End User Facing Privacy Policy

Trustly Group AB, reg. no. 556754-8655 (“Trustly”, “we”, “us” or “our”) is a Swedish payment institution providing a bank-independent payment solution supporting the execution of transactions from bank accounts in a number of banks in a selection of countries (the “Service”). The Service allows you (the "User") to execute payments through your online banking service in a simplified manner to an online supplier providing you a product or service (the "Supplier"). This means that you can pay for goods and services directly from your bank account. Moreover, we can reverse the flow of funds, allowing you to log into your online bank and choose which bank account your Supplier shall send funds to in case you e.g. want to return the goods you have purchased.

We have a license from the Swedish Financial Supervisory Authority to conduct our activities.

We collect information relating to your identity such as your name.

When using our Service, information about you, available in various parts of the online banking interface (including name, address, telephone number, e-mail address, sending bank account number, account balance, personal identity number and, where applicable, passport number/identity card number) will be gathered by us during the payment session.

We will also store information on the IP address you use and what kind of device and operating system you use.

We collect and process the information for the purposes of initiating your payment to the Supplier, registering your transaction with your bank and otherwise carrying out a secure payment. In short, we need the information gathered to make the payment. In addition to performing the payment, we process your personal data to meet legal requirements regarding anti-money laundering and counter terrorism financing as well as in order to prevent fraud and other criminal acts.

In order to provide as good a service as possible we may also use the data you provide us with to troubleshoot the Service if it does not function properly and to improve the Service’s functionality.

We will undertake necessary measures to protect your data from otherwise being passed on to third parties and undertake not to pass on your data for advertising purposes.

Necessary for performance of a contract

The personal data will be provided to us by yourself as a consequence of you entering into an agreement with us. This is the case when you register a direct debit mandate allowing us to debit funds from your bank account in accordance with your instructions. We will process your personal data to perform our obligations under that agreement. Furthermore, providing us with this personal data is necessary in order for you to be able to subscribe to our direct debit service.

Legal obligations on us

As a licensed payment institution, we have several legal obligations to comply with (for example, legislation in relation to direct debits) and for that purpose we may need to collect and process your personal data. The situations in which we do so are the following:

● Complying with legal and regulatory requirements in relation to our license: We are obliged to monitor the payments processed by us. For that purpose, we may keep a record of transactions that we deem may constitute fraudulent transactions and similar criminal acts.

● Complying with legal and regulatory requirements in relation to our anti-money laundering obligations: We are also obliged to comply with requirements to prevent money laundering. For this reason we also have to monitor the transactions processed by us. In other words, we need to know who uses the Service.

Necessary in our legitimate interests or those of a third party

We also process your personal data where the benefits of doing so are not outweighed by your fundamental rights or freedoms. This is referred to as having a legitimate interest in processing your personal data.

Where we rely on this legal ground for processing your personal data, the benefits being pursued by us are:

● Helping to prevent and detect crime such as fraud and money laundering: Fraud and money laundering cost society a lot of money every year and by helping to avoid e.g. fraud, we participate in preventing this from happening. We also assist other companies in preventing and detecting fraud and may assist your Supplier with complying with obligations to prevent money laundering. This means that we provide your personal data to your Supplier if your Supplier has legal obligations to verify your identity in order to prevent e.g. money laundering.

● Troubleshooting the Service and analyzing/improving its functioning: Sometimes our Service does not function as well as we want it to. Therefore, we may need to review transactions carried out by us to e.g. figure out why they are taking longer to execute than usual. We also continuously make improvements to our Services to improve the overall user experience.

● Complaint and dispute resolution: In case we receive queries and complaints from a Supplier or User, we will need to use User data in order to investigate and respond to those matters.

Your Supplier

For the purpose of the Supplier verifying the transaction in order to be able to e.g. release the goods purchased by you, or top-up your account held with the Supplier, we provide the Supplier with information on the transaction (including your name, account number, and the amount transferred).

In addition to that, your address, telephone number, e-mail address, personal identity number and/or passport number/identity card number may be forwarded to the Supplier in order for the Supplier to verify your identity as a measure to prevent money laundering, fraud or other criminal acts as well as to meet potential legal requirements imposed on the Supplier.

Whenever your personal data is shared with the Supplier, we make sure to use safe communication channels and we contractually bind the Supplier to only process your personal data in accordance with the objectives set out in this privacy policy.

Authorities and your bank

We may also need to share your personal data and information on your transactions with police authorities and other relevant authorities, and possibly your bank. This is done when necessary to investigate payment transactions for the purposes of preventing and disclosing breaches against anti-money laundering legislation, fraudulent use of the Service and other criminal acts.

Third parties with whom we collaborate

We may also need to share your personal data with collaboration partners such as electronic identity verification service providers and providers of similar services, in order to confirm your identity and address. In the same way as in relation to your Supplier, we make sure to use safe communication channels whenever your personal data is shared with collaboration partners, and we contractually bind such partners to only process your personal data in accordance with the objectives set out in this privacy policy.

We store your personal data on servers located in Sweden. We have undertaken necessary measures to protect your personal data and maintain physical, electronic, and procedural safeguards to protect it.

We restrict access to your personal data to those employees, and third parties, who need to know that information to provide the Service or, as regards third parties, the products or services you want to buy from that Supplier.

We always protect your information when being sent over the Internet by using secure web server technologies. Data in transit is encrypted with state of the art encryption protocols in order to safeguard the information during its journey across the Internet.

We will keep your personal information for as long as we need it to comply with our legal obligations, in particular our obligations to maintain records of the transactions we process and the identity of the individual carrying out the transactions. We also store your personal data for any potential disputes or questions that you may have regarding transactions carried out by you. The amount of time we keep your personal information for may vary from one piece of information to another depending on the requirements we have to store that particular piece of information.

However, no information is stored for a longer period of time than seven years.

We have offices in Sweden, Germany, the UK, Spain, Finland and Malta. Employees in these countries may, in case their job descriptions/tasks require so, access your personal information. Any personal data accessed from these locations is protected by EU data protection standards and is always encrypted when sent over the Internet.

The Suppliers with whom we share personal data need to have our approval if they want to process your personal data outside of the European Economic Area (EEA).

In relation to the personal data collected by us about you, you have certain rights. These rights are:

- Access to your information: You can get information from Trustly about which of your personal data we have gathered, why we have gathered it, etc.

- Rectification: If any of your personal data that we process is inaccurate, you are entitled to have it corrected.

- Erasure: You can request that Trustly erase personal data that we have gathered about you. Trustly will, under certain circumstances, be obliged to remove it.

- Restriction on processing: You can request that Trustly restricts the processing of your personal data under certain circumstances, e.g. if you contest the accuracy of the personal data processed by us. We must then restrict the processing while verifying the accuracy of your request.

- Objection to processing: You can object to processing that Trustly carries out whereby we must assess if we can continue to process that personal data.

- Portability: You can request that Trustly provides you all the information that Trustly processes about you. In some cases we are obliged to comply with that request and provide you with the personal data processed about you.

- Lodge a complaint: If you are unhappy with our handling of your personal data you can lodge a complaint to the Swedish Data Protection Authority which is the lead supervisory authority in relation to Trustly. You can also lodge a complaint with the data protection authority in your home country in the EU.

We have a Support team and a Data Protection Officer that you can contact if you have questions about this Privacy Policy and our handling of your personal data.

We are a so-called “data controller” in relation to the personal data that you provide us with. This means that you can contact us if you want to exercise your rights explained above. You can contact us by sending a request to our Support team by completing this online form https://trustly.com/en/feedback-form/.

If you want to, you can also contact our Data Protection Officer at dpo@trustly.com.

Please check the Privacy Policy every time you make a payment using our Service, as updates may include information on additional processing activities we intend to perform going forward.