Banking-as-a-Service Privacy Policy (Consumers)

What is personal data?

In legal jargon, ‘personal data’ is any information relating to an identified or identifiable natural person, the ‘data subject’ and the laws regulating personal data in the European Union is the general data protection regulation, the GDPR. According to the GDPR, any information that can be used to identify a person or be linked to that person is personal data. Examples of personal data are name, identification number, contact information, online identifiers such as IP address, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

1. Who are we

We are Intergiro Intl AB (publ), a Swedish fintech company licensed and supervised by the Swedish Financial Supervisory Authority (Sw. Finansinspektionen) as an electronic money institution with the authority to issue electronic money and to provide payment services.  Our company registration number is 556965-3537, our VAT number is SE556965353701 and our license number is 48003. Our registered address is Box 3093, 103 61 Stockholm, Sweden.

We have partnered with an innovative company (we refer to the “Partner”) who provides you with a first class app and/or website portal (as applicable) (we refer to the “Partner Platform”) to jointly provide you with the best services possible. Intergiro provides payment services and the Partner provides you with the Partner Platform through which you access and use the payment services. 

You sign up with the Partner and using the Partner Platform you apply to become a customer of Intergiro to utilise the payment services, generally you are provided with a payment account and a payment card. You can read more about the payment services in the Payment Services General Terms and Conditions. You need to accept the Payment Services Terms and Conditions and if you are onboarded as a customer of Intergiro in accordance with such terms and conditions, you will be able to access and use the payment services using the Partner Platform. 

When you use the payment services within the Partner Platform, Intergiro will process your personal data. Intergiro is the controller and responsible for the processing of your personal data when you use the payment services, as further described in this privacy policy. Please reach out to our privacy team on privacy@intergiro.com if you have any questions regarding our privacy work or the processing of your personal data. 

The Partner may also provide other services within the Partner Platform. The Partner is the controller of any personal data processed for such other services. Please refer to the Partner’s privacy policy to understand how the Partner may process your personal data for such other services. 

2. When we collect your personal data

Intergiro will start processing your personal data when you sign up to use the payment services via the Partner Platform.

3. How we collect your personal data

We collect personal data about you from different sources, including: 

(i) personal data received from you, such as when you sign up for the payment services in the Partner Platform, including contact information and identification information (collected through API requests and responses); 
(ii) personal data about you received from external sources, e.g. address registers;
(iii) personal data that accumulates from your use of the payment services, such as transaction data (API requests and responses); and
(iv) personal data that is shared with us by the Partner, mainly customer support information which we need to be able to assist with customer support matters.

4. What personal data do we collect

We have divided the personal data we process into the following categories:

  1. Contact information - such as name and other information about yourself (e.g. address, telephone number, e-mail address, etc.);
  2. Information about how you interact with Intergiro - for example how you use the payments services;
  3. Device information - for example, IP address, language settings, browser settings, time zone, operating system, platform and screen resolution;
  4. Identification documentation - e.g. social security number, passport copy or copies of any other documents you have provided for identification purposes (including your picture/selfie or video with sound recording), nationality, date of birth, proof of residence (such as a utility bill) etc. We may also collect and compare information from sanction lists and lists of so-called PEP (Politically Exposed Persons). These lists contain information such as name, date of birth, place of birth, occupation or position and the reason why they are on the list in question;
  5. Transaction data - such as account numbers/IBAN, payment orders, date of payment order, name of payor and payee, transaction history and similar information when you use the payment services via the Partner Platform;
  6. Verification data - when you confirm the execution of for example a payment transaction we apply so called strong customer authentication to verify your identity before we execute the payment, so we know that it was you that authorised the transaction. We will log how you verified your identity (e.g. Bank-ID or password combined with SMS verification code), timestamps and status of the transaction (requested, approved or rejected);
  7. Details of your payment card - including the card number, expiry date and CVC (which is the last three digits of the number on the back of your card);
  8. Complaints management - information you provide to us via email to complaints@intergiro.com, if you would like to make a formal complaint regarding the payment services; and
  9. Customer support information - information that you provide to the Partner’s customer support so we can assist with resolving your enquiries. 

Biometric information
In addition, we use third-party providers for identity verification and fraud prevention purposes. These biometric information service providers, acting as our data processors, may collect a copy of your passport, scan of the picture on your ID, selfie or video with sound recording for identification purposes (“biometric information”) and employ facial recognition technology to verify your identity. These biometric information services provide us with a confirmation as to whether your identity has been validated or not."

Proof of Address alternative

As an alternative to asking you to provide us with a utility bill, we use your IP address in order to confirm that the country and region where you are located corresponds with the residential address information you provided during the onboarding process.

5. Why we process your personal data

According to the GDPR we need to have a purpose and a legal basis for the processing of your personal data. Read more about our purpose for processing your personal data below.  

At Intergiro, the legal basis for processing your personal data is either:

  1. the agreement you have, or is about to enter into, with us by accepting the Payment Services Terms and Conditions in the Partner Platform or, the agreement you have, or is about to enter into, with the Partner by accepting the Partner’s terms and conditions;
  2. legal obligations we are bound by, such as anti-money laundering regulations; or
  3. our legitimate interest, such as providing customer support or keeping you informed about product updates.

In very rare cases we may also process your personal data if we have received your explicit consent to do so. In such case you can always withdraw your consent at any time. 

We use the personal data we collect for the following purposes: 

  • the administration and management of our relationship with you, such as reviewing your application to become Intergiro’s customer, setting up your payment account on our payment services platform and keep you informed about product updates, managing your queries and solving any issues you experience if any during the performance of payment services provided by Intergiro
    ○ The legal basis for such processing is (i) the agreement you have entered into, or is about to enter into, with us or (ii) our legitimate interest since our view is that keeping you up to date of the products and services available to you creates meaningful knowledge you
  • provision of payment services, including execution of payment orders submitted by you through the Partner Platform, issuance of a payment card to you and processing of card payments you make using your payment card
    ○ The legal basis for the provision of payment services is the agreement you have entered into with us
  • accounting and auditing requirements 
    ○ The legal basis for such processing is mandatory law, such as the Swedish accounting act (Sw. bokföringslagen) and the Swedish annual reports act (Sw. årsredovisningslagen)
  • business development, such as compiling statistics and analyze the data in order to improve our services 
    ○ The legal basis for such processing is our legitimate interest in maintaining our relationship with you and to improve our services. Our view is that you as our customers benefit from improvements to the services
  • compliance with legal requirements, such as obligations regarding anti-money laundering, sanctions checks, PEP checks, transaction monitoring and screening, and identity verification as well as other legal and regulatory requirements 
    ○ The legal basis for such processing is mandatory law, such as the Swedish act to prevent money laundering and terrorist financing (Sw. lag om åtgärder mot penningtvätt och finansiering av terrorism) and the Swedish Payment Services Act (Sw. lag om betaltjänster)
  • assess or defend legal claims against us or to protect ourselves from fraud and in connection with a reorganisation, transfer of business, merger, IPO or acquisition.
    ○ The legal basis for such processing is our legitimate interest to defend us against legal claims, to protect our company from fraud and to be able to reorganise or scale-up our business
  • verify that your actual residential address corresponds with the information provided by you during the onboarding process
    ○ The legal basis for such processing is our legitimate interest to protect our company from fraud and to comply with applicable laws

    In addition, the Partner provides first line customer support to you in respect of Partner's own services and acts as the data controller in those cases for the personal data processed in connection with the customer support. Please refer to the Partner’s privacy policy for more information.

6. How we work with automated decision-making

We are using automated decision-making when you apply to become a customer of Intergiro through the Partner Platform. Automated decision-making enables us to provide both a more consistent and fair decision making process where the risk of potential human errors are reduced and a faster review of your application and onboarding process. The automated decision is based on both (i) data provided directly by you (such as answers to our questions) and (ii) derived or inferred data such as risk scoring.

We will automatically reject your application if you are below the age of 18 and otherwise we only use automated decision-making to approve your application. If required, your application will be referred for manual review by our onboarding team. 

In addition, you can always request a manual decision-making process instead, express your opinion or contest decisions based solely on automated processing. If you want to exercise your rights, please contact our data privacy team at privacy@intergiro.com.

7. With whom we share your personal data

As electronic money institutions are subject to statutory requirements for professional secrecy and confidentiality, we only share your personal data in certain specific cases. 

In order to provide the payment services to you we share personal data with our trusted partners that process personal data on our behalf. We will therefore share personal data with the Partner, who acts as our processor, in order for you to access and use the payment services in the Partner Platform and for the purposes of providing the first line customer support to you. 

We also share data with our other trusted third party service providers, who act as our processors: 

  • Suppliers of payment processing services
  • Payment card personalisation bureau (if you have applied for a physical payment card) 
  • Suppliers of identification services
  • Suppliers of screening services to prevent anti-money laundering, fraud and similar crimes
  • Suppliers of IT systems and cloud services

We have carefully reviewed our service providers and secured that their processing of your personal data is compliant with EU standards and the GDPR. 

Your personal data will also, when applicable, be shared with the following parties which themselves are data controllers of the processing of personal data: 

  • the Partner, for any specific purpose as further described in the Partner’s terms & conditions and the Partner’s privacy policy 
    ○ The legal basis is the agreement you have entered into with the Partner
  • our correspondent banks, for example regarding execution of pay-outs to beneficiaries, holding client funds and to safeguard legal interests
    ○ The legal basis is the agreement you have entered into with us
  • card schemes, such as VISA (if you have applied for a physical payment card)
    ○ The legal basis is the agreement you have entered into with us
  • authorities, such as the Financial Police and the Financial Supervisory Authority, if such a disclosure is prescribed by law
    ○ The legal basis is our obligations under mandatory law

If Intergiro engages in a merger, acquisition, reorganisation or sale of some or all of Intergiro’s assets or shares, financing, initial public offering or similar transactions or proceedings, or steps in contemplation of such activities (such as due diligence), Intergiro may share personal data with third parties, subject to standard confidentiality arrangements.

8. For how long?

We store your personal data for the purposes set out above during the term of our contractual relationship with you, for as long as we otherwise have a meaningful contact with you or as may otherwise be required by law. API requests and responses will be stored for a period of one (1) year.

When the purpose for which your personal data was collected is no longer relevant, we will stop processing your personal data and either delete or anonymise it in a secure manner. We may retain your personal data for a longer period of time to the extent required by law, by our automated disaster recovery backup systems or if we deem it necessary to assess or defend legal claims or to protect ourselves from fraud.

Under mandatory law, we are required to keep your personal data due to:

  • Anti-money laundering and anti-terrorism legislation for a minimum of five and a maximum of ten years
  • Payment service legislation, for a period of three years
  • Bookkeeping legislation, for a period of seven years

If you terminate your agreement regarding payment services with us, we are required under mandatory law to keep your personal data for a minimum period of five years. 

Please note that if you have submitted an application to use the payment services but for any reason do not become a customer with us (irrespective of if you withdraw or we reject your application), we are required under mandatory legislation to keep your personal data for a minimum period of five years.

9. Your rights

  • Access - You have the right to request an extract of the personal data we process about you. 
  • Rectification - You have the right to request that we correct or complete any information you believe is inaccurate or incomplete. 
  • Erasure - Depending on the legal basis used for the processing of your personal data, you can ask us to delete your personal data, if (i) there is no good reason for us to continue using it, (ii) you gave us consent (permission) to use your personal data and you have now withdrawn that consent, (iii) you have objected to us using your personal data, (iv) we have used your personal data unlawfully, or (v) the law requires us to delete your personal data. However, in most cases we will be required to deny your request in full or in part due to our obligations under mandatory law.
  • Restrict - You have the right to request that we restrict the processing of your personal data, e.g. when you consider that the information is inaccurate and has requested rectification. 
  • Objection - You have the right to object to our processing of your personal data with legitimate interests as a legal basis. If you object to the processing in such cases, we may only continue to process your data if it can be shown that there are decisive legitimate reasons why the data must be processed that outweigh your interests, rights and freedoms or if the processing takes place to determine, exercise or defend legal claims.
  • Data Portability - With regard to personal data that you have provided to us, you may have the right to request a transfer to another provider. If you want to request such a transfer, please contact privacy@intergiro.com. 

10. Contacts and Complaints

Please do not hesitate to reach out to the Partner’s customer support team in case you have any questions regarding the processing of your personal data. 

You are also welcome to contact our data privacy team directly on privacy@intergiro.com if you have any concerns regarding data privacy or our processing of your personal data. 

Intergiro has appointed a Data Protection Officer (“DPO”), Helene Cedertorn, who is responsible for monitoring our compliance with applicable data protection legislation. If you want to reach out to our DPO specifically, please email dpo@intergiro.com.

Please be informed that you have the possibility to lodge a complaint with the Swedish Authority for Data Protection (Sw. Integritetsskyddsmyndigheten) if you are not satisfied with our processing of your personal data.

Information how to lodge a complaint is available on the website of the Swedish Authority for Data Protection:  

https://www.imy.se/en/privatperson/forms-and-e-services/file-a-gdpr-complaint/

Contact Information to the Swedish Authority for Data Protection:

Integritetsskyddsmyndigheten, 
Box 8114, 104 20 Stockholm, Sweden

Email: imy@imy.se 
Telephone no: +468 657 61 00

11. Changes to this privacy policy

We may need to change this privacy policy, for example when we add features to the services, because of changes in law or regulations or due to evolving industry standards. When this privacy policy is changed we will let you know by updating the date at the top of this privacy policy. You may also be informed through information in the Partner Platform or on our website www.intergiro.com. Please revert to this privacy policy on a regular basis to stay up-to-date about our data processing practices and your rights.