Cookie Policy

This Cookie Policy (the "Policy") explains how OmhuAI AB, a company registered in Sweden ("BondGovernance", "we", "us"), uses cookies and functionally equivalent technologies on the BondGovernance website at bondgovernance.com and the related governance-infrastructure service (collectively, the "Service").

The Policy is issued in accordance with the Swedish Electronic Communications Act (lag (2022:482) om elektronisk kommunikation), which implements Directive 2002/58/EC (the "ePrivacy Directive"), and should be read together with the BondGovernance Privacy Notice and Terms of Use.

A cookie is a small text file placed on a user's device by a website or service in order to store information that can be read on subsequent requests. References in this Policy to "cookies" include other client-side storage mechanisms of equivalent function, such as local storage, session storage, pixel tags and similar identifiers.

BondGovernance is designed on a data-minimisation basis. The Service relies on the following categories of cookies and equivalent technologies:

• Strictly necessary — required to deliver the Service requested by the user, including session integrity, authentication state, load balancing, secure form submission and protection against abuse. These cookies are set on the basis of Article 6(1)(b) and 6(1)(f) GDPR and the exemption in the ePrivacy framework for strictly necessary storage; no consent is required.
• Security and audit — used to detect and mitigate unauthorised access, credential abuse and anomalous request patterns, and to maintain the defensible audit trail required by the institutional customer agreement.
• Preferences — used, where present, to remember non-sensitive interface preferences such as language or display density. These are set on the basis of legitimate interest in providing a consistent professional experience.
• Privacy-preserving analytics — used, where deployed, on an aggregated and pseudonymised basis to understand usage patterns at a population level. No cross-site tracking, advertising identifiers or behavioural profiling are used.

BondGovernance does not use advertising cookies, third-party behavioural tracking, social-media tracking pixels or fingerprinting-based identifiers.

A limited number of vetted infrastructure providers (including hosting, identity, content delivery and observability providers) may set cookies or read equivalent identifiers strictly to deliver the underlying service to BondGovernance. Such providers act as processors under written agreements compliant with Article 28 GDPR and are not permitted to use the data for their own purposes.

Session cookies are erased automatically when the browser session ends. Persistent cookies, where used, are retained only for the period necessary to fulfil the purpose for which they were set, and in any event for no longer than is proportionate having regard to the function concerned. Audit and security records derived from cookie-based events are retained in accordance with the BondGovernance Privacy Notice.

Strictly necessary cookies are placed in reliance on the exemption in section 9, chapter 6 of the Swedish Electronic Communications Act for storage that is strictly necessary to deliver a service expressly requested by the user. Where any cookie falls outside that exemption, it is set only on the basis of the user's prior, freely given, specific, informed and unambiguous consent within the meaning of Article 4(11) GDPR, which the user may withdraw at any time without affecting the lawfulness of prior processing.

Most modern browsers allow users to inspect, restrict or delete cookies through their settings, including the ability to block all cookies, block third-party cookies or be notified before a cookie is set. Disabling strictly necessary cookies will impair core functionality of the Service, including authentication and session integrity, and may render the Service unusable.

Where a consent mechanism is presented in the Service, the user may adjust their choices at any time through that mechanism.

Where cookie-related personal data is transferred outside the European Economic Area, such transfer is carried out on the basis of an adequacy decision under Article 45 GDPR or, in its absence, appropriate safeguards under Article 46 GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by transfer impact assessments and, where required, additional technical and organisational measures.

BondGovernance may update this Policy from time to time to reflect changes in the Service, in applicable law or in operational practice. The version published on this page is the version in force. Where changes are material, we will take reasonable steps to bring them to the attention of affected counterparties.

Enquiries in relation to this Policy should be addressed to OmhuAI AB, Stockholm, Sweden, via the channels listed on the Contact page, marked for the attention of the Data Protection contact.