Find My Factory horizontal logo black - supplier sourcing platformPlus icon for expanding content sections
Product+
Platform OverviewSpeyaSourceEnrichEngageSecurity
Solutions+
RetailIndustrialPharmaceuticalMedical DevicesAutomotiveManufacturingDirect SpendIndirect SpendConsulting
PricingCustomersAboutContact

Privacy Policy

Last updated: 2026-04-27

1. Introduction

FindMyFactory AB (reg. no. 559355-9585), Hästholmsvägen 32, SE-131 30 Nacka, Sweden ("Find My Factory", "we", "us") respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, store, and protect personal data when you interact with Find My Factory, including through our website, platform, and communications.

2. Personal Data We Collect

We collect and process a limited amount of personal data.

2.1 Data Collected

The personal data we may collect includes:

  • Email address
  • Company name
  • Phone number
  • Information about how you found or heard about us (e.g. referral, search engine, social media)
  • Account authentication data (such as passwords), which are processed and stored securely by our authentication provider (Auth0) and are never stored or accessible in plain text by Find My Factory

We do not intentionally collect:

  • Payment information
  • Sensitive personal data

2.2 Platform Usage & Behavioral Data

  • Usage analytics (pages visited, features used, session data) collected via Mixpanel (hosted in the EU)
  • Customer engagement and account activity data processed via Planhat.
  • Content you submit to the platform (e.g., search queries, supplier lists, vetting criteria)

2.3 Google User Data (Gmail Integration)

If you choose to connect your Google account to send supplier emails through Find My Factory, we access and process a limited set of Google user data via the Gmail API. This integration is optional and requires your explicit consent in-platform before any data is accessed.

Data accessed

We request the gmail.send scope only. This is a send-only scope that allows Find My Factory to send messages from your Gmail address on your behalf. We do not request, access, or have the ability to read your Gmail inbox, drafts, sent folder, labels, or any other mailbox content.

In addition to the OAuth scope itself, we collect:

  • Your Google account email address and display name (used as the sender on outgoing messages)
  • OAuth access and refresh tokens issued by Google (used to authorize sending)

Data we store from messages you send

For each message you send via Find My Factory using the Gmail integration, we store:

  • Recipient addresses (To and Cc)
  • Subject, body, and attachments
  • Message metadata (timestamps, message IDs, thread IDs)
  • Replies received in the relevant Gmail thread to messages you have sent through Find My Factory, and their metadata, whenever you include our reply-to address.

How we use this data

Google user data accessed through this integration is used solely to:

  • Send the supplier messages you initiate from within Find My Factory
  • Display sent messages and replies inside your Find My Factory account so you can track supplier engagement
  • Provide message-history context to features you use within the platform (e.g., follow-up suggestions, engagement analytics)

We do not use Google user data to train machine learning models, for advertising, or for any purpose unrelated to providing the email-sending feature you initiated.

Data sharing

Google user data obtained via the Gmail API is not sold, rented, or shared with third parties for their own purposes. It is shared only with our infrastructure subprocessors strictly to operate the service:

  • Google LLC — as the provider of the Gmail API used to send each message
  • Google Cloud Platform (EU region) — for storage of message bodies, metadata, and attachments
  • Other infrastructure subprocessors listed in Section 7, only to the extent necessary to deliver the service

We do not transfer Google user data to advertisers, data brokers, or analytics providers.

Storage and protection

Message content, metadata, and OAuth tokens linked to the Gmail integration are stored in Google Cloud Platform within the EU region. Tokens are encrypted at rest and in transit. Access within Find My Factory is restricted to the authenticated user's own account, and internally limited to authorized personnel under our ISO 27001:2022-certified information security program.

Retention and deletion

  • Messages sent via the Gmail integration, their replies, and associated metadata are retained for the lifetime of your Find My Factory account, so that you can review your supplier communication history.
  • Revoking consent stops outgoing mail immediately and removes our ability to send further messages from your account. You can revoke at any time from Settings → Email → Disconnect, or directly from your Google Account permissions.
  • You may request deletion of stored Gmail-integration data at any time by emailing dpo@findmyfactory.eu. Deletion will be completed without undue delay.

Limited Use disclosure

Find My Factory's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.4 Microsoft User Data (Microsoft 365 / Outlook Integration)

If you choose to connect your Microsoft 365 account to send supplier emails through Find My Factory, we access and process a limited set of Microsoft user data via the Microsoft Graph API. This integration is optional and requires your explicit consent in-platform before any data is accessed. Where required by your organization, your Microsoft 365 tenant administrator may also need to grant consent on behalf of your tenant.

Data accessed

We request the Mail.Send scope only. This is a send-only scope that allows Find My Factory to send messages from your Microsoft 365 mailbox on your behalf. We do not request, access, or have the ability to read your Outlook inbox, drafts, sent folder, calendar, contacts, files, or any other mailbox or tenant content.

In addition to the OAuth scope itself, we collect:

  • Your Microsoft 365 account email address and display name (used as the sender on outgoing messages)
  • OAuth access and refresh tokens issued by the Microsoft identity platform (used to authorize sending)
  • Your tenant ID, where required to route requests to the correct Microsoft 365 environment

Data we store from messages you send

For each message you send via Find My Factory using the Microsoft 365 integration, we store:

  • Recipient addresses (To and Cc)
  • Subject, body, and attachments
  • Message metadata (timestamps, message IDs, conversation/thread IDs)
  • Replies received in the relevant Outlook thread to messages you have sent through Find My Factory, and their metadata, whenever you include our reply-to address.

How we use this data

Microsoft user data accessed through this integration is used solely to:

  • Send the supplier messages you initiate from within Find My Factory
  • Display sent messages and replies inside your Find My Factory account so you can track supplier engagement
  • Provide message-history context to features you use within the platform (e.g., follow-up suggestions, engagement analytics)

We do not use Microsoft user data to train machine learning models, for advertising, or for any purpose unrelated to providing the email-sending feature you initiated.

Data sharing

Microsoft user data obtained via the Microsoft Graph API is not sold, rented, or shared with third parties for their own purposes. It is shared only with our infrastructure subprocessors strictly to operate the service:

  • Microsoft Corporation — as the provider of the Microsoft Graph API and Microsoft identity platform used to send each message
  • Google Cloud Platform (EU region) — for storage of message bodies, metadata, and attachments on Find My Factory's side
  • Other infrastructure subprocessors listed in Section 7, only to the extent necessary to deliver the service

We do not transfer Microsoft user data to advertisers, data brokers, or analytics providers.

Storage and protection

Message content, metadata, and OAuth tokens linked to the Microsoft 365 integration are stored in Google Cloud Platform within the EU region. Mailbox data accessed via Microsoft Graph remains in the data residency region of your Microsoft 365 tenant, as determined by Microsoft. Tokens are encrypted at rest and in transit. Access within Find My Factory is restricted to the authenticated user's own account, and internally limited to authorized personnel under our ISO 27001:2022-certified information security program.

Retention and deletion

  • Messages sent via the Microsoft 365 integration, their replies, and associated metadata are retained for the lifetime of your Find My Factory account, so that you can review your supplier communication history.
  • Revoking consent stops outgoing mail immediately and removes our ability to send further messages from your account. You can revoke at any time from Settings → Email → Disconnect, or by removing Find My Factory from your account at https://myaccount.microsoft.com/ (or, for tenant-wide consent, via your Microsoft 365 admin center under Enterprise Applications).
  • You may request deletion of stored Microsoft 365-integration data at any time by emailing dpo@findmyfactory.eu. Deletion will be completed without undue delay.

Compliance disclosure

Find My Factory's use of Microsoft Graph and the Microsoft identity platform adheres to the Microsoft APIs Terms of Use and applicable Microsoft identity platform terms, and is limited to providing the user-facing functionality described above.

3. How We Collect Personal Data

We collect email addresses when you:

  • Sign up for our platform or services
  • Request access to our tools or Trust Center
  • Contact us via email or forms
  • Subscribe to updates or communications

4. Purpose of Processing

We process personal data solely for the following purposes:

  • To provide access to our services and platform
  • To communicate with users regarding our services
  • To respond to inquiries and support requests
  • To understand how users find us and improve our marketing and outreach
  • To send service-related or security-related information
  • To improve and develop our platform, including by training machine learning models on aggregated, de-identified user content
  • To monitor product usage and customer health metrics

We do not sell or rent personal data.

5. Legal Basis for Processing (GDPR)

We process personal data based on one or more of the following legal grounds:

  • Consent – when you voluntarily provide your email address
  • Contract – when processing is necessary to provide access to our services
  • Legitimate interest – to communicate with users and operate our business securely, analyse usage/behaviours, and train AI/ML models on de-identified content produced on our platform for improving our product.

6. Data Retention

We retain email addresses only for as long as necessary to:

  • Fulfil the purposes described in this policy, or
  • Comply with legal or regulatory obligations

We retain

  • Account data: retained for the duration of the business relationship + any legal retention period
  • Platform usage data in third-party services: may be retained for up to 30 days in accordance with subprocessor agreements
  • De-identified training data: retained indefinitely as it no longer constitutes personal data under GDPR

You may request deletion of your email address at any time.

7. Data Sharing

We do not share personal data with third parties except:

  • When required by law or regulatory authorities
  • With trusted subprocessors, including analytics providers, customer engagement platforms, and AI infrastructure providers, under data processing agreements compliant with GDPR

8. International Data Transfers

We do not intentionally transfer personal data outside the EU/EEA. If such transfers occur, appropriate safeguards will be applied in accordance with GDPR.

9. Data Security

Find My Factory is ISO 27001:2022 certified

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.

User authentication is handled by Auth0, a trusted third-party identity and access management provider. Passwords are:

  • Encrypted and hashed using industry-standard security practices
  • Never stored or accessible in plain text by Find My Factory
  • Managed in accordance with applicable security and compliance standards

10. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Request correction or deletion
  • Object to or restrict processing
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

11. Contact Information

If you have questions about this Privacy Policy or how we process personal data, please contact us:

Email: info@findmyfactory.eu
Company: FindMyFactory AB

12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.

1. Introduction

FindMyFactory AB (reg. no. 559355-9585), Hästholmsvägen 32, SE-131 30 Nacka, Sweden (“Find My Factory”, “we”, “us”) respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, store, and protect personal data when you interact with Find My Factory, including through our website, platform, and communications.

2. Personal Data We Collect

We collect and process a limited amount of personal data.

2.1 Data Collected

The personal data we may collect includes:

  • Email address
  • Company name
  • Phone number
  • Information about how you found or heard about us (e.g. referral, search engine, social media)
  • Account authentication data (such as passwords), which are processed and stored securely by our authentication provider (Auth0) and are never stored or accessible in plain text by Find My Factory

We do not intentionally collect:

  • Payment information
  • Sensitive personal data

2.2 Platform Usage & Behavioral Data

  • Usage analytics (pages visited, features used, session data) collected via Mixpanel (hosted in the EU)
  • Customer engagement and account activity data processed via Planhat
  • Content you submit to the platform (e.g., search queries, supplier lists, vetting criteria)

3. How We Collect Personal Data

We collect email addresses when you:

  • Sign up for our platform or services
  • Request access to our tools or Trust Center
  • Contact us via email or forms
  • Subscribe to updates or communications

4. Purpose of Processing

We process personal data solely for the following purposes:

  • To provide access to our services and platform
  • To communicate with users regarding our services
  • To respond to inquiries and support requests
  • To understand how users find us and improve our marketing and outreach
  • To send service-related or security-related information
  • To improve and develop our platform, including by training machine learning models on aggregated, de-identified user content
  • To monitor product usage and customer health metrics

We do not sell or rent personal data.

5. Legal Basis for Processing (GDPR)

We process personal data based on one or more of the following legal grounds:

  • Consent — when you voluntarily provide your email address
  • Contract — when processing is necessary to provide access to our services
  • Legitimate interest — to communicate with users and operate our business securely, analyse usage/behaviours, and train AI/ML models on de-identified content produced on our platform for improving our product

6. Data Retention

We retain email addresses only for as long as necessary to:

  • Fulfil the purposes described in this policy, or
  • Comply with legal or regulatory obligations

We retain:

  • Account data: retained for the duration of the business relationship + any legal retention period
  • Platform usage data in third-party services: may be retained for up to 30 days in accordance with subprocessor agreements
  • De-identified training data: retained indefinitely as it no longer constitutes personal data under GDPR

You may request deletion of your email address at any time.

7. Data Sharing

We do not share personal data with third parties except:

  • When required by law or regulatory authorities
  • With trusted subprocessors, including analytics providers, customer engagement platforms, and AI infrastructure providers, under data processing agreements compliant with GDPR

8. International Data Transfers

We do not intentionally transfer personal data outside the EU/EEA. If such transfers occur, appropriate safeguards will be applied in accordance with GDPR.

9. Data Security

Find My Factory is ISO 27001:2022 certified.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.

User authentication is handled by Auth0, a trusted third-party identity and access management provider. Passwords are:

  • Encrypted and hashed using industry-standard security practices
  • Never stored or accessible in plain text by Find My Factory
  • Managed in accordance with applicable security and compliance standards

10. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Request correction or deletion
  • Object to or restrict processing
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

11. Contact Information

If you have questions about this Privacy Policy or how we process personal data, please contact us:

Email:info@findmyfactory.eu
Company: FindMyFactory AB

12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.