Welcome to our privacy policy that contains information regarding how we process your personal data.
We want to clarify our responsibility to protect your rights and your integrity. In this policy we therefore explain how we use the personal data that you share with us in connection with our financial service P.F.C. The policy describes what personal data we collect and how we use it under the rules set out in the EU’s data protection regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (“GDPR”). For employees and persons applying for a job, there is a separate privacy policy.
PFC Technology AB, registration number 556851-3112 (“P.F.C.” or “we” or “us”) is the controller of the personal data in accordance with GDPR. If you have any questions about the processing of your personal data, you can contact us. Contact details can be found in section 15.
The following terms are used in this policy with the meanings stated below:
Customer or you – the natural person that uses, has used or has expressed a wish or interest in any of our services.
Personal data refers to all types of information that directly or indirectly can be attributed to a natural person who is alive. This could mean name, personal identity number, address etc. Encrypted data and several types of electronic identifiers (such as IP addresses) are also considered personal data if they can be linked to natural persons.
Processing of personal data refers to everything that happens to the personal data. Every action taken with personal data represents processing, irrespective of whether it is performed in an automated manner or not. Examples of common forms of processing are collection, registration, organizing, structuring, adaptation or alteration, transmission and erasure.
Our guiding principle is to anonymize and pseudonymize personal data. Pseudonymized data cannot be related to any specific individual without additional information. Anonymized data cannot be related to any physical person and is revocable. Processing of anonymized data is not covered by GDPR.
We process data linked to the following so-called data subjects:
The data we collect can be divided into two categories: data that you share with us and data that we collect from other sources. In some cases the data is collected from you, in some cases data is collected from other sources and in some cases, for example identification of you, data is collected from you and compared with data from other sources (verification with electronic identification). We process the following categories of personal data:
6.1 The services on our website use cookies and other technologies to, inter alia, function correctly. More information on how we use cookies can be found here: getpfc.com/cookies.
6.2 When you download our app P.F.C. on your mobile phone, tablet or other device we need to store and obtain certain technical information from your device to be able to provide and update the service. The processing of this data is a prerequisite for you to be able to use the service and the information is stored to enable P.F.C. to fulfill the agreement with you to provide our services. If you no longer want P.F.C. to store and obtain the technical information, you must uninstall the application. Please note that uninstalling the app does not mean that your business relationship with us will be terminated, i.e., your accounts will not be closed, and subscription services will not be terminated etc.
7.1 We will process your personal data for several purposes based on various legal grounds. We mainly process personal data to provide, administrate, develop and adjust the service and its functionalities, i.e., to fulfill our agreement with you. We process your data for the following purposes:
To be able to verify that you are who you say you are.
Legal basis for the processing: necessary for us to be able to fulfill the contract we have with you. We may also process data based on the necessity for us to comply with a legal obligation, know your customer (KYC).
To manage our customer relationship and perform the services we have committed to perform for you.
Legal basis for processing: necessary for us to be able to fulfill the contract we have with you.
To be able to provide our services and products.
Legal basis for processing: necessary for us to be able to fulfill the contract we have with you if you already are a customer of ours or legitimate interest if you are not a customer of ours. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, and your interest of being offered our services, have outweighed your right not to have your data processed for this purpose.
To be able to help you in our customer support.
Legal basis for the processing: necessary for us in order to be able to fulfill the contract we have with you if you are already a customer of ours or legitimate interest if you are not a customer of ours but in contact with our customer support.
To be able to perform customer satisfaction surveys and market surveys.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right.
To be able to ensure security in our systems and services.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed. We have also determined that it is in your interest that we can ensure a high security of our products and systems.
To be able to perform risk analysis and prevent fraud.
Legal basis for the processing: necessary for us in order to be able to fulfill the contract we have with you. In some cases, the legal ground for the processing is that it is necessary for us to comply with a legal obligation.
To be able to do risk assessments before a transaction is made.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed. We have also determined that it is in your interest that we act to prevent our services from being used for fraud.
To prevent our services from being used for laundering of money or financing of terrorism and to be able to create risk models based on these risks.
Legal basis for the processing: necessary for us to comply with a legal obligation.
To be able to make a credit assessment.
Legal basis for the processing: necessary for us to comply with a legal obligation.
To be able to make analysis for product development and to be able to evaluate current products.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed.
To be able to perform marketing actions.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed.
To protect us from legal claims and safeguard our legal rights.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed.
To share information with other parties.
Legal basis for the processing: the legal ground for this processing varies depending on what category we are sharing data with, read more under section 8.
To be able to do bookkeeping and accounting and to be able to perform calculations in accordance with the obligations we have as a financial company.
Legal basis for the processing: necessary for us in order to comply with a legal obligation and legitimate interest for accounting to partners.
To transfer or sell a claim we have on you.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest has outweighed your right not to have your data processed.
Disposal, if we buy or sell businesses or assets.
Legal basis for the processing: legitimate interest. At each disposal, we will make an evaluation to assess whether our interest outweighs your interest or not. We will only process data for this purpose if we in the evaluation have determined that our interest has outweighed your right not to have your data processed.
To be able to anonymize and pseudonymize your data.
Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that it is in your interest that we protect your data as far as possible. After the data is anonymized, no further processing of personal data is performed.
7.2 If you do not want us to process your personal data for direct marketing, you may announce this to us in writing through the contact information in section 15.
8.1 We may share your personal data with other companies and with authorities. We will however never share more data than necessary for the purpose of the sharing. The receiver of personal data may be responsible for providing information on their processing of data.
We may share data with the following recipients:
8.2 Personal data may be shared if it is necessary for us in order to be able to fulfill the contract we have with you, or necessary in order for us to comply with requirements provided in law or by authorities, in order for us to comply with legal obligations.
8.3 Furthermore, we may share your data with other parties in order to enable the processing of your transaction and to facilitate payments, enable updates of your transaction status and to send offers from us and our partners. This processing is necessary for us in order to be able to fulfill the contract we have with you if you.
8.4 To be able to provide our services, we will share your personal data with partners, such as the issuer of the cards and the processor of card transactions, processing of the transactions for the management of transaction information and card information as well as our partner for crypto investments. The legal basis for the processing is that it is necessary in order for us to be able to fulfill the contract we have with you or legitimate interest when we are blocking cards, managing disputes etc.
8.5 Sharing your data with another account holder or your legal guardian is necessary for us in order to be able to fulfill the contract we have with you.
8.6 Where it is necessary in order for us to be able to offer you our services (to be able to fulfill the contract we have with you), we share your personal data with companies that act as processors for us. A processor is a company that processes the information on behalf of us and in accordance with our instructions. We have processors that assist us with IT-services, as well as companies that we engage to conduct marketing activities on behalf of us. However, we are always responsible for ensuring that your personal data is processed correctly. When your personal data is shared with processors, it is only for purposes that are compatible with the purposes for which we have obtained the information. We verify that all processors can provide sufficient guarantees regarding the security and secrecy of personal data. We always have written agreements with all processors (data processing agreements) under which they guarantee the security of the personal data processed and undertake to fulfill our requirements and instructions on how the processing of personal data shall be performed.
8.7 Occasionally we also share your personal data with certain companies that are independent controllers. The fact that a company is an independent controller means that we do not control how the information that is shared with the company will be processed. Independent controllers with whom we share personal data are, for example, financial and legal advisors, auditors and our partner for crypto investments. When your personal data is shared with a company that is an independent controller, the privacy policy and principles for personal data handling of that company apply.
We always strive for processing within the EU/EEA. Your personal data may however be processed in a country outside the EU/EEA, on the condition that there are appropriate safeguards for the data.
10.1 Your personal data is normally not stored for a longer period of time than what is necessary to fulfill the purposes for which the data was collected. When you terminate your business relationship with us, we will erase or de-identify the collected data that may be traced back to you, except for such information that we are obliged to keep in accordance with law, normally the year it is terminated plus seven years after you have terminated your account. The personal data is stored only to comply with such legal obligations or to protect our legal interests, such as if there is a pending legal process.
10.2 When the business relationship with you is terminated, we normally erase information that is stored in the terminated account within 30 days of the termination of the account, unless the provisions in the section above are applicable.
11.1 You have the right to receive information on how we process your personal data. That is for example made by keeping this policy accessible. We are also happy to provide you with answers if you have any questions.
11.2 You have the right to request erasure of your data, for example if there is no longer a need for it in order for us to provide the services. Please note that we may still need to store some data for legal reasons.
11.3 You have the right to request that we change or correct the personal data if it is inaccurate. You can edit some of your personal data in the app but if you’re not able to change the data there, you can request that we help you change the data.
11.4 You have the right to request that we limit the processing of your personal data. Your request for limitation may mean that you can no longer be a customer of ours. Limitation can only be made if the legal basis is public interest, legitimate interest or if the processing is for direct marketing purposes.
11.5 If the processing is based on your consent to the processing of personal data, you may at any time withdraw your consent. Withdrawal of consent does not affect the processing we have made during the time that we had your consent.
11.6 You have the right to lodge a complaint with the supervisory data protection authority, see section 15 for more information.
11.7 You have the right to data portability for data that you have shared with us. This means that you can request that the data is transferred to another data controller when technically possible.
11.8 You have the right to request a copy of the personal data undergoing processing. We may charge an administrative fee in case of unfounded or implausible requests (for example if they are made repetitively). You will then be notified about this in advance. We will normally answer your request within one (1) month.
12.1 We have appropriate safeguards designed to protect your information, such as encryption of your data during all processing. We supervise our systems regularly to discover possible weaknesses and attacks. We can, however, not guarantee the security of all information that you provide us. There is no guarantee that information cannot be accessed, exposed, changed or destroyed through attacks on our physical, technical or administered firewalls.
12.2 We always limit the use of your personal identity number as far as possible through, when it is sufficient, using a user identification profile that does not contain your birth date, see section 3 for more information.
Profiling means automated processing of personal data used to assess your characteristics. Profiling is used for example in marketing, market analysis, product development, system development and to prevent our services from being used for laundering of money or financing of terrorism. Profiling is also used in automatic decision making as in credit assessments.
Our services are dynamic and we regularly introduce new functions and features, which means that we process personal information about you. This policy will be updated and changed so that it always reflects how we process your data. If a change requires us to inform you or collect your consent, we will inform you and provide you with the possibility to give consent. It is important that you regularly read this policy since the processing of personal data may change.
15.1 Do not hesitate to contact us if you have any questions regarding the processing of your personal data or any complaints. Written questions and complaints are primarily directed to:
PFC Technology AB
Box 55983
102 16 Stockholm
E-mail: hello@getpfc.com (write “Data protection” as topic).
15.2 In case you are still dissatisfied after contacting us, you can contact the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten), which is the supervisory authority in regard to personal data processing, and to whom you are able to present your complaint.
Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm
http://www.imy.se
Telephone number: +46 (0) 8 657 61 00
E-mail: imy@imy.se
Last updated 3 February, 2023