1(4)
ZEVOY PRIVACY POLICY
03/2022
At Zevoy we value your privacy. The information we collect will always be processed carefully and
responsibly. This Privacy Policy informs you of our policies regarding the collection, use and disclosure
of Personal information when you use our Services.
1.
Who are we?
We are Zevoy Aktiebolag, company registration number 3147751–4, and we are the data controller
and data processor of your personal data.
We have appointed a data protection officer whose role it is to ensure that we comply with personal
data protection rules. Our data protection officer can be contacted at support@zevoy.com.
2.
Personal data
Personal data means any information directly or indirectly linked to a natural person. This may include
name and identification number, but also other data specific to a person’s physical, physiological,
genetic, mental, economic, cultural or social identity. An IP address can also be considered personal
data, if it can be connected to a natural person.
3.
Processing
Processing means any operation or set of operations which is performed on personal data or on sets
of personal data, regardless of whether this happens automatically or not, such as collection,
recording, storage, alteration and destruction.
4.
Information we collect
We collect information you provide directly or indirectly to us. This could, for example, be information
you provide to us when you fill in any forms, when you enter into an agreement with us, information
we obtain or that emerges when you contact us or information that is generated as part of the use of
our services and products.
We process personal data obtained from selected third parties such as fraud detection agencies, other
financial institutions and other information providers, and from publicly available sources including
population registers, company registration offices and enforcement authorities. In connection with
payment processing, we collect information from third parties such as banks and payment service
providers. We also collect information from sanction lists, registers held by credit-rating agencies and
other commercial information providers.
We collect different types of personal data. The data we collect can be grouped into the following
categories:
Identification information:
This includes information such as national identification number and
name. We are legally required to collect such information. Your username and login
information will also be collected.
Contact information:
This includes information such as phone numbers, addresses and e-mail
addresses.
Financial information:
This includes information such as credit history, information about the
rules that apply to your Zevoy card, information about the payments and transactions you enter
into using the card and information about the type of agreement.
Regulatory information:
This includes information such as customer due diligence, Anti-Money
Laundering requirements, Politically Exposed Persons and Sanctions Checks.
2(4)
5.
Why we collect and process your personal data and the legal basis for doing so
We collect and process your personal data only when we have a legal basis for doing so. There are
different reasons for collecting your personal data.
We may collect your personal data when you have given your consent for it. The consent will contain
information on that specific processing activity. You can always withdraw the consent.
Sometimes we collect your personal data when we have a legitimate reason to use it, and this is
reasonable when balanced against your right to privacy. Personal data is processed in the context of
marketing, product- and customer analysis. Processing personal data enables us to improve our
products and to optimize our customer offerings.
We also collect your personal data in order to document, administer and fulfil agreements we have
with you. We need to collect your personal data for this purpose so we can enter into agreements with
you. We may, for example, process your personal data for granting a card, for customer service during
the agreement period or for legal claims and collection procedures.
In some cases, we need to process your personal data in order for us to meet our legal obligations
and decisions from authorities. This could be, for example:
To meet Know Your Customer requirements
To prevent, detect and investigate money laundering, terrorist financing and fraud
To check personal data against sanctions lists
To report to the Tax Agency, Police, Financial Supervisory Authority or other Finnish or foreign
authorities
To meet comply with legislation related to risk management and payment services.
To meet the requirements of accountancy legislation
6.
How long your personal data is stored
We will store your personal data for as long as it is needed for the purposes for which your data was
collected and processed or required by laws and regulations. We will normally store data for a further
ten years after the ending of an agreement. If we store your data for other purposes than those of the
performance of a contract, we will normally store the data for a maximum of three months. In some
cases, we may need to store the data for a longer time, for example when required by law.
7.
How we protect your personal data
We use technical, organizational and administrative measures in order to keep your personal data safe
and secure. We do our best to protect any information we hold from accidental or unlawful destruction,
loss or alteration, unauthorized disclosure or unauthorized access. We always process personal data in
accordance with applicable laws and regulations. We always aim to not process any more data than
necessary. If someone else processes personal data for us, they must always commit to maintaining
the appropriate level of security and take appropriate protective measures.
8.
How we share your information
Where necessary to fulfil our agreements with you, it is possible that your information will be disclosed
to other companies we are in partnership with. Your information might also be processed by other
companies we are in partnership with on the basis of legitimate interest. This will always take place
pursuant to applicable confidentiality rules. All the recipients of your personal data are required to
take appropriate security measures to protect your personal data. In some cases, we may be legally
obligated to disclose personal data to authorities.
3(4)
In some cases, we may transfer personal data to countries outside of the European Economic Area and
to international organizations. We only make such transfers if any of the following conditions apply;
the EU commission has decided that there is an adequate level of protection in the country in
question;
other appropriate safeguards have been taken, for example the use of standard contractual
clauses or binding company rules;
special authorization from a supervisory authority has been obtained; or
such transfers are permitted in special cases by applicable data protection legislation.
9.
Your rights
In accordance with the General Data Protection Regulation, you as a data subject have rights in respect
of the personal data we hold on you. Please contact us if you want to exercise any of your rights.
You have the right to request access to your personal data.
You have the right to be told about how
we use your personal data. Your right to access may, however, be restricted by legislation. We cannot
give you any personal data about other people.
You have the right to request that we correct personal data about you that is incorrect.
You can also
request that we supplement data concerning you that is incomplete. Before updating the information,
we may need to check the accuracy of the new personal data that you have provided.
You have the right to have your personal data deleted.
This is known as “the right to be forgotten”.
Please be advised that we may not always be able to agree to your request. We are in many cases
obliged to retain personal data on you during your customer relationship, and even after that, e.g., to
comply with a statutory obligation or where processing is carried out to manage legal claims. We will
let you know if we cannot delete your personal data.
In some situations, you are entitled to request that we restrict the processing of your data for a certain
period of time.
This could be, for example, if you have objected to us using your personal data, but
we need to check whether we have an overriding reason to use it. This may also be if you want us to
investigate whether the personal data is accurate or not.
You may object that we process a piece of data about you if we do it on the basis of a legitimate
interest.
We will, however, not accept your request if there is an overriding reason why we need to use
your personal data.
You have the right to have your data transferred to you or another company in a machine-readable
format.
This is known as data portability. This right applies to personal data processed on the basis of
an agreement or declaration of consent. If we are allowed to do so under regulatory requirements, we
will transfer your data.
Your ability to exercise these rights will depend on a number of factors. We may not always be able to
agree to your request. For example, in some cases legal obligations may force us to decline your
request.
If you are unhappy with how we have handled your personal data, you can contact your local data
protection authority.
The servers on which Zevoy processes and stores personal data are located in the territory of the
European Union.
Zevoy does not sell or lease your personal data to third parties.
4(4)
10.
Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal
data to evaluate certain personal aspects relating to a natural person.
We may use profiling to conduct customer analysis for marketing purposes, to improve your
experience when you use our digital services, for automated decisions and for monitoring transactions
in order to detect frauds. When we process personal data for profiling, we do it on the basis of our
legitimate interest in order to fulfil an agreement or with your consent.
11.
Automated decision-making
In some cases, we may use automated decision-making. Automated decision-making means that we
use technology that can evaluate your personal circumstances and other factors to predict risks and
outcomes. This may be done if it is authorized by legislation, if you have explicitly consented to it or if
it is necessary for the performance of a contract. You can always request that an automated decision
is reviewed by a person. Our automated decisions may in some cases be based on profiling.
12.
Our App
We can send information to your device if you have downloaded our app. The information may be
sent in form of push notifications. You can control if the information should be sent or not in the settings
of your device.
13.
Marketing
If you sign up to our services, and where allowed by law, we may contact you with information about
our products, services offers and promotions. In such cases we may use your personal data to tailor
our offers to you. You may at any time request not to receive direct marketing from us by contacting
us.
14.
Cookies
Cookies are small block of data created by a web server while a user is browsing a website and placed
on the user’s computer or other device by the user’s web browser. A cookie is placed on your computer
to collect standard internet log information and visitor use of the website and to compile statistical
reports on website activities.
We use cookies when you visit our website. Using cookies enables us to distinguish you from other
users of our website and to adapt the content of our website to fit your needs. This helps us to provide
you a with good experience when you browse our website and allows us to improve our website. It
also allows us to provide a secure online environment, to manage our marketing and track our website
performance.
You can configure your web browser to accept or refuse cookies. Please note that rejecting cookies
may restrict your access to some functionality and areas of our website or services.
These provisions may be changed from time to time without notice in order for us to be compliant
with the legislation and/or generally accepted practices relating to cookies.
15.
Changes to our Privacy Policy
We may have to change this Privacy Policy from time to time to improve and develop our services.
Your rights under this Privacy Policy or under applicable laws in the jurisdictions in which we operate
will not be diminished. If we change the way we use your personal data, we will update this Privacy
Policy, and if appropriate, provide a more prominent notice.