Privacy Policy for Okapi Sweden AB
Last updated 18 October 2019
Introduction and responsibility for personal data
Your right to have your personal privacy protected is important to Okapi. We value the trust you place in us to provide you with our services and we will do so while respecting and protecting your personal privacy. As a payment institution, Okapi is also bound by professional secrecy by law.
This Privacy Policy constitutes information for data subjects and has been drawn up in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).
The data controller for the personal data processing described in this Privacy Policy is Okapi Sweden AB, corp. ID no. 559157-3026, address Pilgatan 8 C, SE-721 30, Västerås, Sweden. As a data controller, we always process your personal data in accordance with our Privacy Policy. You are welcome to contact us at any time if you have any questions regarding your personal data. You can send an e-mail to info@okapiswap.com or call us on +46 (0) 733 31 10 14. You can also contact Okapi’s data protection officer on gdpr@okapiswap.com.
1. Scope
This Privacy Policy covers personal data processing executed by Okapi and concerning the following categories of natural persons:
- Existing or prospective customers of Okapi,
- Individuals who contact Okapi, and
- Visitors to Okapi’s website.
2. What personal data is processed by Okapi?
We describe the categories of personal data we process below. We will collect only the personal data that is strictly necessary to fulfil the purpose of processing.
Authentication data: data relating to authentication methods, issue date and term of validity. If an electronic signature is used, data about the issuing bank is also saved.
Agreement data: data relating to the services, your agreement with us, the contract date and contractual parties.
Cookie: a small text file that is sent from our web server and stored by your browser. We use as few cookies as possible on our website for our purposes. There are two types of cookie: “regular” cookies and session cookies. Session cookies disappear when you close your browser without being saved while regular cookies are stored on your computer. By understanding how the website is used, we can develop and improve it. As a user, you can turn off your browser’s ability to store cookies on your computer in your browser settings. Visit the Swedish Post and Telecom Authority website (www.pts.se) for further information.
Device information: data about which device and model have been used, e.g. IP address and UDID (Unique Device ID).
Identity data: data that identifies you as an individual, such as your full name, personal identity number and unique Okapi customer number.
ID document: a document that links photos with an identity so that an individual’s identity can be verified. The document states, for example, gender, citizenship, place of birth, name, personal identity number, date of birth and ID number.
Proof of address: We require that you submit a document as proof of your address. It can be a utility bill, bank statement or a government letter stating your name and address clearly. This document should not be older than 90 days.
Information in communications between us: information that we receive in connection with communication between us, personal data sent to us by e-mail, via your user account or by regular post, or information we receive over the phone or otherwise. Please note that we receive all information you send to us. This information may include details of your dealings, a course of events, dissatisfaction and complaints.
Use of the Internet: this category includes information about browser type and version, installed plugins, date and time of traffic/access, previously visited websites, IP address, UDID and cookies.
Contact details: information that makes it possible to contact you, e.g. address, phone number and e-mail address.
Card details: information about card brand, card number, expiry date and card holder. The security code (CVC/CVV) is collected when you carry out a transaction, but it is never saved.
Customer choices: personal choices that you have made, e.g. which services you have chosen, direct marketing, consent for cookies and selected language.
Location information: information about the geographic location of your device.
Transaction history: log of submitted payment orders and executed payment orders (transactions), times, dates and device information.
3. How is my personal data collected?
From you and the information you submit to us. Most of the personal data we process is submitted by you, for example when you create a user account with us, execute a payment transaction or contact us.
From public and private information registers. We collect data about you from public and private registers such as SPAR (Statens personadressregister), private sources that act as sellers, the Swedish Tax Agency and sanctions lists that may be public or provided by a private source.
From partners and companies in our group. Okapi is part of a group of companies. Some functions are performed centrally and sometimes we therefore collect personal data that you have submitted to another Okapi company.
Through your use of our services and website. When you use our services, additional information is created that can be linked to you, such as a history of transactions executed, logs of logins and use of the user account along with choices you make within the framework of our services.
We also collect data from devices, such as your mobile phone, tablet, and computer, about how you interact with our services, website and application by picking up information that can recognize and associate your activity. This information includes device-specific identifiers and information such as IP address, cookie information, mobile device and advertising identifiers, browser version, type and version of operating system, mobile network information, device settings and software data. We use the tool Google Analytics.
4. How and why do we process your personal data?
Personal data processing within the framework of a customer relationship
We need to process personal data about our customers so that we can offer our services. Below we describe our personal data processing based on our main purposes.
Providing and managing our services, fulfilling the agreement with you
Purpose and legal basis:
• To provide and facilitate the use of our payment services digitally.
• To manage applications to use the services.
• To confirm the identity of the user.
• To manage the customer relationship, any customer queries including complaints/complaint cases, troubleshooting and support, and to keep you informed of important updates and activities.
• To ensure that the services function properly and to detect and correct incorrect information and processes.
• To be able to take measures if the account or services are misused.
If you use our services via our mobile application, we will use push notifications to communicate with you, provided that you have enabled this on your device.
We process your personal data based on our agreement. We are required to process your personal data in order to fulfil our agreement with you and execute the services. Furthermore, we process your personal data on the basis of our legitimate interest in handling complaints, managing customer services and ensuring the proper processing and correct execution of the services. If you have chosen to share your location information with us by using our website or mobile application, this information may also be used in the provision of the services. In this case, processing is based on consent.
Personal data:
• Identity data
• Contact details
• Card details
• ID documents
• Agreement data
• Information in communications between us
• Transaction history
• Device information
• Authentication data
• Location information, where applicable (can always be disabled by you via your mobile device)
Fulfilling our obligations as required by laws and regulations
Purpose and legal basis:
• To check and verify your identity.
• To study and analyse your use of our services in order to detect misuse/fraud and money laundering and to create statistics and report to the authorities, such as Finansinspektionen (Sweden’s financial supervisory authority) and the Swedish Tax Agency.
• To manage guidelines on requirements for secure identification in connection with executing transactions.
• To store documents in accordance with law.
Your personal data is processed to enable us to fulfil our legal and regulatory obligations relating to bookkeeping and accounting requirements, requirements in accordance with money laundering regulations and our licence. The basis for this processing is the fulfilment of the company’s legal obligations.
Personal data:
• Identity data
• Contact details
• ID documents
• ID-handling
• Agreement data
• Device information
• Information in communications between us
• Transaction history
• Card details
• Authentication data
Managing and defending legal claims and safeguarding our legal rights
Purpose and legal basis:
Where applicable, your personal data may be processed in order for us to:
• Investigate, respond to and defend a legal claim.
• Safeguard our legal rights and interests, such as to demonstrate regulatory compliance or to fulfil audit obligations, as well as to provide information in connection with an acquisition, merger, or sale of our business (de-personalized or pseudonymized data is used as far as possible).
• When necessary, investigate our customers’ compliance with the agreement between us.
Your personal data will be used only to the extent necessary in the individual case in order to satisfy this purpose. Processing takes place on the basis of our legitimate interest in defending ourselves against or managing a legal claim, as well as in safeguarding our rights, provided that our interests outweigh yours.
Personal data:
• Identity data
• Contact details
• Card details
• ID documents
• Information in communications between us
• Transaction history
• Device information
• Agreement data
• Authentication data
• All data that is necessary for the purpose, which depends on the individual case.
Evaluating and developing our business and following up customer relationships
Purpose and legal basis:
We create aggregate statistics on, for example, customer types, sales, and responses to and the use of promotions, and we conduct surveys with the aim of analysing and evaluating the services and the business. When generating statistics and reports, your personal data is used in aggregate form in that the data does not identify you as a person.
This processing is based on our legitimate interest in improving and developing our business.
Personal data:
• Identity data and contact details
• Customer choices
• Agreement data
Marketing our products and informing people about our business
Purpose and legal basis:
• To inform people via direct marketing about our products and promotions that we feel are relevant to existing customers.
• To inform people in general about our business and activities that we organize or participate in.
Processing takes place on the basis of our legitimate interest in marketing and informing people about our business, tending to our customer relationships and encouraging existing customers to choose to use our services again.
If we send you offers and other marketing by e-mail, it is based on your consent (opt in). We obtain consent in accordance with the Swedish Marketing Act. You can opt out at any time by following the instructions in the e-mail you receive from us or by contacting us at gdpr@okapiswap.com.
Personal data:
• Identity data and contact details
• Customer choices
• Information about how you have received and read direct marketing
When you contact Okapi
If you contact us by using a form on our website or sending a letter or an e-mail, we have to collect and store personal data in order to handle your enquiry.
Please note that unencrypted e-mails can pose security and confidentiality risks. An e-mail should be likened to a postcard. Therefore, we ask that you do not provide information in an e-mail that you do not want a third party to acquire. Never disclose sensitive information or information that could be used for unwelcome purposes if acquired by a third party.
Handling enquiries and communicating with you
Purpose and legal basis:
• To receive, respond to and otherwise manage questions from stakeholders, customers and visitors to our digital channels.
This processing is based on our legitimate interest in responding to queries and running the business. If the question is from one of our customers, the information may be added to our system along with other information about the customer relationship. This information is usually deleted within six months of the matter being properly addressed and closed. The retention period may, however, be extended if we believe that the correspondence has content that we need in order to manage and defend a legal claim, comply with a legal or contractual obligation or protect our legal rights.
Personal data:
• Identity data and contact details
• Information in communications between us
• Device information
• Internet use
When you visit our website or other digital channels
While you visit our website or other digital channels, we collect certain information that will be used to identify you in some cases. Your own browser and device settings affect what information we can collect from your visit. Please read our Cookie Policy to obtain the full picture.
Informing people about our business and analysing interest
Purpose and legal basis:
• To inform people about our business and our products.
• To inform people about activities that we organise or participate in.
• To analyse interest in our business/use of the website.
• To provide a channel for getting in contact with us.
In addition, we use personalization in our social media and web advertising communications on other websites. We use cookies and analytical tools for personalization and to analyse usage patterns.
This processing is based on our legitimate interest in carrying out business activities and increasing interest in our business. We obtain your consent for some processing, such as processing of cookies and location information.
Personal data:
• Device information
• Internet use
• Cookies (to the extent that you accept cookies)
• Location information (if you permit this)
• Identity data and contact details (if you ask us a question)
5. How long do we process your personal data?
Your personal data is processed by Okapi for as long as necessary to fulfil the purposes of the processing. Personal data is always stored during the period that you are our customer. Afterwards, certain data needs to be saved for seven (7) years to satisfy bookkeeping, accounting and reporting requirements set by the Swedish Tax Agency. Some personal data needs to be stored for between five (5) and a maximum of ten (10) years to satisfy obligations regarding anti-money laundering and terrorist financing measures. Furthermore, your personal data is saved for five (5) years to comply with the Swedish Payment Services Act. For marketing measures, your personal data is processed for one (1) year after the end of the customer relationship because naturally we want to encourage you to become a customer again. Remember that you can always decline marketing, in which case we will stop processing your personal data immediately.
If you have contacted us but do not have a customer relationship with us, your personal data will usually be saved for six (6) months from the time the matter is clearly addressed and managed.
The estimated retention periods above do not apply to individual cases where we judge that your personal data needs to be processed so that we can assert, determine or defend ourselves against a legal claim.
6. Who do we share your personal data with?
To run our business, we need to work with other parties and in some cases this means we have to share your personal data with a third party. As our business is bound by professional secrecy by law, we may disclose your personal data only if this is clearly supported in law or when it is a condition for fulfilling the terms and conditions of our agreement with you.
Our employees and consultants who work at Okapi. Your personal data may be shared with people who work at Okapi, but only those who need access to the data in order to do their work. Some tasks have been outsourced to the Okapi group’s central IT department and marketing, so their staff may also access your data. Everyone who works at Okapi signs a non-disclosure agreement.
Business partners. To enable us to execute the payment services, we have to share your data with parties who are part of the payment transaction, such as card issuers, banks and payment brands (such as Visa and Mastercard).
Suppliers. Your personal data may need to be transferred to or shared with companies that contribute to our service delivery. In order for us to provide our services and secure our business, we need these companies’ services:
- Suppliers of systems/applications to provide and support e-mail and websites/platforms.
- Server hosting partner.
- Suppliers for managing direct marketing mailings and information related to use of the services.
- Suppliers of information registers that we use when we collect data about you to confirm and verify your identity, and in connection with analyses and investigations into crime, misuse and money laundering.
- Insurance companies where applicable.
- External advisors such as lawyers where applicable.
Public authorities. Sometimes we are obliged to disclose necessary information, including your personal data, to public authorities and the police. We do this only if required in order to fulfil our legal obligations or otherwise comply with the law or government decisions.
Courts, counterparties and legal representatives. In connection with disputes, we need to disclose the data that is relevant to the case.
7. Is your data processed outside of the EU/EEA?
In some cases, we will transfer or share your personal data with parties in a country outside of the EU/EEA. This happens mainly if you want to send money to a recipient in a country outside of these borders. The transfer is then made on your behalf and with agreements as the foundation for the transfer. The Okapi group is established in countries outside of the EU/EEA. In some cases, we may be required to disclose personal data to public authorities outside of the EU/EEA (provided that this is supported in law or by decisions regarding this matter). If we do not have an agreement with you that supports the transfer of your personal data, we will take steps to ensure that the appropriate level of protection can be maintained for your personal data. This could be achieved by, for example, us entering into standard contract clauses (from the EU) with the recipient or by the country to which the transfer shall be made having been judged as having its own legislation that ensures an appropriate level of protection for individuals’ personal data.
8. Information about your rights under GDPR
Access to your personal data. You are entitled to request confirmation of whether we process your personal data, and if we do you are entitled to access the data together with information about how it is processed (called a register extract).
Transfer your data/data portability. You are entitled to receive the personal data that you have provided to us in an electronic format and, if technically feasible, have the data transferred to another data controller. This right applies if we process personal data on the basis of your consent or fulfilling a contract with you.
Correcting incorrect data. You are entitled to request that incorrect personal data be rectified. Furthermore, you are entitled to supplement incomplete personal data.
Erasing data. In some cases, you are entitled to request that your personal data be erased if it is no longer necessary for the purpose for which it was collected, if there is no legal basis for its processing or if our processing is on the basis of your consent.
Revoking your consent. If we process your personal data on the basis of your consent, you may revoke this consent at any time. Your revocation does not affect the legality of our processing up to the point of your revocation.
Objecting to processing. You are entitled to object to the processing of your personal data for legitimate interests. In such cases, we must either prove that we have legitimate reasons to process your personal data that outweigh your interests or cease the processing of your personal data. You are welcome to contact us at any time for more information regarding this balance of interests.
Limiting the use of data. You are entitled to request that the processing of your personal data be limited until incorrect data is rectified or an objection from you has been investigated.
Declining direct marketing. You always have a right to opt out of marketing from us. Please contact us for assistance. If you have consented to electronic mailings, you can use the unsubscribe link in the e-mail to opt out.
Okapi does not carry out processing and does not make decisions based solely on automated processing, including profiling.
If you are dissatisfied with how your personal data is processed, you can submit a complaint to a supervisory authority, which in Sweden is the Swedish Data Protection Authority (www.datainspektionen.se).