1. General

1.1 Thank you for downloading and installing the Intergiro Mobile App (the “App”). Intergiro highly values privacy and is committed to upholding your data protection rights. This Mobile App Privacy Policy (the “Privacy Policy”) sets out how Intergiro, the data controller, processes your personal data via the App and the applicable App Services (as defined below).

1.2 Intergiro’s contact details are the following: Intergiro Intl AB (publ), with registration number 556965-3537 and registered address at Regeringsgatan 59, 9tr 111 56 Stockholm, Sweden. You can contact us via the online messaging system available at https://intergiro.com/.

1.3 In order to be able to download and use the App, a company being a banking customer to Intergiro, having subscribed with the account package allowing for the use of the App, has registered you as a user with us (the “Intergiro Customer”). This might be because you are an employee, director etc. of the Intergiro Customer.

1.4 The Intergiro App allows you, to the extent permitted by your user permissions set by the Intergiro Customer and in line with the Intergiro Customer’s account package, to amongst other services to place payment orders with Intergiro, view transaction history and to use and manage virtual or physical Cards (as defined below) (the “App Services”).

1.5 Intergiro’s processing of personal data not directly relating to personal data collected or processed via the App or the App Services is set out at https://intergiro.com/privacy-policy.

2. Processing of personal data

2.1 In order to provide you with the App and the App Services, Intergiro, to the extent applicable, will process personal data relating to you as described in this Privacy Policy.

3. Categories of personal data collected via the App and the App services

3.1 We collect and process, to the extent necessary to provide the applicable App Services, the following categories of personal data relating to you:

  1. User account data: your user identifiers (e.g. user name), permissions (administrator, “account user” etc.) with Intergiro, contact details necessary for providing the services (e.g. phone number for two-factor authentication), information, values relating to your use of the App and the App Services (the “User Account Data”).
  2. Customer service data: this category of personal data includes information relating to your communication with Intergiro customer service team via the App, including the content of the messages you send via the App (the “Customer Service Data”). In the event you provide personal data which was not not requested by us or which is not necessary for the processing purposes set out in this Privacy or, if applicable, in the Intergiro privacy policy (https://intergiro.com/privacy-policy), we will delete such personal data.
  3. Transaction data: we process the limited amount of personal data relating to the transactions you via the App and the App Services make on behalf of the Intergiro Customer in accordance with the App User Agreement and the Intergiro Business Terms and Conditions, such as transaction dates and the fact that you have placed the payment order (the “Transaction Data”).
  4. Card data: we process the limited amount of personal data relating to the debit card you hold and use via the App Services and the App Services on behalf of the Intergiro Customer in accordance with the Intergiro Business Terms between Intergiro and the Intergiro Customer (the “Card”), such as the card number and card holder information (the “Card Data”).
  5. Offline biometric identification information: certain values and parameters regarding offline biometric identification. Please note that this category of personal data does not contain your actual biometric information as such identification is processed entirely offline, within your device only. Intergiro only receives the approval or rejection values in respect of any given of the biometric identification taking place on your device (the “Offline Biometric Identification Information”).
  6. Analytics and crash reports data: this category include data such as unique identifiers, App usage data, App error data. We use Google Analytics for Firebase and Firebase for these purposes (the “Analytics and Crash Reports Data”).

3.2 The provision of the above-mentioned categories personal data is a contractual requirement. Apart from the categories of personal data being processed based on your consent where the processing is optional (see section 4.1 e) f)), if you are not willing to provide the personal data we will not be able to provide the App and the App Services.

4.1 We collect and process, to the extent necessary to provide the applicable App Services, the personal data (as set out in section 3.1 above) for the following purposes and based on the following legal grounds:

  1. User Account Data: we process this category personal data in order to be able to provide the App and the App Services to you in accordance with the App User Agreement. The applicable legal ground for this processing is performance of the contract (namely the App User Agreement) between you and Intergiro. Certain User Account Data may be stored due to our legal obligations, see section 6 on retention periods.
  2. Customer Service Data: we process this category of personal data in order to ensure that your queries relating to the App or the App Services are resolved. The applicable legal ground for this processing is legitimate interest. The legitimate interest pursued by Intergiro is to be able to provide corporate banking services to the Intergiro customer by operating customer service. The legitimate interest pursued by the Intergiro Customer is to be able to use Intergiro’s corporate banking services. Certain Customer Service Data may be disclosed to competent authorities (see section 5.2) and stored both due to our legal obligations being the legal ground for such processing (see section 6 on retention periods).
  3. Transaction Data: we process this category of personal data in order to display historic transactions and to execute transactions regarding payment orders you place via the App and the App Services on behalf of the Intergiro Customer in accordance with the Intergiro Business Terms and Conditions. The applicable legal ground for this processing is legitimate interest. The legitimate interest pursued by Intergiro is to be able to provide corporate banking services to the Intergiro Customer, in particular to receive, process, manage and store (i) payment orders and (ii) card transactions for Intergiro Customer. The legitimate interest pursued by the Intergiro Customer is to be able to use Intergiro’s corporate banking services. Certain transaction data may be disclosed to competent authorities (see section 5.2) and stored both due to our legal obligations (see section 6 on retention periods).
  4. Card Data:we process this category of personal data in order to display information and provide services relating to the Card. The applicable legal ground for this processing is legitimate interest. The legitimate interest pursued by Intergiro is to be able to provide corporate banking services to Intergiro Customer, in particular to be able to process and store data relating to debit cards held by Intergiro Customers. The legitimate interest pursued by the Intergiro Customer is to be able to use Intergiro’s corporate banking services. Certain Card Data may be stored and disclosed (see section 5.2) due to our legal obligations, see section 6 on retention periods.
  5. Offline Biometric Identification Information: we process this category of personal data in order to allow you to use biometrics identification instead of two factor verification. The applicable legal ground for this processing is your consent during your use of the App to use of the “Use fingerprint” (or as may be otherwise worded) biometric identification functionality. You can withdraw such consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal, by turning the function off via visiting the “Security” submenu in the “More” menu of the App (or as may be otherwise worded).
  6. Analytics and Crash Reports Data: we process this category of personal data in order enable us to improve the App and the App Services. This data enables us to understand how our users use the App and the App Services and to understand any technical issues or faults. The applicable legal ground for this processing is your consent provided in the App separately for analytics and for crash reports (crashlytics) which you can withdraw any time, without affecting the lawfulness of the processing based on consent before its withdrawal, via visiting the “About” submenu in the “More” menu in the App. Please read more about Google’s data processing at www.google.com/policies/privacy/partners/.

5. Recipients of personal data

5.1 To protect our customer’s personal data, Intergiro only ever engages trusted third party service providers, whose services we secure via appropriate contractual terms. We may share personal data collected and processed in accordance with this Privacy Policy with the following recipients:

  1. Our chat service provider relating to Customer Service Data in the U.S., where the third country data transfer is safeguarded by the EU-U.S. Privacy Shield Framework, see the following links: https://www.intercom.com/legal/eu-us-privacy-shield-policy https://www.privacyshield.gov/participant?id=a2zt0000000TNQvAAO&status=Active.
  2. Our two-factor SMS verification service provider in the U.S., where the third country data transfer is safeguarded by the EU-U.S. Privacy Shield Framework, see the following link: https://www.privacyshield.gov/participant?id=a2zt0000000TNLbAAO&status=Active.
  3. Our cloud service provider limited to EU/EEA region.
  4. Google Firebase with regards to the Analytics and Crash Reports Data if you have provided consent for such Analytics and Crash Reports Data to be collected by Intergiro. The processing of such data is limited to the EU/EEA.
  5. Our engineering team in Belarus, where the third country data transfer is safeguarded by means of entering into the standard contractual clauses issued by the European Commission https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (you may request a redacted copy of this document by contacting us).
  6. Our payment processor and card scheme partners regarding Card Data limited to the EU/EEA region. You acknowledge that Mastercard may use the Card Data and Transaction Data for its own purposes as data controller.

5.2 We are required by law to investigate and report suspicious transactions to the competent authorities. The further processing of personal data relating to such investigation and disclosure would be based on and limited to our relevant legal obligations.

6. Retention period

6.1 Intergiro will process the personal data collected and processed in accordance with this Privacy Policy for no longer than the period necessary for the purposes of the processing as set out in Section 4.

6.2 Personal Data contained in the App on your device will be deleted based on the applicable logics of your operation system or if allowed by the App on an on-demand basis.

6.3 Certain User Account Data, Customer Service Data, Transaction Data and Card Data (as each defined in section 3.1) may be kept for as long as

6.3.1 required by applicable laws such as anti-money laundering and anti-terrorism financing legislation (minimum 5 years and maximum 10 years), payment services legislation (3 years), bookkeeping legislation (7 years); and

6.3.2 necessary for Intergiro’s provision of the services to the Intergiro Customer in accordance with the Intergiro Business Terms (minimum 5 years which may be extended in case of a dispute or other similar legal reasons).

6.4 Offline Biometric Information is stored on your device and is deleted (i) on first launch after the App is (re)installed, (ii) after you as a current user sign in again with email and password, (iii) after you add/remove biometry verification. As explained above, we do not access the actual biometric information, it is stored in your phone’s OS and we only receive information whether the biometry identity verification was successful or not. We save such information in our systems as long as necessary to secure and prove due to including fraud reasons that account actions and transactions verified with biometry were executed in order.

6.5 Analytics data are stored for a period necessary for the purposes specified in section 4.1 f) above. Crash Reports Data are anonymised after collection and stored in an anonymous manner.

7. Data Security

7.1 We aim to store as little data as possible on device. Whenever possible we store any data securely using encrypted persistent storages provided by the OS of your device. We have implemented best practice measures in terms of app security according to OWASP recommendations.

7.2 A prerequisite to Intergiro being permitted to process card payments was obtaining our PCI compliance certificate. Card Data is processed under the PCI standards assuring an especially high level of IT security for such data.

8. Your data protection rights.

8.1 You may contact us (see above section 1.2) to exercise any of your rights available pursuant to the General Data Protection Regulation as detailed below:

8.2 We will do everything we reasonably can in order to answer your data protection related queries. Should you not be satisfied with the way we manage your queries or for any other reasons, you are entitled to file a complaint with the Swedish Data Protection Authority (Datainspektionen - https://www.datainspektionen.se/).