Privacy Policy for Capable
Last updated: 19th of Nov 2025
This Privacy Policy explains how Capable Agents AB, reg. no. 559504-0444 (“Capable”, “we”, “us”, “our”) collects and uses personal data when you interact with us, including when you:
visit our websites or landing pages,
communicate with us, or
use our AI agent services as a business customer or as an authorised user of a customer (together, the “Services”).
Our Services are designed for business-to-business (B2B) use. This Privacy Policy is primarily aimed at business contacts and users in a professional context.
When we process personal data on behalf of a customer inside the Services, that processing is also governed by our Data Processing Agreement (DPA) with the customer. In case of conflict between this Privacy Policy and the DPA for those processing activities, the DPA prevails.
You can contact us at:
Capable Agents AB
Email: hello@capable.run
1. Roles under data protection law
Depending on the context, Capable may act as:
1.1 Data controller
We act as data controller when we decide how and why personal data is processed, for example:
when you visit our website or landing pages,
when we manage relationships with prospects, customers and partners,
when we manage customer admin accounts and authorised users,
when we manage our own suppliers and service providers, and
when we manage billing and payments (together with our payment service provider).
1.2 Data processor
We act as data processor when we process personal data on behalf of a customer within the Services, for example when:
a customer uploads or connects CRM or GTM data,
authorised users provide prompts, files or other content to agents, or
we run managed or manually implemented agents for a customer during a pilot or roadmap engagement.
In these cases, we process personal data only on the customer’s documented instructions, as set out in our DPA and the customer’s configuration of the Services.
2. Personal data we collect
The types of personal data we collect depend on how you interact with us.
2.1 Account and workspace data (B2B customers)
When a company becomes a customer, or when you are invited as an authorised user, we may process:
Identification and contact details
name, role, company, email address, billing contact details where relevant.
Account and workspace data
login identifier, organisation/workspace membership, roles and permissions, agent configurations you create, clone or use, settings and preferences.
Customer-provided content
prompts, context and other content you submit to agents, data files or snippets you provide so that agents can perform tasks (e.g. extracts from CRM systems, meeting notes, pipeline data), feedback and ratings of agents or outputs.
2.2 Usage and technical data
When you use our websites or Services, we may automatically collect:
Technical and log data
IP address, browser type, device type, operating system, date and time of access, basic interaction data (pages visited, buttons clicked), crash reports and error information.
Service usage data
which features and agents are used, frequency and volume of usage, performance metrics.
We typically collect this via server logs, monitoring tools (for example Better Stack) and privacy-friendly analytics (for example Plausible).
2.3 Communication and support data
When you contact us, we may process:
Communication data
the content of emails, contact form submissions, chat messages or meeting notes, your contact details and related metadata (time of contact, channel used).
Support data
screenshots, sample data or logs you choose to share for troubleshooting, information about incidents or bugs you report.
We ask you not to share more personal data than needed in support channels.
2.4 Website and marketing data
If you sign up for newsletters, download material or attend events, we may process:
name, company, role and email address,
your stated interests or preferences,
interaction with our emails (opens, clicks),
information about which content you engaged with.
You can opt out of marketing communications at any time (see section 9).
2.5 Payment and billing data
When your company purchases a paid plan, we (and our payment service provider) may process:
billing contact details (name, company, email, address, VAT number),
subscription details (plan, term, status),
payment-related information and transaction history.
We use Stripe to process payments. Stripe collects and processes payment card details directly on our behalf. We do not store full card numbers or CVV codes in our systems.
3. Special categories and high-risk data
Our Services are not intended for processing sensitive or high-risk personal data.
We do not intentionally collect and we ask you not to send us:
payment card data outside of Stripe’s secure payment forms (e.g. full card numbers or CVV codes by email or chat),
special categories of personal data under the GDPR, such as data revealing:
racial or ethnic origin,
political opinions,
religious or philosophical beliefs,
trade union membership,
genetic data,
biometric data used to uniquely identify a person,
health data, or
data concerning a person’s sex life or sexual orientation,
personal data relating to children under the age where parental consent is required, unless explicitly agreed in writing with the customer and appropriately covered by a DPIA and our DPA.
If you believe we are processing such data inappropriately, please contact us so we can assess the situation and, where appropriate, delete or restrict that data.
4. Purposes and legal bases for processing
We process personal data only where we have a valid legal basis under applicable data protection law. Below we describe the main purposes and legal bases.
4.1 Providing and operating the Services
Purpose:
To create and manage customer accounts and workspaces, provide access to and deliver the Services (including managed and manually implemented agents), and handle customer requests.
Examples of data:
Account and workspace data, customer-provided content, usage data, communication and support data.
Legal basis:
Performance of a contract with the customer (Art. 6(1)(b) GDPR), and
Our legitimate interest in delivering and improving B2B services to our customers (Art. 6(1)(f) GDPR).
4.2 Improving and developing the Services
Purpose:
To monitor performance, understand how features are used, improve agent quality, and develop new features.
Examples of data:
Usage data, technical logs, aggregated statistics, anonymised or pseudonymised data about interactions with agents.
Legal basis:
Our legitimate interest in improving, securing and developing our Services (Art. 6(1)(f) GDPR). Where feasible, we use aggregated or pseudonymised data for this purpose.
4.3 Communicating with you
Purpose:
To respond to enquiries, provide support, send important information about the Services (e.g. changes to this Policy or our Terms of Service), and manage the relationship with your company.
Examples of data:
Contact details, communication content, support data.
Legal basis:
Performance of a contract with the customer (Art. 6(1)(b) GDPR), and
Our legitimate interest in operating our business and maintaining relationships with customers and prospects (Art. 6(1)(f) GDPR).
4.4 Marketing and events
Purpose:
To send you information about our Services, features, events or content that may be relevant to your role, and to follow up on leads.
Examples of data:
Contact details, preferences, interaction with our emails and website.
Legal basis:
Our legitimate interest in promoting and growing our business (Art. 6(1)(f) GDPR), or your consent where required by law (e.g. for certain electronic marketing).
You can withdraw your consent or opt out of marketing at any time.
4.5 Billing and payments
Purpose:
To manage subscriptions, process payments, issue invoices and handle related accounting and tax obligations.
Examples of data:
Billing contact data, subscription details, transaction history, limited payment-related data (Stripe handles full card details).
Legal basis:
Performance of a contract with the customer (Art. 6(1)(b) GDPR), and
Compliance with legal obligations (for example accounting and tax laws) (Art. 6(1)(c) GDPR).
4.6 Security, compliance and legal obligations
Purpose:
To protect the security and integrity of the Services, prevent abuse, detect and investigate incidents, and comply with legal obligations (such as responding to lawful requests from public authorities).
Examples of data:
Logs, security alerts, account and usage data, incident-related information.
Legal basis:
Our legitimate interest in securing our Services and business (Art. 6(1)(f) GDPR), and
Compliance with legal obligations (Art. 6(1)(c) GDPR).
5. AI providers and automated processing
When you or your company use our AI agents, some personal data may be processed by third-party AI providers to generate outputs (for example text summaries, suggestions or insights).
We:
select providers that offer appropriate contractual and technical safeguards,
configure providers, where possible, not to use Customer Data to train their public models,
apply access controls and retention limits to prompts, outputs and related logs, and
minimise the personal data included in prompts and contexts where feasible.
AI agents may involve forms of automated processing such as analysing text or patterns in data. We design the Services so that AI agents support and augment human work, rather than replace human judgement. Customers remain responsible for applying appropriate human oversight, especially where outputs are used to support decisions about people, deals or other business outcomes.
Outputs are generated automatically and may be inaccurate, incomplete or outdated. They should be reviewed before being used in a business context.
Our approach to AI governance and the EU AI Act is described in more detail in our internal AI Governance & EU AI Act Note.
6. Processors and sub-processors
We use trusted third-party service providers (“processors” and “sub-processors” when we act as processor) to help us provide the Services, run our business and support customers.
We distinguish between:
processors we use when we act as controller (for example our own website, marketing, CRM and internal tools), and
sub-processors we use when we act as processor on behalf of customers inside the Capable service.
We only engage providers under written agreements that include appropriate data protection terms (for example a DPA including Standard Contractual Clauses where required). We assess their security and privacy posture before onboarding and periodically thereafter.
6.1 Processors when we act as controller
When we act as controller (for example for our website, marketing and own CRM), we may use providers such as:
Google Workspace – email, calendar, document storage and collaboration.
Slack – internal team communication.
Notion – internal documentation, processes, light CRM/project tracking and compliance documentation.
Stripe – subscription management and payment processing for customers.
Plausible – privacy-friendly analytics for website and product usage with minimal personal data.
Better Stack – monitoring and logging which may include metadata relating to Capable staff or customer contacts.
Make.com – automation for internal workflows (for example syncing data between our tools).
These providers process personal data about our own users, customers, prospects, vendors and team members on our behalf.
6.2 Sub-processors when we act as processor
When we act as processor for customers, we may engage sub-processors to support the Capable service, including:
Infrastructure and hosting – for example Heroku (EU region) and its underlying cloud infrastructure to host the Capable application and databases.
Identity and authentication – for example Auth0 / Okta Customer Identity Cloud, which stores user identity and auth metadata.
AI platform provider – for example OpenAI, which provides large language model services used by Capable agents. We configure these services to minimise personal data in prompts and, where available, to avoid using Customer Data to train public models.
Monitoring and logging – Better Stack, which collects logs and metrics from our production environment to help us keep the service reliable and secure.
Automation and integrations – Make.com, where certain customer-related workflows or integrations are implemented (for example synchronising data with CRM systems).
Payments and invoicing – Stripe, where customers purchase paid plans or add payment methods.
We limit sub-processor access to what is strictly necessary for them to deliver their services, and we do not allow them to use Customer Personal Data for their own independent purposes.
A current list of our main processors and sub-processors, including their roles and primary processing locations, is maintained in our internal Vendor & Sub-processor Register and described in our Vendor & Sub-processor Security Procedure. We can provide an up-to-date overview to customers on request at hello@capable.run, and may publish a public version at a dedicated URL.
7. International transfers
We are based in Sweden and aim to store and process personal data within the EU/EEA where reasonably possible. For example, our primary hosting environment is configured to use EU regions.
Some of our processors and sub-processors are located, or may process data, outside the EU/EEA (for example providers based in the United States). Where personal data is transferred outside the EU/EEA and the destination country does not benefit from an adequacy decision under Article 45 GDPR, we ensure that an appropriate transfer mechanism is in place, such as:
an adequacy decision by the European Commission,
Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
additional contractual, organisational and technical measures (for example encryption, access controls, logging).
We only use providers that commit contractually to GDPR-level protection and that implement appropriate technical and organisational measures to safeguard personal data.
You can contact us if you would like more information about international transfers and the safeguards used in connection with the Services.
8. Data retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law.
Retention periods vary depending on the data and context, for example:
Account and workspace data: for the duration of the customer relationship and for a limited period thereafter (for example to allow reactivation or to handle potential disputes).
Billing and transaction data: for the period required by accounting and tax laws.
Logs and technical data: for shorter periods, typically weeks or months, unless longer retention is needed for security or legal reasons.
Marketing data: until you unsubscribe or we determine that the data is no longer relevant.
We maintain more detailed retention rules internally in our Data Retention & Deletion Policy. When personal data is no longer needed, we will delete or anonymise it in accordance with that policy and our contractual commitments.
9. Your rights
Depending on our role (controller or processor) and applicable law, you may have the right to:
Access your personal data and obtain a copy;
Rectify inaccurate or incomplete data;
Erase your personal data in certain circumstances;
Restrict processing in certain circumstances;
Object to certain processing, for example direct marketing;
Data portability, where technically feasible and applicable.
When we act as a processor on behalf of a customer, we may be legally required to refer your request to the relevant customer (the controller). In such cases, we support the customer in responding to your request in accordance with our DPA and our Data Subject Rights Procedure.
To exercise your rights, please contact us at hello@capable.run. We may need to verify your identity before responding. We aim to respond within the time limits set by applicable law.
You also have the right to lodge a complaint with a competent supervisory authority if you believe that our processing of personal data infringes applicable data protection law.
10. Marketing communications
If you receive marketing communications from us (such as product updates, newsletters or event invitations), you can opt out at any time by:
clicking the unsubscribe link in the email, or
contacting us at hello@capable.run.
Even if you opt out of marketing, we may still send you service-related or administrative messages where necessary (for example updates to this Privacy Policy or changes to your subscription).
11. Cookies and similar technologies
Our websites and Services may use cookies and similar technologies to:
enable core functionality,
remember your preferences,
analyse how the Services are used.
We use privacy-friendly analytics tools such as Plausible, which by default do not rely on invasive tracking or third-party cookies.
Where required by law, we will ask for your consent before setting non-essential cookies or similar technologies. You can adjust your cookie settings in your browser and, where available, through our cookie banner or settings.
12. Security
We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Our security controls are described in more detail in our Information Security Policy, Access Control & Identity Management Policy, Business Continuity & Disaster Recovery (incl. Backups), Incident Response Plan, and related documents under Security and compliance.
While no system is completely secure, we work continuously to maintain and improve the security of our Services and review our controls regularly.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our Services, legal requirements or internal practices. The updated version will be published with a new “Last updated” date.
If we make material changes, we will seek to inform you via the Services, by email, or by other reasonable means. Your continued use of the Services after the updated Policy takes effect will constitute acceptance of the changes.
14. Contact
If you have any questions about this Privacy Policy or how we process personal data, you can contact us at: hello@capable.run