Privacy Policy

Privacy Policy

Welcome to our privacy policy that contains information regarding how we process your personal data.

We want to clarify our responsibility to protect your rights and your integrity. In this policy we therefore  explain how we use the personal data that you share with us in connection to our financial service P.F.C. The policy describes what personal data we collect and how we use it under the rules set out in the EU’s data protection regulation, 2016/679 2016 on the protection of natural persons with regard to the processing of personal data (“GDPR”). 

1. General information
1.1 PFC Technology AB (publ.), corporate identity number 556851-3112 (”P.F.C.” or “we” or “us”) is the controller of the personal data in accordance with GDPR. 

For employees, persons applying for a job, there is a separate privacy policy. If you use our webshop, there is a specific privacy policy for the webshop.

2. Terminology and definitions 
The following terms are used in this policy with the meanings stated below:

Customer or you – the physical person that use, have used or has expressed a wish or interest in any of our services

Personal data refers to all types of information that directly or indirectly can be attributed to a natural person who is alive. This could mean name, personal identity number, address etc. Encrypted data and several types of electronic identifiers (such as IP addresses) are also considered personal data if they can be linked to physical persons.

Processing of personal data refers to everything that happens to the personal data. Every action taken with personal data represents processing, irrespective of whether it is performed in an automated manner or not. Examples of common forms of processing is collection, registration, organizing, structuring, adaptation or alteration, transmission and erasure.

3. General information about how we process personal data 

Our guiding principle is to anonymize, and pseudonymize personal data. Pseudonymized data cannot be related to any specific individual without additional information. Anonymized data cannot be related to any physical person and is revokable. Processing of anonymized data is not covered by GDPR. 

4. Categories of data subjects

4.1 We process data liked to the following, so called, data subjects: 

  • Customers
  • Persons of which have been invited to be customers of P.F.C. 
  • Contacts at suppliers or authorities.

5. Data we collect

The data we collect can be separated into two categories; data that you share with us and data that we collect from other sources. In some cases the data is collected from you, in some cases data is collected from other sources and in some cases, for example at identification of you, data is collected from you and compared with data from other sources (verification with electronic identification). We process the following categories of personal data: 

  • Identification and contact information: name, birthdate, personal identity number, mail address, occupation, mobile number, e-mail address
  • Connections to other customers: if you are the legal guardian of any of our customers or if your leal guardian is a customer of ours, if you have a joint account with any of our customers.
  • Information about how you use our services: which services you use, what terms and conditions you have accepted, transactions made with your P.F.C.-card or from any of your accounts etc. 
  • Information about your economy: information about your income and occupation, possible credits, payment history, credit statements
  • Information about how you use our services: which services you use and how you use them.
  • Technical information generated through the use of our services: response time for different pages, downloading problems and information about when and how you used the page or service.
  • Information about your contacts with customer support and our department for complaints: chat conversations, e-mail conversations, notifications of phone calls or complaints that you have sent us. 
  • Unit information: proxy server, operational systems, browser and additions, date and time, internet service provider or mobile phone provider, IP-address, place, language setting, web browser setting, time zone, platform and similar information about the unit you use when you contact us or use our services. 
  • Information about so called PEP-lists and sanction lists: name, birth date, birth place and the reason that the person is listed
  • Sensitive personal data: data included in the definition in GDPR, article 9 point 1, e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, sex life or sexual orientation. Sensitive personal data will only be processed of you choose to share that information with us which we do not recommend you to do. We will never ask you to leave this information to us. 


6.  Cookies, web beacons and similar technologies
6.1 The services on our website use cookies and other technologies to function correctly. More information on how we use cookies can be found here: getpfc.com/cookies.

6.2 When you download our app P.F.C. on your mobile phone, tablet or other device we. need to store and obtain certain technical information from your device to be able to provide and update the service. The processing of this data is a prerequisite for you to be able to use the service and the information is stored to enable P.F.C. to fulfil the agreement with you to provide to service. If you no longer want P.F.C. to store and obtain the technical information, you must uninstall the application. Please note that uninstalling the app does not mean that your business relationship with us will be terminated, i.e., your accounts will not be closed, and subscription services will not be terminated etc. 

7. This is how we use your data
7.1 We will process your personal data for several purposes based on various legal grounds. We mainly process personal data to provide, administrate, develop, and adjust the service and its functionalities, i.e., to fulfil our agreement with you. We process your data for the following purposes:  

To be able to verify that you are who you say you are.

Legal basis for the processing: necessary for us to be able to fulfill the contract we have with you. We may also process data based on the necessity for us to comply with a legal obligation, know your customer (KYC). 

To manage our customer relationship and perform the services we have committed to perform for you. 

Legal basis for processing: necessary for us to be able to fulfill the contract we have with you. 

To be able to provide our services and products. 

Legal basis for processing: necessary for us to be able to fulfill the contract we have with you if you already are a customer of ours or legitimate interest if you are not a customer of ours. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, and your interest of being offered our services, have outweighed your right not to have your data processed for this purpose. 

To be able to help you in our customer support. 

Legal basis for the processing: necessary for us in order to be able to fulfill the contract we have with you if you are already a customer of ours or legitimate interest if you are not a customer of ours but in contact with our customer support. 

To be able to perform customer satisfaction surveys and market surveys.

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right.

To be able to ensure security in our systems and services.  

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed. We have also determined that it is in your interest that we can ensure a high security our or products and systems. 

To be able to perform risk analysis and prevent fraud. 

Legal basis for the processing: necessary for us in order to be able to fulfill the contract we have with you. In some cases, the legal ground for the processing is it is necessary for us to comply with a legal obligation. 

To be able to do risk assessments before a transaction is made. 

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed. We have also determined that it is in your interest that we act to prevent our services of being used for fraud. 

To prevent our services from being used for laundering of money or financing of terrorism and to be able to create risk models based on these risks. 

Legal basis for the processing: necessary for us to comply with legal obligation. 

To be able to make a credit assessment. 

Legal basis for the processing: necessary for us to comply with legal obligation.

To be able to make analysis for product development and to be able to evaluate current products.

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed.

 

To be able to perform marketing actions.

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed. 

To protect us from legal claims and safeguard our legal rights. 

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed. 

To share information to other parties. 

Legal basis for the processing: the legal ground for this processing varies depending on what category we are sharing data with, read more under section 8.

To be able to do bookkeeping and accounting and to be able to perform calculations in accordance with the obligations we have as a financial company. 

Legal basis for the processing: necessary for us in order to comply with legal obligation and legitimate interest for accounting to partners. 

To transfer or sell a claim we have on you. 

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that our interest, have outweighed your right not to have your data processed. 

Disposal, if we buy or sell businesses or assets. 

Legal basis for the processing: legitimate interest. At each disposal, we will make an evaluation to assess weather our interest outweighs your interest or not. We will only process data for this purpose if we in the evaluation have determined that our interest have outweighed your right not to have your data processed. 

To be able to anonymize and pseudonymize your data. 

Legal basis for the processing: legitimate interest. At the evaluation of legitimate interest, we have made an assessment and have determined that it is in your interest that we protect your data as far as possible. After the data is anonymized no further process of personal data is performed. 

7.2 If you do not wish for us to process your personal data for direct marketing, you may announce this to us in writing through the contact information in section 15.

8. This is how we share your personal data
8.1 We may share your personal data to other companies and to authorities. We will however never share more data than necessary for the purpose of the sharing. The receiver of personal data may be responsible to provide information on their processing of data.

We may share data with the following recipients: 

  • Authorities, for example police, tax authority, enforcement authority and other legal enforcing authority, and authorities supervising us.
  • Partners, that we use to be able to execute the services we have committed to perform for you, for example the issuer of our cards
  • Service providers, for example IT-services, data base services and services to administer our communication with you
  • Credit monitoring institutions and companies
  • Debit collection companies
  • Buyers of claims
  • Participants and partners related to national, Europe and international payment systems, for example Mastercard and suppliers of digital wallets.
  • Other account holders (only if you have a joint account as a part of Duo) 
  • Legal guardian (as a part of the service Junior)

8.2 Personal data may be shared if it is necessary for us in order to be able to fulfill the contract we have with you, or necessary in order for us to comply with requirements provided in law or by authorities, in order for us to comply with legal obligations.

8.3 Furthermore, we may share your data to other parties in order to enable the processing of your transaction and to facilitate payments, enable updates of your transaction status and to send offers from us and our partners. This processing is necessary for us in order to be able to fulfill the contract we have with you if you.

8.4 To be able to provide our services, we will share your personal data to partners, such as the issuer of the cards and the processor of card transactions processing of the transactions for the management of transaction information and card information. The legal basis for the processing is that it necessary in order for us to be able to fulfill the contract we have with you or legitimate interest when we are blocking cards managing disputes etc. 

8.5 Sharing your data with another account holder or your legal guardian is necessary for us in order to be able to fulfill the contract we have with you if you. 

8.6 Where it is necessary in order for us to be able to offer you our services (to be able to fulfill the contract with have with you), we share your personal data with companies that act as processors for us. A processor is a company that processes the information on behalf of us and in accordance with our instructions. We have processors that assist us with IT-services, as well as companies that we engage to conduct marketing activities on behalf of us. However, we are always responsible for ensuring that your personal data is processed correctly. When your personal data is shared with processors, it is only for purposes that are compatible with the purposes for which we have obtained the information. We verify that all processors can provide sufficient guarantees regarding the security and secrecy of personal data. We always have written agreements with all processors (data processing agreements) under which they guarantee the security of the personal data processed and undertake to fulfil our requirements and instructions on how the processing of personal data shall be performed.

8.7 Occasionally we also share your personal data with certain companies that are independent controllers. The fact that a company is an independent controller means that we do not control how the information that is shared with company will be processed. Independent controllers with whom we share personal data are, for example, financial and legal advisors and auditors. When your personal data is shared with a company that is an independent controller, the privacy policy and principles for personal data handling of that company apply.

9. Location of the processing of personal data
We always strive for processing within the EU/EEA. Your personal data may however be processed in a country outside the EU/EEA, on the condition that there is appropriate safeguards for the data. 

10. Information about storage

10.1 Your personal data is normally not stored for longer period of time than what is necessary to fulfil the purposes for which the data was collected.  When you terminate your business relationship with us, we will erase or de-identify the data collected that may be traced back to you when you terminate your business relationship with us, except for such information that we are obliged to keep in accordance with law, normally the year it is terminated plus seven years after you have terminated your account. The personal data is stored only to comply with such legal obligations or to protect our legal interests, such as if there is a pending legal process. 

10.2 When the business relationship with you is terminated, we normally erase information that is stored in the terminated account within 30 days of the termination of the account, unless the provision in the section above are applicable. 

11. Your choices and rights
11.1 You have the right to receive information on how we process your personal data. That is for example made by keeping this policy accessible. We are also happy to provide you with answers if you have any questions. 

11.2 You have the right to request erasure of your data, for example if there is no longer a need for it in order for us to provide the services. Please note that we may still need to store some data for legal reasons. 

11.3 You have the right to request that we change or correct the personal data if it is inaccurate.  you can edit some of your personal data in the app but if you’re not able to change data there, you are able to request that we help you change the data. 

11.4 You have the right to request that we limit the processing of your personal data. Your request for limitation may mean that you cannot longer be a customer of ours. Limitation can only be made if the legal basis is public interest, legitimate interest or if the processing is for direct marketing purposes. 

11.5 If the processing is based on your consent of the processing of personal data, you may at any time withdraw your consent. Withdrawal of consent does not affect the processing we have made during the time that we had your consent. 

11.6 You have the right to lodge a complaint to the supervisory data protection authority, see section 15 for more information. 

11.7 You have the right to data portability for data that you have shared with us. This means that you can request that the data is transferred to another data controller when technical possible. 

11.8 You have the right to request a copy of the personal data undergoing processing. P.F.C. may charge an administrative fee in case of unfounded or implausible requests (for example if they are made repetitively). You will then be notified about this in advance. P.F.C. will normally answer your request within one (1) month. 


12. Other important information
12.1 We have appropriate safeguards designated to protect your information, such as encryption of your data during all processing. We supervise our systems regularly to discover possible weaknesses and attacks. We can, however, not guarantee the security of all information that you provide us. There is no guarantee that information cannot be accessed, exposed, changed or destructed through attacks on our physical, technical or administered firewalls.

12.2 We always limit the use of your personal identity number as far as possible through, when it is sufficient, using a user identification profile that does not contain your birth date, see section 3 for more information. 

13. Profiling and automated decisions
Profiling means automated processing of personal data used to assesses your characteristics. Profiling is used for example in marketing, market analysis, product development, system development and to prevent our services for being used laundering of money or financing of terrorism. Profiling is also used in automatic decision making as in credit assessments. 

14. Updating this privacy policy

Our services are dynamic and we regularly introduce new functions and features which means that we process personal information about you. This policy will be updated and changed to always be updated on how we process your data. If a change requires us to inform you or collect your consent, we will inform you and provide you with the possibility to leave consent. It is important that you regularly read this policy since the processing of personal data may change. 

15. Contact information 

15.1 Do not hesitate to contact us if you have any questions regarding the processing of your personal data or any complaints. Written questions and complaints are primarily directed to:

PFC Technology AB
Box 55983 
102 16 Stockholm

E-mail: hello@getpfc.com write “Data protection” as topic.

15.2. In case you are still dissatisfied after contacting us, you can contact the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten), which is the supervisory authority in regard to personal data processing, and to whom you are able to present your complaint.

Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm

http://www.imy.se
 

Telephone number: +46 (0) 8 657 61 00
E-mail: imy@imy.se

Last updated July 13, 2021