TRUSTLY’S PRIVACY POLICY

4.1. When you use our Service

Providing our Service

Trustly’s proprietary, bank-independent online payment solution enables the execution of account-to-account bank transfers online (the/our “Service”). The Service consists of several different features which allow you to:

(a) execute payments from your online bank in a fast, simple and secure manner to an online supplier providing you with a product or service (the “Merchant”), meaning that you can pay for goods and services directly from your bank account (“Pay-in”);

(b) receive payments from the Merchant directly to your bank account in case you e.g. want to return purchased goods (“Pay-out”);

(c) register a direct debit mandate that will allow us to execute payments directly from your bank account (“Direct Debit Payment”) without the need for you to login to your bank for each purchase; and/or

(d) authenticate yourself towards a Merchant and/or register an account with the Merchant when making a payment transaction where the Merchant has such identification requirements (“Identity Verification”); and/or

Below we will describe how we process your personal data when using the different features of the Service.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To initiate and process a convenient and secure Pay-in to your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To initiate and process a convenient and secure Pay-out to you from your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To set up a direct debit mandate in a convenient way and to conduct a Direct Debit Payment to your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To verify your identity and/or update your contact information when the Service is used for Identity Verification, i.e. as a means for you to verify your identity towards your Merchant. | Contractual obligation. | Identifying Information. |
| To refresh your Identifying Information in case of Identity Verification (will be made on a 90-day interval). | Pursue our legitimate interest of providing you with the Service. | Identifying Information. |
| To verify your bank account when the Service is used for Account Verification. | Contractual obligation. | Identifying Information, Financial Information. |

Comply with legal and regulatory obligations

As a licensed payment institution, Trustly is obliged to follow a set of laws and regulations relating to its processing of payment transactions. Some of the data we collect about you when you use our Service will be used to fulfil these legal and regulatory obligations.

For more detailed information on what data we use for legal and regulatory compliance purposes, see the table below.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To fulfil our legal obligations under applicable money laundering regulations to monitor the payments processed by us and to report suspicious payments to the police or similar authorities. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our legal obligations to report statistics to authorities on inter alia fraudulent transactions. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our legal obligations to contact you if a situation would arise that may affect your financial interests or, if you use our Direct Debit Payment service, to inform you about changes to our terms for use of this service. | Comply with legal obligations. | Identifying Information. |
| To fulfil our legal obligations to conduct know your customer checks on you when you use our Direct Debit Payments service including screening your personal information against lists of politically exposed persons (“PEP”) and lists of persons subject to sanctions. | Comply with legal obligations. | Identifying Information and when applicable copies of your passport and other documents validating your identity and/or address. |
| To fulfil our legal obligations under bookkeeping law pursuant to which we are obliged to store your personal data relating to a payment. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information. |

Performance and business development

At Trustly, we always strive to provide you with the best possible user experience. In order to achieve this, we will process your personal data to make sure that our Service works properly and to fix any problems that may occur in the Service. We also use your personal data to ensure that the Service is presented to you in the most compelling manner and to understand how we can develop our Service to create even better products.

For more detailed information on what data we use for these performance and business development purposes, see the table below.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To troubleshoot the Service in case of lack in performance. | Pursue our legitimate interest of troubleshooting the Service in order to provide you with a working Service. | Identifying Information, Order Identifying Information, Financial Information, Device Information, Behaviour Information. |
| To perform analysis on how you use our Service. | Pursue our legitimate interest of developing our organisation in order for us to continue offering the best possible products and services to you. | Identifying Information, Order Identifying Information, Financial Information, Device Information, Behaviour Information. |
| To adapt the presentation of the interface, such as the type of language and appearance of our Service, through which we communicate with you, depending on what type of device you use. | Pursue our legitimate interest of adapting the presentation of the Service to you. | Device Information and Identifying Information. |

Incident management and security

To mitigate the risk that the Service is being used for fraudulent and other illicit actions, we may process your personal data for these types of purposes.

For more detailed information on what data we use for this incident management and security purpose, see the table below.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To verify your identity for the purpose of preventing our Service from being used for fraud and/or similar illicit actions. | Comply with legal obligations and pursue our legitimate interest to prevent and detect crime such as fraud. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To keep your personal data safe and to prevent the Service from being targeted by external cyber-attacks (such as DDoS attacks). | Pursue our legitimate interest of keeping your personal data safe as well as ensuring that our Service is working as intended in case of a cyber-attack. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our contractual obligations to inform of incidents. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our legal obligations to report certain incidents to the Swedish Financial Supervisory Authority and the Swedish Data Protection Authority. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To establish, exercise and/or defend Trustly against legal claims. | Pursue our legitimate interest of establishing, exercising and/or defending legal claims. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |

Cookies

When you are using our Service, we may set cookies on your device. The data generated from the cookies is used to provide you with a better user experience.

Please read our cookie policy available here for more information on our use of cookies.

For more detailed information about how we use the data generated from the cookies when you use our Service, see the table below.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To create a fast and convenient payment experience, Trustly has developed a so-called “remember me function” which allows us to remember you and how you like to use our Service. If you choose to activate this functionality, we will remember you on the device you used for the purpose of providing you with a faster payment experience next time you choose to pay with Trustly. In addition, you will also, when you activate the functionality, give us your consent to communicate to your bank that you, for a period of 90 days, allow us to fetch your account balances. We will only use this access when you have initiated a payment with Trustly to check which bank accounts have sufficient balance to make your requested payment. We will also allow you to be able to view your balances, should you choose to enable this view. | Your consent. If you want to withdraw your consent and thus disable the functionality, the easiest way is if you click [Change] whenever you make a payment with Trustly and then click [Remove]. Alternatively, you can contact our Support function here and they can assist you. | Device Information, Behaviour Information. |

How do we collect your personal data when using the Service?

When using our Service, we collect your personal data directly from you, as well as from your online banking interface (i.e. online bank) or via an API provided by your bank in accordance with our agreement. In addition, we also collect personal data from your Merchant and, depending on the purpose for which the Service is used, from external third-party sources. For example, the latter can occur when we need to verify your identity and/or update/supplement contact information via official identity verification service providers or similar providers. Our payment system will in addition generate personal data such as an order id number when you use our Service.

Trustly also resells payment services provided by third-party payment service providers. When reselling such payment services, Trustly will obtain personal data about you from such providers. For more information about which personal data a third-party payment service provider shares with Trustly, please contact the relevant provider.

4.2. When you are a customer representative

Trustly processes personal data of representatives of our customers, being the Merchants or another payment service provider that resells our Service via their channels. This processing is mainly done to administer the business relationship and fulfil our legal obligations to conduct so-called know your customer checks on our customers.

In this section, you can find more specific information on how we process your data in case you are a customer representative.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To enter into, or maintain, a business relationship with the company you represent and to communicate important information regarding our Service that is not considered marketing. | Contractual obligation and pursue our legitimate interest of communicating and maintaining contact with you and to verify that the information we have about you is up to date or if we need to communicate information to you about our Service that we assess is important for you to be aware of. | Identifying Information. |
| To improve our Service, we may send out customer satisfaction surveys to you. In such surveys, we will ask you to inter alia evaluate us and/or our Service. | Pursue our legitimate interest of improving our Service in order to be able to provide a better Service or develop new services based on the answers to the survey. | Identifying Information. |
| To market our Service in case you show interest in our Service by e.g. visiting our websites (see more under section 4.3 for more information). There is always an opportunity to opt-out from marketing in an easy and convenient way, e.g. by clicking “unsubscribe” to the emails we or our advertising agencies might send or by objecting to the processing of your personal data for this specific purpose. | Pursue our legitimate interest of marketing our Service for commercial purposes and to offer our Service or new services that we think you as a current and/or potential customer representative would be interested in. | Identifying Information, Behaviour Information. |
| To fulfil our legal obligations to conduct know your customer checks on our customer, including screening of your personal information against PEP-lists and lists of persons subject to sanctions. | Comply with legal obligations. | Identifying Information and when applicable copies of your passport and other documents validating your identity and/or address. |

How do we collect your personal data when you are a customer representative?

When you contact us for the purpose of entering into a potential business relationship regarding our Service, we will collect the personal data that you provide us with, such as contact details from emails and agreements. We will also collect personal data provided by you if you, for example, give us your contact details in relation to campaigns you want to take part in or white papers you wish to receive.

When conducting know your customer checks on our customer, we will ask the customer to provide information, such as passport copies on e.g. its ultimate beneficial owners and directors.

In addition to the information that we receive from you, we will also collect personal data about you through cookies if you visit our websites (see more under section 4.3 for more information).

4.3. When you visit our websites or contact our support and/or complaints service

We value your feedback and we want to understand what we can do to improve our Service. Therefore, Trustly has a customer support platform available where you can get in contact with us. When you do this, we will collect certain personal data about you.

Trustly also uses cookies on our websites in order to deliver a well-functioning, personalized and user-friendly experience. Please read our cookie policy available here for more information on our use of cookies.

In this section, you can find more specific information on how we process your data in case you are an individual contacting our support and/or complaints service or if you are a website visitor.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To assist you with your question or concern in case you contact our support and/or complaints service, either through our websites or by emailing us. | Pursue our legitimate interest of interacting with you in case of e.g. questions or complaints. | Identifying Information. |
| To set cookies on your device when you visit and interact with our websites. We use the data generated from cookies for several purposes, such as to make the websites work properly, to gather statistics of how you use and interact with our websites in order to improve its functionality as well as for business to business marketing purposes. | Pursue our legitimate interest of providing you with working and functional websites as well as to gather web statistics for commercial reasons. In addition, we pursue our legitimate interest of marketing our Service to potential customers. | Device Information, Behaviour Information. |

How do we collect your personal data when you contact our support and/or complaint service or visit our websites?

If you contact us, we will process your personal data by collecting your contact details through the media you choose to contact us, i.e. via e-mail, post or any other way. Similarly, when visiting our websites, we will process your personal data by setting cookies on your device and thus collect information in accordance with our cookie policy.

4.4. Other situations

Regardless of who you are, personal data about you may also be processed by us for the purpose of fulfilling your rights as a data subject under the GDPR and to establish, exercise and defend ourselves against legal claims. For more information, please see below.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To cater to your rights in accordance with the GDPR and other applicable data protection legislation. If you, as a data subject, contact us and ask us to provide you with the information we have collected about you, we will ask you to verify yourself in order to prevent disclosure of personal data to the wrong person. | Comply with legal obligations and pursue our legitimate interest of verifying your identity in order to prevent disclosure of personal data to the wrong person. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To handle any complaints or establish, exercise and/or defend Trustly against legal claims. | Pursue our legitimate interest of handling complaints or establish, exercise and/or defend legal claims. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |

5.1. General

Trustly Group

Regardless of who you are, your personal data may be shared with companies that form part of the Trustly Group, when needed to fulfil the purpose the data was collected for. This sharing of data is carried out on the basis that we have a legitimate interest of sharing data within our group for commercial, compliance and organisational reasons.

5.2. When you use our Service

Your Merchant

For the purpose of your Merchant verifying payments in order to be able to e.g. release any purchased goods, we provide the Merchant with information on the payments. What type of information we send to your Merchant depends on the type of transaction and how the Merchant integrates the Service in their system.

Identifying Information and/or Financial Information may also be forwarded to your Merchant in order for the Merchant to verify your identity when the Service is used for Identity Verification and/or Account Verification. We share this information with the Merchant if the Merchant is legally obliged to verify your identity as a measure to prevent money laundering, fraud or other criminal act or to meet other potential legal and/or regulatory requirements imposed on the Merchant. In certain situations, we may also share your personal data if the Merchant has a legitimate interest to verify your identity or that you indeed are the actual holder of a bank account. For example, Identifying Information may be shared with a Merchant in order for the Merchant to offer you a better user experience by prefilling information on shipping address in the Merchant’s cashier.

The sharing of your personal data with the Merchant is carried out on the basis that it is necessary for us to fulfil our contractual obligations as well as our legitimate interest to carry out the transaction and the Merchant’s legitimate interest or legal obligation of verifying payments and/or your identity. In addition, our legitimate interest of sharing your personal data with your Merchant is sometimes based on your wish to share your personal information with your Merchant in order for you to verify your identity, bank account and/or use your Merchant’s service, which we provide a simple and convenient solution for.

Third party payment service providers

When offering our Services, other third-party payment service providers that we collaborate with may be involved. In such case, we will share your personal data with such third-party providers for the purpose of the provider forwarding the data to your Merchant. If we do not share data with such a third-party payment service provider when it is part of the payment chain, you will not be able to complete the transaction.

This sharing of your personal data with a third-party payment service provider is carried out on the basis that it is necessary for us to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction.

For more information about which personal data a third-party payment service provider shares with Trustly, please contact the relevant provider.

Authorities and banks

To carry out a transaction when using our Service, we need to transfer some of your personal data to your bank and other banks that are part of the payment chain. This processing is carried out on the basis that it is necessary to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction and for the purpose of troubleshooting payments.

We may also need to share your personal data and information on payments with police, tax and other relevant authorities, and possibly your bank and/or other banks that are part of the payment chain. This is done when necessary to investigate payment transactions for the purposes of preventing and disclosing breaches against anti-money laundering legislation, fraudulent use of the Service and other criminal acts. When sharing your personal data for these purposes with authorities, this is carried out on the basis of our obligation to comply with legal obligations to which we are subject. When sharing your personal data for these purposes with your bank and/or other banks that are part of the payment chain, this is carried out on the basis of our legitimate interest to prevent fraud and other criminal acts.

Other third parties with whom we collaborate

To carry out a transaction when using our Service, we may need to share your personal data with collaboration partners such as official identity verification service providers and similar service providers in order to confirm your identity and/or update/supplement your contact information. The sharing of personal data with such third parties is carried out on the basis that it is necessary to fulfil our contractual obligations, our legitimate interest to carry out the transaction, our legal obligation to verify your identity if you use our Direct Debit Payment service, and, sometimes, your Merchant’s legal obligation to verify your identity.

If you use our Direct Debit Payment service, we may also need to share your personal data with providers of sanctions or PEP lists in order to screen your personal data against such list. The sharing of personal data is then carried out on the basis that it is necessary in order to comply with our legal obligations.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity or CRM providers. This is done for the purpose of providing the Service and/or to improve the Service, for example through data analysis and testing. Furthermore, we may also share your personal data with other third-party providers, such as for IT-security purposes.

When your personal data is shared with such third party, the third party will typically act as data processor in relation to your personal data, meaning that it will process your personal data on our behalf and in accordance with our instructions.

5.3. When you are a customer representative

If you are a customer representative, we may need to share your personal data with providers of sanctions or PEP lists in order to screen your personal data against such list. The sharing of personal data is then carried out on the basis that it is necessary in order to comply with our legal obligations.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity. This is done for the purpose of providing the Service and/or to improve the Service, for example through data analysis and testing.

Furthermore, we may also share your data with third-party providers such as external advertising agencies. We share this information on the basis that we have a legitimate interest of marketing, through professional advertising agencies, to you regarding products and services that you have shown an interest in.

5.4. When you visit our websites or contact our support and/or complaints service

Your personal data may be shared with third-party providers such as external advertising agencies. We share this information on the basis that we have a legitimate interest of marketing, through professional advertising agencies, to you regarding products and services that you have shown an interest in. We may also share your personal data with other third-party providers of analytical tools based on our legitimate interest of providing you with a pleasant user experience when interacting with our websites.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity.

8.1. When you use our Service

When providing our Direct Debit Payment service to you, we may use automated decision making and/or profiling for the purpose of assessing risks related to payments. When you use this service, the value of the Direct Debit Payments that you can request during a certain period of time is limited to a set amount. In case this limit is reached, we will instead automatically process your payment as a standard Pay-in. In addition, we may use automated decision making, including profiling, for the purpose of fulfilling legal requirements in relation to our anti-money laundering obligations to monitor your payments processed by us. The processing of your personal data in this automated decision making is carried out on the basis that it is necessary in order for us to fulfil our contractual obligations towards you to carry out payments or to comply with legal requirements, as the case may be.

8.2. When you are a customer representative

We may use profiling by evaluating potential customer leads, for example by setting scores on you based on how much interest you have shown in Trustly, such as number of website visits, if you have signed up for information material on our websites, etc. The processing of your personal data in this profiling is based on our commercial legitimate interest of reaching out to potential or current customers of ours that have shown interest in Trustly and our Service.

8.3. When you visit our websites or contact our support and/or complaints service

We do not conduct any Profiling or Automated decision making when you visit or interact with our websites.