Privacy policy.
Version 1.0
Finshark AB (Finshark) org. no. 559203-3855 is a licensed payment institution that helps businesses to take advantage of the new financial scenario and deliver premium services tailored to their customers’ expectations and needs.
1. What personal data we collect and why we collect it
This Privacy Policy explains how we gather and use your personal data in compliance with the EU’s Regulation 2016/679 on General Data Protection (GDPR) and other applicable/supplementary legislation.
In this Privacy Policy, we describe what personal data we collect and process about:
- End-users who are using our payment service
- Representatives of our current or potential customer/s
- Testers that test our payment services
- Website visitors interact with our websites, contact our support and/or submit complaints.
- Job applicants (If you apply for a job with us, please read our policy for job applicants which you can find in connection with submitting your application)
It is important to us that you acquaint yourself with, and understand this Privacy Policy, and feel comfortable with our processing of your personal data. You are always welcome to contact us if you have any questions.
2. What is personal data and what does the processing of personal data mean?
Personal data refers to any kind of information that can be directly or indirectly related to an identified/identifiable natural person. The processing of personal data covers all operations that are performed on the personal data, whether actively or passively, for the means of e.g., collection, registrations, storage, alteration, erasure etc (cf Art 4 (2) GDPR).
3. Who is responsible for the personal data processing?
Finshark AB is the data controller that is responsible for the processing of your personal data for the purpose of delivering our Products and Services to you. We need to collect information about you to communicate our products, deliver our services, and meet our legal obligations relating to payment services.
For example, Finshark may collect information directly from you to perform KYC on you in accordance with our legal obligation under the Anti-Money Laundering and Terrorism Financing Act. See section 5 below for more information.
Most of our customers are business entities, which means that Finshark may in such circumstances act as a data processor. In processing your personal information on behalf of our customers, we ensure that such processing is carried out in accordance with our contractual obligations and applicable legislation.
4. What do we do with your personal data?
The following points provide a list of data categories, purposes, and storage periods for which Finshark processes personal data and information on a legal basis are provided below.
The purpose of processing your personal information depends on in which capacity you interact with us.
For instance, Finshark is required to follow and comply with rules under the European Union Directive 2015/2366 on Payment Services (PSD2), Swedish Payment Services Act (2010:751), Anti-Money Laundering and Terrorism Financing laws and may therefore request more information about you and other relevant financial information.
Here’s an overview of how we process your personal data and for what purposes:
| Personal information you provide. | Area | Purpose of processing | Legal basis |
|---|---|---|---|
| Account Information | In general | In terms of our Services and Products, our business customers integrate our solutions as an option for payment or to take out loans for instance. This means that you as the end user permit us to process and collect information about you. This includes information needed to communicate with your bank or a service provider. We also collect certain data such as address information and that is required for the Service to work. This information includes: • Identifying Information: name, date of birth, email, billing address, mobile number etc. • Order Information • Account information • Device Information | Processing your personal data is necessary to fulfil our contractual obligations towards our customers, but we also have a legitimate interest in processing your information to fulfil our obligation of preventing money laundering and countering terrorist financing. See our Terms and Conditions to know more about how our Account Information works and what personal data we collect for KYC purposes. |
| Payment, and/or Financial Information | We collect this type of personal information e.g., to carry out direct transactions or to initiate payments upon request. This information that we collect about you may include but not limited to, name, date of birth, address, social security number etc. We must also collect information about you directly from your bank for our Services to work – including information about your account, your transactions and other financial information. Please note that we only collect information about you from your bank with your express consent. | For our Services to work, we must collect information about you directly from your bank – which is also a necessary step to fulfil our contractual obligations. However, do note that we only collect information about you from your bank with your express consent. | |
| Information you provide through our platforms and support channels | The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue. With your permission, we may also use this information to contact you about our Services, promotions, newsletters, and enhancement to your engagement with us. | To deal with enquiries and complaints made by or about you relating to our website, services, and/or personal data processing, we are obliged to process your information so that we can help you. For personal data requests and complaints, we rely on our statutory obligations for the processing of your information. | |
| Website visits, cookies and browsing behaviour | Such as device and/or behaviour information, including but not limited to: • IP-address • Operating systems and browser details • Type of device • Interactions with our websites We collect this type of information for two different reasons: a) We automatically collect information that is necessary for enabling basic functions like page navigation and access to secure areas of our platforms. b) With your given consent, we can collect additional information about you when you use our Services, including browsing our websites and taking certain actions within the Services, features you use and the duration of time you spend on our website/platform. Our third-party contractors, such as for advertising and analytics, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information, please see our Cookie policy. | The processing of such personal information is based on our legitimate interest in offering our Services to you and communicating news or updates on our products and business. Additionally, this information will also help us to administer, personalize and improve our website for you. | |
| Sensitive information | Depending on the information you provide to us in relation to the purposes of the processing, as set out in this Privacy Policy, Finshark may collect sensitive personal information as defined in Article 9 of the GDPR. Finshark may also process such sensitive information in relation to, for example, the purpose of checking your personal information against lists of politically exposed persons (“PEP”) and lists of persons subject to sanctions. Such sensitive information may include personal information that reveals racial or ethnic origin, religious beliefs, political or philosophical opinions, trade union membership, or information about health or sexual orientation. | Sensitive information is collected and processed to comply with our statutory obligations as a payment service provider. |
Please note that we may process your personal data for other means and purposes than those described in this Privacy Policy. If this is the case, we ensure to provide you with a separate privacy statement informing you about such processing and for what purposes.
5. How long do we store your personal data?
We will only process and store your personal data for as long as we need to fulfil the purpose for which the data was collected. The duration of time we retain your information depends on who you are and which services you use. For example,
- Personal data will generally not be stored for a period longer than seven (7) years to fulfil accounting obligations.
- Another example is Finshark’s Anti-Money Laundering obligation to document information regarding transactions, and from our ‘Know Your Customer’ processes for five to ten (5-10) years;
- Cookies and similar data are kept as you use the same device or until you opt-out from the use of cookies and similar technologies.
- Other personal data collected for research or statistical purposes may be kept for as long as you permit us, you’re a customer to us, and/or so long as Finshark has a legitimate interest.
Finshark has implemented various technical and organisational measures, such as automated deletion of data and access restriction to systems where personal data is stored, to ensure that the data is not used for a longer period than necessary to fulfil the respective purpose the data was collected for.
6. Who do we share your personal data with?
We mainly share your personal information with our customers whose services you use and to whom you have instructed us to share your data. Personal information we share with our customers is only such as is required for us to be able to deliver the service to you.
In some situations, we may share your information with third parties. When we share your personal data with a personal data processor, your personal data will only be processed in accordance with the purposes for which we collected your personal data in the first place. This means that a personal data processor cannot process your personal data for additional or personal purposes. We have a personal data processor agreement in place with these parties to ensure that your personal data is protected in the same way as if we processed your personal data ourselves.
We may also share your personal information with authorities to comply with our obligations related to preventing crimes and money laundering.
7. Where do we process and store your personal data?
Finshark processes and stores your personal data primarily within the EU/ EES. Our company is based in Sweden and has a subsidiary in Bosnia which means that we’re mainly operating within Europe.
In exceptional cases, your personal data may be processed outside the EU/EES. For example, if our personal data processor, either individually or through another personal data processor/sub-processor, is established outside the EU/EES.
Regardless of the country in which your personal data is processed, we undertake necessary measures to ensure that your personal data is protected with a high level of security that is appropriate to the risks associated with the processing and maintain physical, electronic, and procedural safeguards to protect it.
8. What rights do you have regarding your personal data?
You, as the data subject, have several rights that you can at any time exercise by using the Finshark’s contact information provided below. The following points provide an overview of your legal rights (cf. Chapter 3 GDPR):
8.1 Right to access
You have the right to access your personal data. This means that you have the right to get an extract from the register detailing Finshark’s processing of your personal data. Finshark shall, upon request of an extract from the register, provide you with a copy of the processed personal data and information about the processing.
8.2 Right to rectification/correction
You have the right to get your personal data corrected if it is inaccurate, incomplete, or misleading, and the right to restrict processing of the personal data until it is changed.
8.3 Right to restriction of processing
You have the right to request that the processing of personal data be limited only to processing for certain specific purposes. Such right to restriction of processing applies in the following cases:
- If the personal data is incorrect and Finshark needs time to verify the accuracy of the data.
- If you object to the processing or request the restriction of the use performed by Finshark, in which case the processing shall be limited until the justification for your objection and Finshark’s compelling reasons have been assessed.
- If the personal data is no longer needed for Finshark’s activities, you request that it continues to be stored in case it is needed to make legal claims.
If you believe that Finshark should delete your personal data but Finshark for some reason is unable to accommodate your request.
8.4 Right to object and erasure
Under certain circumstances, you have the right to object to our processing of your personal data and to have your data erased.
8.5 Right to data portability
You have the right in some cases to retrieve the personal data you provided to us and transfer data to another controller, where technically feasible.
8.6 Right to complain to the Supervisory Authority
If you have questions regarding our personal data processing, you can send them to contact@finshark.io (kindly provide ‘GDPR request: your name’) as the subject of your email.
In case you consider that the processing of personal data has been unlawful, as a data subject, you have the right to file a complaint with the supervisory authority. In Sweden, the Swedish Authority for Privacy Protection is the supervisory authority that is responsible for monitoring how your personal data are processed.
The Swedish Authority for Privacy Protection
Phone: +46 (0)8-657 61 00
Email: imy@imy.se
Postal address: Integritetsskyddsmyndigheten (Box 8114) 104 20 Stockholm
9. Contact Information
Finshark is responsible for the processing of your personal data. You are welcome to send questions or to exercise your legal rights according to GDPR by sending an email to contact@finshark.io (kindly provide ‘GDPR request: your name’) as the subject of your email.
10. Changes to Privacy Policy
Finshark AB reserves the right to make changes to this Privacy Policy. The latest version of this Privacy Policy will be found here on the website.