Without consent, we process your data until a possible agreement with us is terminated and for 15 months thereafter.
If you do not work for a company that is our customer, we process your data until you notify us that you are not interested in our service or at most for 24 months.

Co. Society AB, Stockholm, Sweden
Privacy PolicyContact Us
©2025 All Rights Reserved. Co.Society® is a registered trademark.