Privacy notice

The Build Nordics quality-pipeline demo is operated by the consortium — Aixia (Swedish AI integrator, controller of record), evroc (sovereign EU compute provider, processor for inference), and Opper AI (agentic orchestration provider, processor for agent state).

Three categories of data:

• Email address— used to send the magic-link sign-in token and to identify your session. Lawful basis: legitimate interest in restricting demo access to invited consortium partners. We never use it for marketing.
• Uploaded photos and inspection state— if you upload a photo or run an inspection, the image and the resulting analysis are stored on the demo's persistent volume in EU-NORTH-1 so you can resume the session later.
• Product-analytics signals— collected via Umami, a self-hosted analytics tool running on the same Aixia EU-NORTH-1 cluster as the demo. Two tiers:
  • Page views & clicks(default, no consent needed) — cookieless, in-browser fingerprint scoped to this origin only. Lawful basis: legitimate interest in measuring whether the consortium's pitch lands.
  • Session replay(opt-in only, via the banner on first visit) — masked at “moderate” level (form-input values redacted) and capped at 5 minutes per session. Replays are retained no longer than the demo program. Lawful basis: explicit consent. Decline at any time by clearing site data in your browser, which removes the consent flag.

Everything is processed on evroc's sovereign EU-NORTH-1 region. The session database and photo storage are inside Aixia's Kubernetes cluster on the same substrate. No data leaves the EU. Magic-link emails are sent via Aixia's Microsoft 365 tenant (also EU-resident).

Session state and uploads are retained for the duration of the demo program, then deleted. You can request earlier deletion of your account and all associated data at any time.

No third-party processors beyond the consortium and the infrastructure providers above. No advertising networks, no remarketing. The only non-page script loaded is Umami— analytics and session replay, self-hosted by Aixia at analytics.kube.aixia.se, running on the same EU-NORTH-1 cluster. Data never leaves the cluster. Verifiable in the Content-Security-Policy header (only origins listed in script-src and connect-src).

Under the GDPR you can request access, correction, deletion, restriction, portability, or object to processing. Contact: support@aixia.se. If you believe processing is unlawful, you may also lodge a complaint with the Swedish data-protection authority IMY.

Strictly necessary only: an Auth.js session cookie set after sign-in (HTTP-only, SameSite=Lax, Secure). The Umami recorder does not set tracking cookies — it uses anonymous in-browser fingerprints scoped to this origin only. Since no third-party tracking cookies are placed, no consent banner is required under EU e-Privacy guidance.