Privacy Policy
Last updated: July 2025
This privacy policy describes how Sista steget collects, uses, and protects your personal data when you sign in with Google. We respect your privacy and process your data in accordance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
Sista steget (sole trader), Sweden. If you have questions about how we handle your data, please contact us via the contact form on the website.
2. What Data We Collect
When you sign in with Google, you grant us access to the following information from your Google account:
- Email address
- Name (first and last name)
- Profile picture
- Unique Google account ID
We never store your Google password — sign-in is handled entirely through Google's own security systems.
3. Why We Process Your Data
We process your personal data based on your consent (you actively choose to sign in with Google). Your data is used to:
- Create and manage your account on Sista steget
- Save your progress on practice questions
- Provide a personalised experience of the service
4. How Long We Retain Your Data
Your data is retained for as long as your account is active. If you have not logged in for 12 months, the account may be deleted. You can request deletion of your account and all associated data at any time.
5. Third-Party Services
Google (Login)
Google acts as the sign-in provider via OAuth 2.0. Google's handling of your data is governed by Google's own privacy policy (policies.google.com).
Google Analytics
Google Analytics is used to understand how visitors use the website (page views, traffic sources, device information). Data is anonymised and aggregated. You can opt out via the Google Analytics opt-out browser add-on (tools.google.com/dlpage/gaoptout).
Google AdSense
Google AdSense is used to display advertisements on the website. AdSense sets cookies to show relevant ads based on your previous visits to this and other websites. You can manage your ad preferences via Google's Ad Settings page (adssettings.google.com).
Supabase
Supabase is used to store account data and authentication tokens. Data is stored on servers within the EU (Frankfurt). Supabase is SOC 2 Type II certified and GDPR compliant.
6. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access – you can request a copy of the data we hold about you
- Right to rectification – you can request that incorrect data be corrected
- Right to erasure – you can request that your account and all your data be deleted
- Right to data portability – you can request your data in a machine-readable format
- Right to withdraw consent – you can withdraw your consent at any time
To exercise your rights, contact us via the contact form on the website.
7. Cookies and Sessions
We use a session cookie to keep you signed in during your visit. This cookie contains no tracking information and is used solely for authentication. The cookie is deleted when you sign out or when the session expires.
We use Google Analytics cookies to understand how the website is used. These cookies collect anonymised statistics about page views and visitor behaviour. They are only active if you have accepted analytics cookies in our cookie banner.
Google AdSense places advertising cookies to show personalised ads. These cookies track your interests based on your browsing behaviour. They are only active if you have accepted advertising cookies in our cookie banner.
How to manage cookies
You can change your cookie preferences at any time via our cookie banner. You can also manage or delete cookies directly in your browser settings. To opt out of Google's personalised ads, visit adssettings.google.com. To opt out of Google Analytics, install the browser add-on at tools.google.com/dlpage/gaoptout.
8. Changes to This Policy
We reserve the right to update this privacy policy. For significant changes, the date at the top of this page will be updated. Continued use of the service after a change means you accept the updated policy.
9. Contact
Do you have questions about how we handle your personal data? Contact us via the contact form on the website. You also have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
Sista steget is operated as a sole trader and is an independent educational service with no connection to Swedish authorities.