ZEVOY PRIVACY POLICY

03/2023

At Zevoy (“Zevoy” or “We” or “Us”) we value your privacy. The personal data we collect will always be processed carefully and responsibly. This Privacy Policy informs you of how, when, and why Zevoy collects, processes, stores, and shares personal data. Within the Zevoy Group, the data controller will be Zevoy Aktiebolag (3147751-4) and/or the Zevoy company(ies) you have your relationship with.

Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions that can be found at www.zevoy.com.

1.    Who are we?

We are Zevoy Aktiebolag, company registration number 3147751-4, and we are the data controller and data processor of your personal data.

We have appointed a data protection officer whose role it is to ensure that we comply with personal data protection rules. Our data protection officer can be contacted at dpo@zevoy.com.

2.    Personal data

Personal data means any information that directly or indirectly can be linked to a natural person. This includes name and identification number, but may also include other data specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. An IP address can also be considered personal data if it can be connected to a natural person.

3.    Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, regardless of whether this happens automatically or not, such as collection, recording, storage, alteration, and destruction.

4.    Information we collect

We collect information you provide directly or indirectly to us. This could, for example, be information you provide to us when you fill in any forms, when you enter into an agreement with us, information we obtain or that emerges when you contact us or information that is generated as part of the use of our services and products. Calls and electronic conversations with you may be recorded and logged for documentation, and for quality and improvement purposes.

We also collect additional information that is required to keep information up to date or to verify information we collect. We process personal data obtained from selected third parties such as fraud detection agencies, other financial institutions, and other information providers, and from publicly available sources including population registers, company registration offices, enforcement authorities and tax authorities. We also collect personal data from sanction lists, registers held by credit-rating agencies, and other commercial information providers. In connection with payment processing, we collect information from third parties such as banks, payment service providers, shops, and remitters.

We collect different types of personal data. The data we collect can be grouped into the following categories:

·       Identification information: This includes information such as national identification numbers and names. We are legally required to collect such information. Authentication information will also be collected.

·       Contact information: This includes information such as phone numbers, addresses, and e-mail addresses.

·       Communication information: This includes communication with us such as emails, telephone calls, and information when you contact us via our App or Website.

·       Behavioral and tracking information: This includes information from your use of our App and Website. We might store your IP address or your geographical location for the purpose of improving our Service for you.

·       Financial information: This includes information such as credit history, information about the rules that apply to your Zevoy card, information about the payments and transactions you enter into using the card, and information about the type of agreement.

·       Regulatory information: This includes information related to customer due diligence, Anti-Money Laundering requirements, Politically Exposed Persons and Sanctions Checks.

5.    Why we collect and process your personal data and the legal basis for doing so

We collect and process your personal data only when we have a legal basis for doing so. There are different reasons for collecting your personal data. We are often required by law or as a consequence of our contractual relationship with our Customers to collect certain personal data. We also collect personal data to provide you with offers, advice, and services.

Consent

We may collect your personal data when you have given your consent for it. The consent will contain information on that specific processing activity. If you provide us with your consent to process and store your personal data, you can always withdraw the consent at any time.

Legitimate interest

We collect your personal data when we have a legitimate reason to use it, and this is reasonable when balanced against your right to privacy. Personal data is processed in the context of marketing, product, process, business and system development, and customer analysis. Processing personal data enables us to improve our products and to optimize our customer offerings.

Performance of a contract

The main purpose of our processing of personal data is to collect, control and process personal data prior to, and when entering into, an agreement with you, as well as to document, administer and perform what is required to fulfil agreements. For example, we process your personal data when you apply for a card, accounts or other services, when we provide customer service during the agreement period, and when establishing, asserting, or defending legal claims and debt.

Legal obligation

In some cases, we need to process your personal data in order for us to fulfil our obligations under law, other regulations and decisions from authorities. This could be, for example:

·       Know Your Customer requirements

·       Preventing, detecting and investigating money laundering, and terrorist financing

·       Activities relating to financial crime, fraud, tax evasion, and corruption

·       Sanctions screening

·       Reporting to tax authorities, police authorities, enforcement authorities, supervisory authorities or other Finnish or foreign authorities

·       Bookkeeping authorities

·       Requirements of accountancy legislation

·       Risk management obligations such as credit performance and quality, and capital adequacy

·       Payment service requirements and obligations

·       Other obligations related to service- or product-specific legislation

6.    How long your personal data is stored

We will store your personal data for as long as it is needed for the purposes for which your data was collected and processed or required by laws and regulations. Your personal data will be anonymized or deleted once it is no longer relevant for the purposes for which it was collected. We keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. If we keep your data for purposes other than the performance of a contract, such as anti-money laundering purposes, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.

The data retention obligations will differ within the Zevoy Group subject to applicable local law.

See below for examples of the retention periods that we apply:

·       Preventing, detecting, and investigating money laundering, terrorist financing, and fraud: minimum five (5) years after termination of the business connection or the performance of the individual transaction

·       Bookkeeping regulations: up to ten (10) years

·       Payment service requirements and obligations: five (5) years

·       Details on performance of an agreement: up to ten (10) years after end of customer relationship to defend against possible claims

The above is only for explanatory purposes and the retention times may differ from country to country.

7.    How we protect your personal data

We use technical, organizational, and administrative measures in order to keep your personal data safe and secure, and to protect any information we hold from accidental or unlawful destruction, loss or alteration, unauthorized disclosure or unauthorized access. We always process personal data in accordance with applicable laws and regulations. We always aim to not process any more data than necessary. If someone else processes personal data for us, they must always commit to maintaining the appropriate level of security and take appropriate protective measures.

8.    How we share your information

We may share your personal data with other Zevoy group companies, authorities, and external recipients. We will always ensure that we respect relevant financial industry secrecy obligations. We need to disclose information about you to fulfil services and agreements and in order to fulfil legal obligations.

External recipients and Zevoy group companies

We may share personal information with members of the Zevoy group for the purposes set out in this Privacy Policy.

We will share personal data about you with service providers. We have entered into agreements with carefully vetted suppliers, which include processing of personal data on behalf of us. Examples include suppliers of IT maintenance, hosting and support as well as suppliers supporting Us with marketing and customer support. Personal data is shared, for example, when we authenticate you in different channels (Signicat AS), when we produce cards (Evry Card Services Oy) and for processing transactions (Enfuce Financial Services Oy). Personal data is also shared with ReceiptHero Oy, to generate electronic receipts. If you apply for or use a digital wallet such as Apple Pay or Google Pay, we will be transferring data including your card information to the digital wallet provider to enable use of the digital wallet. When we share your personal data with external recipients, we only share it for purposes compatible with the purposes for which we have collected the data. All the recipients of your personal data are required to take appropriate security measures to protect your personal data. We have written agreements in place with all external recipients through which they guarantee the security and the confidentiality of the personal data that they process on our behalf.

Authorities

We share personal data about you with authorities and institutions where required or requested and where we are permitted to do so by law, regulation, supervisory or similar authority or court order.

Third countries

In some cases, we may transfer personal data to organizations in countries outside of the European Economic Area (third countries). In those cases, we will comply with all applicable laws in respect of such transfer and ensure that appropriate safeguards are in place to ensure there is adequate protection. We only transfer data to third countries if any of the following conditions are met:

·       The European Commission has decided that there is an adequate level of protection in the country in question.

·       We have taken other appropriate protective measures, for example the use of Standard Contractual Clauses or Binding Corporate Rules.

·       Special authorization from a supervisory authority has been obtained.

·       Such transfers are permitted in special cases by applicable data protection legislation.

9.    Your rights

In accordance with the General Data Protection Regulation, you as a data subject have rights in respect of the personal data we hold on you. Please contact us if you want to exercise any of your rights.

You have the right to request access to your personal data. You have the right to be told about how We use your personal data. Your right to access may, however, be restricted by legislation. We cannot give you any personal data about other people.

You have the right to request that we correct personal data about you that is incorrect. You can also request that we supplement data concerning you that is incomplete. Before updating the information, we may need to check the accuracy of the new personal data that you have provided.

You have the right to have any or all of your personal data deleted. This is known as “the right to be forgotten”. Please be advised that we may not always be able to agree to your request. We are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g., to comply with a statutory obligation or because this is still necessary for its original purpose, and we still have a legal basis for processing it. We will let you know if we cannot delete your personal data.

In some situations, you are entitled to request that we restrict the processing of your data for a certain period. This could be, for example, if you have objected to Us using your personal data, but we need to check whether we have an overriding reason to use it. This may also be if you want us to investigate whether the personal data is accurate or not.

You may object to our processing of data about you if we do it based on a legitimate interest. We will, however, not accept your request if there is an overriding reason why we need to use your personal data.

You have the right to have your data transferred to you or another company in a machine-readable format. This is known as data portability. This right applies to personal data processed on the basis of an agreement or your consent. If we are allowed to do so under regulatory requirements and if it is technically possible, you have the right to have the data transferred to another party.

Your ability to exercise these rights will depend on a number of factors. We may not always be able to agree to your request. For example, in some cases legal obligations may force us to decline your request.

If you have any questions or concerns regarding our Privacy Policy, you can contact our customer service. We have appointed a Data Protection Officer that you can contact by sending a message to dpo@zevoy.com.

If you are unhappy with how we have handled your personal data, you can contact your local data protection authority in any of the countries where we provide services to you.

Zevoy does not sell or lease your personal data to third parties.

10.  Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

We may use profiling to conduct customer analysis for marketing purposes, to improve your experience when you use our digital services, for automated decisions and for fraud prevention, to find and act on fraud behaviors. Profiling may also be used for combating money laundering and terrorist financing to fulfil our legal obligations. When we process personal data for profiling, we do it on the basis of our legitimate interest.

11.  Automated decision-making

In some cases, we may use automated decision-making. Automated decision-making means that we use technology that can evaluate your personal circumstances and other factors to predict risks and outcomes. This may be done if it is authorized by legislation, if you have explicitly consented to it, or if it is necessary for the performance of a contract. You can always request that an automated decision is reviewed by a person. Our automated decisions may in some cases be based on profiling. Automated decision-making may, for example, be used when you apply for our services.

12.  Our App

We can send information to your device if you have downloaded our app. The information may be sent in the form of push notifications. You can control whether the information should be sent or not in the settings of your device.

13.  Marketing

If you sign up to our services, and where allowed by law, we may contact you with information about our products, services, offers and promotions. In such cases we may use your personal data to tailor our offers to you. You may at any time request not to receive direct marketing from us by contacting us.

14.  Cookies

Cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser. A cookie is placed on your computer to collect standard internet log information and visitor use of the website and to compile statistical reports on website activities.

We use cookies when you visit our website. Using cookies enables us to distinguish you from other users of our website and to adapt the content of our website to fit your needs. This helps us provide you with a good experience when you browse our website and it allows us to improve our website. It also allows us to provide a secure online environment, to manage our marketing and track our website performance.

You can configure your web browser to accept or refuse cookies. Please note that rejecting cookies may restrict your access to some functionalities and areas of our website or services.

These provisions may be changed from time to time without notice in order for us to be compliant with the legislation and/or generally accepted practices relating to cookies.

15.  Changes to our Privacy Policy

We may have to change this Privacy Policy from time to time to improve and develop our services. Your rights under this Privacy Policy or under applicable laws in the jurisdictions in which we operate will not be diminished. If we change this Privacy Policy, and if the changes are more significant, we will provide a more prominent notice. Please review this Privacy Policy from time to time to stay updated on any changes.