Dibbla AB (“Dibbla,” “we,” “us,” or “our”), registered in Sweden, operates the Dibbla platform — including the web application at app.dibbla.com, the Dibbla CLI, the Dibbla Desktop App, and related APIs (collectively, the “Service”). This Privacy Policy (“Policy”) explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have.
By using the Service you acknowledge and agree to this Policy. If you do not agree, please discontinue your use of the Service.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in the EU General Data Protection Regulation (GDPR).
- “Customer Data” means the workflows, configurations, and content you create or upload within the Service. Customer Data is processed solely to provide the Service.
- “Service Data” means operational data such as error logs, uptime metrics, and aggregate usage statistics. Service Data is used for security, reliability, and product improvement and is not Personal Data.
2. Data Controller
Dibbla AB is the data controller for Personal Data processed through the Service. You can reach us at privacy@dibbla.com.
3. Personal Data We Collect
Authentication data
When you sign in with Google or Microsoft, we receive and store:
| Data | Purpose |
|---|---|
| Email address | Account identification, login, and communication |
| Display name | Shown in the application UI |
| Provider user ID | Linking your identity to your Dibbla account |
| OAuth refresh token | Maintaining your session and accessing APIs you have authorised (encrypted at rest) |

Your profile picture URL is retrieved during sign-in for display purposes but is not stored in our database.
Automatically collected data
- Account activity — last login timestamp, organisation membership, and assigned roles.
- Session data — a secure, HTTP-only authentication cookie.
- Log data — operational telemetry such as error codes, request timestamps, and performance metrics, used for debugging and security monitoring. Personally identifiable information is not written to logs by default.
Contact forms
If you submit a contact or demo request form on our marketing website, we collect your name and email address. This data is forwarded by email only and is not stored in a database.
Sensitive data
We do not intentionally collect special-category or sensitive Personal Data, and we instruct users not to upload such information to the Service.
4. Google API Scopes and Limited Use
When you sign in with Google, we request only the permissions necessary to verify your identity and retrieve your basic profile information (email address and display name). If you connect Google Workspace integrations within a workflow, additional permissions may be requested at that time. You can revoke access at any time from your Google Account permissions page.
Google API Services User Data Policy: Dibbla's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the features you have explicitly authorised.
- We do not use Google user data for serving advertisements.
- We do not sell Google user data to third parties.
- We do not use Google user data for purposes unrelated to the Service.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes or to comply with applicable law, or the data is aggregated and anonymised for internal operations.
5. How We Use Your Data
We process Personal Data for the following purposes:
- Providing and operating the Service — authentication, account management, and workflow execution.
- Organisation management — associating you with the correct organisation and enforcing access control.
- Third-party integrations — accessing connected services on your behalf when you have authorised them.
- Security — detecting unauthorised access, validating sessions, and preventing fraud or abuse.
- Service improvement — understanding usage patterns to improve reliability and features.
- Communication — responding to support requests and sending essential service notifications.
- Legal compliance — meeting regulatory and record-keeping obligations.
We do not use your Personal Data or Customer Data to train general-purpose AI models. We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.
6. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service.
- Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, and service improvement, where not outweighed by your privacy rights.
- Consent (Art. 6(1)(a)) — for optional integrations and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligations (Art. 6(1)(c)) — where required by applicable law.
7. Data Storage and Security
All user data is stored on servers located in the European Union. We implement industry-standard security measures including:
- Encryption of sensitive data at rest and all data in transit (TLS).
- Secure, HTTP-only authentication cookies with CSRF protections.
- Short-lived access tokens cached in memory only — never persisted to disk.
- Role-based access control with organisation-level data isolation.
- Immediate session invalidation on logout.
In the event of a data breach that poses a risk to your rights, we will notify affected users and the relevant supervisory authority within 72 hours, as required by the GDPR.
8. Data Sharing
We do not sell, rent, or share your Personal Data for marketing or advertising purposes. Data is shared only in these limited circumstances:
- Infrastructure and service providers — we use third-party providers for hosting, network security, and email delivery. These providers act as data processors under appropriate contractual safeguards.
- Third-party APIs — when you authorise an integration (e.g. Google Workspace), your tokens are used to communicate with that provider's APIs on your behalf.
- Legal obligations — we may disclose data if required by applicable law, regulation, or court order.
We do not use third-party analytics or tracking within the application. Our marketing website uses cookies for B2B visitor identification — see our Cookie Policy for details.
9. International Data Transfers
Your Personal Data is stored within the EU. Where data is transferred to providers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or equivalent safeguards recognised under the GDPR. We do not transfer Google user data outside the frameworks permitted by the Google API Services User Data Policy.
10. Data Retention and Deletion
We retain Personal Data only as long as necessary to fulfil the purposes outlined in this Policy or as required by law.
- Account data — retained while your account is active. Upon deletion request, all personal data is removed within 30 days, including OAuth connections, API tokens, and organisation memberships.
- Session and token data — short-lived and automatically expiring. Access tokens are held in memory only and never persisted to disk.
- Contact forms — forwarded by email only and not stored in a database.
To request deletion, contact us at privacy@dibbla.com.
11. Your Rights
Under the GDPR you have the right to: access, rectify, erase, restrict, or port your Personal Data; object to processing based on legitimate interest; and withdraw consent for optional processing at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@dibbla.com. We will verify your identity and respond within 30 days. If you believe your request has not been satisfactorily resolved, you may lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
12. Cookies
The application uses a single, essential authentication cookie to keep you signed in. It is HTTP-only, Secure, and SameSite. We do not use tracking, advertising, or non-essential cookies within the application. For cookies on our marketing website, see our Cookie Policy.
13. Third-Party Services
The Service may link to or integrate with third-party services not controlled by Dibbla. Your interactions with those services are governed by their own privacy policies. We encourage you to review them before sharing Personal Data.
14. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact us and we will delete it promptly.
15. Changes to This Policy
We may update this Policy from time to time. For material changes that reduce your rights or expand our processing, we will provide advance notice via email or through the Service. The “Last updated” date at the top reflects the most recent revision.
16. Severability
If any provision of this Policy is found to be unlawful or unenforceable, it will be severed and the remaining provisions will remain in full force and effect.
17. Contact Us
Dibbla AB
Email: privacy@dibbla.com
Website: dibbla.com
© 2026 Dibbla AB. All rights reserved.