What is personal data?
In legal jargon, ‘personal data’ is any information relating to an identified or identifiable natural person, the ‘data subject’ and the laws regulating personal data in the European Union is the general data protection regulation, the GDPR. According to the GDPR, any information that can be used to identify a person or be linked to that person is personal data. Examples of personal data are name, identification number, contact information, online identifiers such as IP address, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
1. Who are we
We are Intergiro Intl AB (publ), a Swedish fintech company licensed and supervised by the Swedish Financial Supervisory Authority (Sw. Finansinspektionen) as an electronic money institution with the authority to issue electronic money and to provide payment services. Our company registration number is 556965-3537, our VAT number is SE556965353701 and our license number is 48003. Our registered address is Box 3093, 103 61 Stockholm, Sweden.
We have partnered with an innovative company (we refer to the “Partner”) who provides you with a first class app and/or website portal (as applicable) (we refer to the “Partner Platform”) to jointly provide you with the best services possible. Intergiro provides payment services and the Partner provides you with the Partner Platform through which you access and use the payment services.
You sign up with the Partner and using the Partner Platform you apply to become a customer of Intergiro to utilise the payment services, generally you are provided with a payment account and a payment card. You can read more about the payment services in the Payment Services General Terms and Conditions. You need to accept the Payment Services Terms and Conditions and if you are onboarded as a customer of Intergiro in accordance with such terms and conditions, you will be able to access and use the payment services using the Partner Platform.
2. When we collect your personal data
Intergiro will start processing your personal data when you sign up to use the payment services via the Partner Platform.
3. How we collect your personal data
- personal data received from you, such as when you sign up for the payment services in the Partner Platform,including contact information and identification information;
- personal data about you received from external sources, e.g. address registers;
- personal data that accumulates from your use of the payment services, such as transaction data; and
- personal data that is shared with us by the Partner, mainly customer support information which we need to be able to assist with customer support matters.
4. What personal data do we collect
We have divided the personal data we process into the following categories:
- Contact information - such as name and other information about yourself (e.g. address, telephone number, e-mail address, etc.);
- Information about how you interact with Intergiro - for example how you use the payments services;
- Device information - for example, IP address, language settings, browser settings, time zone, operating system, platform and screen resolution;
- Identification documentation - e.g. social security number, passport copy or copies of any other documents you have provided for identification purposes (including your picture/selfie), nationality, date of birth, proof of residence (such as a utility bill) etc. We may also collect and compare information from sanction lists and lists of so-called PEP (Politically Exposed Persons). These lists contain information such as name, date of birth, place of birth, occupation or position and the reason why they are on the list in question;
- Transaction data - such as account numbers/IBAN, payment orders, date of payment order, name of payor and payee, transaction history and similar information when you use the payment services via the Partner Platform;
- Verification data - when you confirm the execution of for example a payment transaction we apply so called strong customer authentication to verify your identity before we execute the payment, so we know that it was you that authorised the transaction. We will log how you verified your identity (e.g. Bank-ID or password combined with SMS verification code), timestamps and status of the transaction (requested, approved or rejected);
- Details of your payment card - including the card number, expiry date and CVC (which is the last three digits of the number on the back of your card);
- Complaints management - information you provide to us via email to firstname.lastname@example.org, if you would like to make a formal complaint regarding the payment services
- Customer support information - information that you provide to the Partner’s customer support so we can assist with resolving your enquiries.
In addition, we use third-party providers for identity verification and fraud prevention purposes. These biometric information service providers, acting as our data processors, may collect a copy of your passport and a scan of the picture on your ID for identification purposes (“biometric information”) and employ facial recognition technology to verify your identity. These biometric information services provide us with a confirmation as to whether your identity has been validated or not."
5. Why we process your personal data
According to the GDPR we need to have a purpose and a legal basis for the processing of your personal data. Read more about our purpose for processing your personal data below.
At Intergiro, the legal basis for processing your personal data is either:
- the agreement you have, or is about to enter into, with us by accepting the Payment Services Terms and Conditions in the Partner Platform or, the agreement you have, or is about to enter into, with the Partner by accepting the Partner’s terms and conditions;
- legal obligations we are bound by, such as anti-money laundering regulations; or
- our legitimate interest, such as providing customer support or keeping you informed about product updates.
In very rare cases we may also process your personal data if we have received your explicit consent to do so. In such case you can always withdraw your consent at any time.
We use the personal data we collect for the following purposes:
- automated decision-making, which enables us to both provide a more consistent and fair decision-making process where the risk of potential human errors are reduced and a faster review of your application.
- ○ The legal basis for such processing is the agreement you have entered into, or is about to enter into, with us
The legal basis for such processing is the agreement you have entered into, or is about to enter into, with us
- the administration and management of our relationship with you, such as reviewing your application to become Intergiro’s customer, setting up your payment account on our payment services platform and keep you informed about product updates
- ○ The legal basis for such processing is (i) the agreement you have entered into, or is about to enter into, with us or (ii) our legitimate interest. Our view is that keeping you up to date of the products and services available to you creates meaningful knowledge you
- provision of payment services, including execution of payment orders submitted by you through the Partner Platform, issuance of a payment card to you and processing of card payments you make using your payment card
- ○ The legal basis for the provision of payment services is the agreement you have entered into with us
- accounting and auditing requirements
- ○ The legal basis for such processing is mandatory law, such as the Swedish accounting act (Sw. bokföringslagen) and the Swedish annual reports act (Sw. årsredovisningslagen)
- business development, such as compiling statistics and analyze the data in order to improve our services
- ○ The legal basis for such processing is our legitimate interest in maintaining our relationship with you and to improve our services. Our view is that you as our customers benefit from improvements to the services
- compliance with legal requirements, such as obligations regarding anti-money laundering, sanctions checks, PEP checks, transaction monitoring and screening, and identity verification as well as other legal and regulatory requirements
- ○ The legal basis for such processing is mandatory law, such as the Swedish act to prevent money laundering and terrorist financing (Sw. lag om åtgärder mot penningtvätt och finansiering av terrorism) and the Swedish Payment Services Act (Sw. lag om betaltjänster)
- assess or defend legal claims against us or to protect ourselves from fraud and in connection with a reorganisation, transfer of business, merger, IPO or acquisition.
- ○ The legal basis for such processing is our legitimate interest to defend us against legal claims, to protect our company from fraud and to be able to reorganise or scale-up our business
The legal basis for such processing is our legitimate interest in providing our customers with customer support. Our view is that our provision of customer support creates a meaningful service to you, such as resolving any queries you may have in relation to the payment services
6. How we work with automated decision-making
We are using automated decision-making when you apply to become a customer of Intergiro through the Partner Platform. Automated decision-making enables us to provide both a more consistent and fair decision making process where the risk of potential human errors are reduced and a faster review of your application and onboarding process. The automated decision is based on both (i) data provided directly by you (such as answers to our questions) and (ii) derived or inferred data such as risk scoring.
We will automatically reject your application if you are below the age of 18 and otherwise we only use automated decision-making to approve your application. If required, your application will be referred for manual review by our onboarding team.
In addition, you can always request a manual decision-making process instead, express your opinion or contest decisions based solely on automated processing. If you want to exercise your rights, please contact our data privacy team at email@example.com.
7. With whom we share your personal data
As electronic money institutions are subject to statutory requirements for professional secrecy and confidentiality, we only share your personal data in certain specific cases.
In order to provide the payment services to you we share personal data with our trusted partners that process personal data on our behalf. We will therefore share personal data with the Partner, who acts as our processor, in order for you to access and use the payment services in the Partner Platform.
We also share data with our other trusted third party service providers, who act as our processors:
- Suppliers of payment processing services
- Payment card personalisation bureau (if you have applied for a physical payment card)
- Suppliers of identification services
- Suppliers of screening services to prevent anti-money laundering, fraud and similar crimes
- Suppliers of IT systems and cloud services
We have carefully reviewed our service providers and secured that their processing of your personal data is compliant with EU standards and the GDPR.
Your personal data will also, when applicable, be shared with the following parties which themselves are data controllers of the processing of personal data:
- the Partner, for the purposes of providing the first line customer support to you
○ The legal basis is the agreement you have entered into with the Partner
○ The legal basis is the agreement you have entered into with the Partner
- our correspondent banks, for example regarding execution of pay-outs to beneficiaries, holding client funds and to safeguard legal interests
○ The legal basis is the agreement you have entered into with us
- card schemes, such as VISA (if you have applied for a physical payment card)
○ The legal basis is the agreement you have entered into with us
- authorities, such as the Financial Police and the Financial Supervisory Authority, if such a disclosure is prescribed by law
○ The legal basis is our obligations under mandatory law
If Intergiro engages in a merger, acquisition, reorganisation or sale of some or all of Intergiro’s assets or shares, financing, initial public offering or similar transactions or proceedings, or steps in contemplation of such activities (such as due diligence), Intergiro may share personal data with third parties, subject to standard confidentiality arrangements
8. For how long?
We store your personal data for the purposes set out above during the term of our contractual relationship with you, for as long as we otherwise have a meaningful contact with you or as may otherwise be required by law.
When the purpose for which your personal data was collected is no longer relevant, we will stop processing your personal data and either delete or anonymise it in a secure manner. We may retain your personal data for a longer period of time to the extent required by law, by our automated disaster recovery backup systems or if we deem it necessary to assess or defend legal claims or to protect ourselves from fraud.
Under mandatory law, we are required to keep your personal data due to:
- Anti-money laundering and anti-terrorism legislation for a minimum of five and a maximum of ten years
- Payment service legislation, for a period of three years
- Bookkeeping legislation, for a period of seven years
If you terminate your agreement regarding payment services with us, we are required under mandatory law to keep your personal data for a minimum period of five years.
Please note that if you have submitted an application to use the payment services but for any reason do not become a customer with us (irrespective of if you withdraw or we reject your application), we are required under mandatory legislation to keep your personal data for a minimum period of five years.
9. Your rights
- Access - You have the right to request an extract of the personal data we process about you.
- Rectification - You have the right to request that we correct or complete any information you believe is inaccurate or incomplete.
- Erasure - Depending on the legal basis used for the processing of your personal data, you can ask us to delete your personal data, if (i) there is no good reason for us to continue using it, (ii) you gave us consent (permission) to use your personal data and you have now withdrawn that consent, (iii) you have objected to us using your personal data, (iv) we have used your personal data unlawfully, or (v) the law requires us to delete your personal data. However, in most cases we will be required to deny your request in full or in part due to our obligations under mandatory law.
- Restrict - You have the right to request that we restrict the processing of your personal data, e.g. when you consider that the information is inaccurate and has requested rectification.
- Objection - You have the right to object to our processing of your personal data with legitimate interests as a legal basis. If you object to the processing in such cases, we may only continue to process your data if it can be shown that there are decisive legitimate reasons why the data must be processed that outweigh your interests, rights and freedoms or if the processing takes place to determine, exercise or defend legal claims.
- Data Portability - With regard to personal data that you have provided to us, you may have the right to request a transfer to another provider. If you want to request such a transfer, please contact firstname.lastname@example.org.