Privacy Policy
Last updated: 21 April 2026
This policy explains how MSET (operating as Kifarkis Nätsäkerhet) collects, uses, and protects personal data. It applies to our website mset.se, our client engagements, and any other interaction where we process personal information.
We take data protection seriously — as a consultancy whose work centres on IT security and regulated-industry compliance, we hold ourselves to the same standards we advise our clients on. This policy is written to be readable; if anything is unclear, contact us and we will explain.
1. Who we are
Data controller:
Kifarkis Nätsäkerhet
Skåne, Sweden
Email: info@mset.se
We trade under the name MSET. Kifarkis Nätsäkerhet is the legal entity responsible for the processing of your personal data under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act.
2. What personal data we collect
2.1 Contact form submissions
When you submit the contact form on our website, we collect:
- Your first name and last name
- Your email address
- Your company name (optional)
- The service area you are interested in
- The content of your message
We do not collect any other data through the contact form. We do not require you to create an account, and we do not ask for information beyond what is needed to reply to your enquiry.
2.2 Client engagements
During consulting engagements, we may process personal data belonging to you, your employees, or your clients — depending on the nature of the work. For most engagements, this processing is governed by a separate Data Processing Agreement (DPA) that we sign with you, in which we act as a data processor on your behalf. We only process such data for the purposes defined in that agreement.
2.3 Website analytics
We use Google Search Console to understand how our site performs in search. Search Console does not place cookies on your browser and does not track individual visitors. It reports aggregated search performance to us only.
We do not use Google Analytics, Facebook Pixel, or any other behavioural tracking on this website. No cookies are set for analytics or advertising.
2.4 Technical data
Our web host automatically records standard server logs for security and operational purposes (IP address, browser type, pages visited, timestamp). These logs are retained for a maximum of 30 days and are not used to profile visitors.
3. Legal basis for processing
Under Article 6 of the GDPR, our processing relies on one of the following legal bases:
- Your consent (Art. 6(1)(a)) — when you voluntarily submit the contact form.
- Performance of a contract (Art. 6(1)(b)) — when processing is necessary to deliver a consulting engagement you have commissioned.
- Legitimate interest (Art. 6(1)(f)) — for server security logs, fraud prevention, and protection of our systems.
- Legal obligation (Art. 6(1)(c)) — where required by Swedish or EU law (for example, accounting and tax records).
4. How we use your data
We use personal data only for the purposes for which it was collected. Specifically:
- To respond to enquiries submitted through our contact form
- To deliver consulting services we have agreed to provide
- To invoice clients and meet accounting obligations
- To comply with regulatory and legal requirements applicable to us
We do not sell personal data. We do not use personal data for marketing purposes unrelated to your original enquiry. We do not enrich your data from third-party sources.
5. Third-party processors
We share personal data only with the following processors, and only to the extent strictly necessary:
Formspree (contact form handling)
Contact form submissions are processed by Formspree Inc. (USA). Formspree stores submissions and forwards them to our email address. Formspree is contractually bound as a data processor under the EU Standard Contractual Clauses. Retention on the Formspree platform is governed by their own policy; we routinely delete submissions from Formspree after we have actioned them.
Email provider
Replies to enquiries are sent from our Swedish email provider. Copies of correspondence are stored in our mailbox for as long as the business relationship is active, plus any retention period required by applicable accounting law.
Google Search Console
Google LLC (USA) provides aggregated search-performance data to us via Search Console. No identifiable personal data about individual site visitors is transferred to us through this service.
6. International transfers
Where personal data is transferred outside the European Economic Area (for example, to US-based providers such as Formspree or Google), we rely on the EU Standard Contractual Clauses, adequacy decisions where available, and additional safeguards as required by Chapter V of the GDPR.
7. How long we keep data
- Contact form submissions: up to 12 months after last contact, unless a client relationship has started.
- Client engagement data: for the duration of the engagement plus 7 years (to comply with Swedish accounting legislation), or as specified in the Data Processing Agreement.
- Server logs: 30 days.
- Newsletter or marketing lists: not applicable — we do not operate any.
8. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
- Right to restrict processing — ask us to limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — withdraw any consent you have previously given.
- Right to lodge a complaint — complain to the Swedish data protection authority (Integritetsskyddsmyndigheten) if you believe your rights have been violated.
To exercise any of these rights, email us at info@mset.se. We will respond within 30 days. There is no charge for a first request.
9. Data security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. These include encryption in transit (HTTPS), access controls on systems holding personal data, and staff awareness training. Our approach aligns with ISO/IEC 27001 principles.
If a data breach affects your personal data and presents a risk to your rights, we will notify the Swedish data protection authority within 72 hours, and notify affected individuals without undue delay where the risk is high.
10. Cookies
This website does not set tracking cookies. No cookies are used for analytics, advertising, or behavioural profiling. Your browser may retain a small preference value if you use our language switcher or dismiss the privacy notice banner — these are strictly functional and do not identify you.
11. Children's data
Our services and website are intended for business use. We do not knowingly collect personal data from children under 16. If you believe a child has submitted data through our website, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent substantive change. For material changes affecting how we process your data, we will notify active clients by email.
Questions about your data?
We are happy to explain anything in this policy or help you exercise your rights. Email us at info@mset.se with "Privacy enquiry" in the subject line and we will respond within one business day.