How we handle your data

HEIMLANDR AB, registered in Sweden, is the personuppgiftsansvarig (data controller) under GDPR Article 4(7). See /imprint for statutory contact details.

• Backers and newsletter subscribers: email address only. No name, no postal address, no phone, no demographics.
• Tip submitters: the tip content and any files you upload. We strip uploaded-file metadata (EXIF, document author). No IP address logged, no cookies set, no fingerprinting on tip submission routes.
• Payment records: payment amount, currency, payment-provider receipt ID, paid status. We never store card numbers, security codes, or billing addresses; those remain with the payment provider.
• Operational logs: minimal request logs without personal data. We do not log IP addresses for tip submission or audit-feed access.

• Contract performance (GDPR Art. 6(1)(b)): for backer subscriptions, newsletter delivery, and tip credit issuance. You pay; we deliver.
• Journalistic purposes (Dataskyddslagen 1 kap 7 §; GDPR Art. 85): the investigative content we publish is for journalistic purposes and is exempted from most GDPR data-processing rules, including for special-category data where the public-interest justification is documented per piece. The exemption applies regardless of utgivningsbevis status; MOBILIZR currently relies on it without the YGL umbrella, with the public-interest test assessed per publication and documented in the audit trail.
• Legal obligation (Art. 6(1)(c)): bookkeeping under Bokföringslagen.

• Subscriber email addresses: until you opt out, then deleted within 30 days. Audit records retain a one-way hash, not the email itself.
• Tip content: stored encrypted; retained until the investigation closes; then either incorporated anonymously into the cluster's research memory or destroyed.
• Payment records: 7 years (Bokföringslagen requirement).
• Audit log: append-only, indefinite. Contains pseudonymous identifiers and event types; no personal data.

You have the right to:

• Access the data we hold about you (Art. 15)
• Correct inaccurate data (Art. 16)
• Delete your data, subject to journalistic-purpose carve-outs for already-published content (Art. 17)
• Restrict processing (Art. 18)
• Portability — for the data we hold under contract performance (Art. 20)
• Object to processing (Art. 21)
• Complain to IMY (Integritetsskyddsmyndigheten), imy@imy.se

For most actions, the opt-out link in any email we send you is sufficient. For other requests, write to info@heimlandr.com from the email address on file.

MOBILIZR uses session cookies only where strictly necessary for authentication. All backer and newsletter flows are email-token-based — no cookies needed. No analytics cookies. No advertising cookies. No cross-site trackers. No third-party scripts that profile you.

Data may be processed in EU/EEA countries (where our servers are based) and the United States (where the payment provider operates). All transfers rely on adequacy decisions or Standard Contractual Clauses under GDPR Art. 46.

MOBILIZR is not directed at children under 16. We do not knowingly accept subscriptions, tips, or proposals from anyone under 16.

Material changes are noted in the public audit feed and emailed to active subscribers. We do not pull tricks here.