Privacy Notice for Brite’s services
Last updated: May 2022
1. About us
Brite AB, corp. ID no. 559116-1632, (‘Brite’, ‘we’, ‘us’), is a payment service provider that provides payment initiation and account information services. Brite is licensed by and subject to the supervision of the Swedish Finansinspektionen (Swedish Financial Supervisory Authority).
Brite is the controller for our processing of your personal data when Brite is providing you with our payment initiation and account information service.
2. Our Privacy Notice
You are welcome to contact us at support@britepayments.com if you have any questions about this Privacy Notice, our use of your personal data or if you wish to exercise your rights.
3. What personal data do we collect?
- Personal and contact information: name, personal identity (ID) number, date of birth, postal address, IP address, gender and customer-ID
- Financial information: bank, bank account number, source of funds and amounts related thereto.
- Work related data: such as employer and title.
- Geographical information: County.
- Transaction and correspondence history.
- Device data: such as IP-number.
4. Why do we process your personal data?
We process your personal data so that we can, in the best possible way, provide you with the services we offer for the following overall purposes. More information is provided under each purpose that you can read to find about, among other things, what personal data we use to achieve the purpose, the way in which we use the personal data and how long we will process the personal data for the purpose in question.
Your personal data is used for the following overall purposes, which are further explained below:
- For the provision of our services to you.
- For the administration and provision of support and customer services to you.
- To enable us to perform Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) checks.
- Administration in conjunction with corporate acquisitions, restructuring, etc.
- To defend and attend to legal claims.
- To market and sell our services to you.
We do not use your personal data for any other incompatible purpose and we will not sell your personal data to any other party.
Providing us with your personal data is voluntary, but necessary to enable you to use our service. It will not be possible to execute payments if you do not provide personal data.
Administration and provision of our services to you
What we do
We process the following personal data about you to enable us to execute payments initiated by you, and also to be able to provide and administer our services in accordance with our conditions of use. This includes, for example, verifying that you are over the age of 18 and identifying you before a transaction is executed. We obtain the following information to enable us to determine the identity of our users, contact them if required, and also the financial information required to be able to provide the services.
Personal data
- Personal and contact information: name, e-mail, phone number and personal identity (ID) number and customer-ID.
- Financial information: Account information.
Legal basis
We are entitled to use your data to perform our contract with you.
Storage period
Two years from when Brite’s service was last used.
Administration and provision of support and customer services to you
What we do
We process your personal data in order to provide administrative support if you for example contact us with any questions regarding our services through any channel. Such contact may occur through e.g. e-mail to one of our specified e-mail addresses (dataprotection@britepayments.com and support@britepayments.com), through our chatbox or through the contact forms on our website.
You have the right to object to processing of your personal data based upon a legitimate interest as legal basis. Please see section 10 below for more information about your rights.
Personal data
- Personal and contact information: name, e-mail, phone number and customer-ID.
- Work related data, such as employer and title.
- Geographical information: County.
- Transaction and correspondence history.
- Device data, such as IP-number.
- Any other information provided to us by you.
Legal basis
After a balancing of interests, we have assessed that Brite’s interest of processing your personal data in order to administer the provision of our support and customer services overrides your interest of protection of your privacy. Hence, the legal basis is legitimate interest.
Storage period
Two years from the date when Brite collected your data or the date when you last contacted us, whichever is later.
To market and sell our services to you
What we do
We process your personal data to market Brite and our services. We may use your data to e.g. send our newsletter or directly contact you after the completion of one of our forms on our website (britepayments.com). The purpose of our marketing measures is to send you direct advertisements as well as to contact you with information about our services.
You have the right to object to processing of your personal data based upon a legitimate interest as legal basis. When our processing of your personal data is based on your consent, you have right to withdraw your consent at any time. Moreover, you can easily opt-out from any direct marketing performed by Brite, e.g. if we send our newsletter to you. Information on how to opt-out will be provided in each communication to you and is further explained in section 10 below, together with more information regarding your rights.
Personal data
- Personal and contact information: name, e-mail and phone number.
- Work related data, such as employer and title.
- Financial information: Account information.
- Device data, such as IP-number.
- Any other information provided to us by you.
Legal basis
After a balancing of interests, we have assessed that Brite’s interest of offering its product and services that meet the needs and desires of its customers overrides your interest of protection of your privacy. Hence, the legal basis is legitimate interest.
In relation to direct marketing, we base our processing on your consent.
Storage period
Two years from the date when Brite collected your data or the date when you last contacted us, whichever is later. You may at any time object to our processing of your personal data for the purpose of direct marketing. If you object, you will no longer receive direct marketing. For more information about your rights, see section 10 below.
To enable us to perform Customer Due Diligence (CDD) and Enhanced Customer Due Diligence (EDD) checks
What we do
We process the following personal data about you to enable us to perform CDD and EDD checks as applicable, including anti-money-laundering checks and checks against sanctions and PEP lists. CDD or EDD checks of you are only performed in certain cases when our services are used.
Personal data
- Personal and contact information: Name, personal identity (ID) number, date of birth, postal address, gender and customer-ID.
- Financial information: Account information, source of funds and amounts related thereto, as provided by you.
Legal basis
We have a legal obligation in accordance with the Measures against Money Laundering and Terrorism Financing Act (2017:630) to perform these checks.
Storage period
Your personal data will be processed for this purpose for up to ten years, in accordance with legal requirements.
Administration in conjunction with acquisitions, restructuring, etc.
What we do
If Brite were to be restructured, for example split into several different operations, or if an external party were to acquire Brite or parts of our operation, Brite will transfer your personal data together with the personal data of other users to the acquiring company. This company will, in such cases, continue to use your personal data for the same purposes as specified by us in this Privacy Notice unless you receive other information in conjunction with the transfer.
Personal data
All of the personal data we process about you in accordance with this Privacy Notice, with the exception of sensitive personal data that will not be transferred, might be processed for this purpose depending on the circumstances.
Legal basis
We are entitled to use your data on the basis of a balance of interests as we consider that our interest in facilitating an acquisition or restructuring process outweighs your interest in protecting your personal data. However, a precondition for this is that the acquiring company conducts an operation similar to Brite.
Storage period
If Brite ceases to exist (e.g. owing to a merger, liquidation or bankruptcy), we will erase your personal data unless we need to save it in order to fulfil statutory requirements.
If Brite is bought by an acquiring company or is split up in conjunction with restructuring, we will continue to save and use your personal data in accordance with the provisions of this Privacy Notice, unless you receive other information in conjunction with the transfer.
Defend and deal with legal claims
What we do
If a dispute arises, we are entitled to use your data for the purpose of establishing, defending or exercising the legal claim.
Personal data
- All of the personal data we process about you in accordance with this Privacy Notice might be processed for this purpose depending on the circumstances.
Legal basis
We are entitled to use your data on the basis of a balance of interests.
Storage period
The data is saved for the entire contractual relationship and for up to 12 months following termination of the contract. The data may be saved for longer if it is required to establish, defend or exercise a legal claim.
5. How do we collect your personal data?
We mainly collect your personal data directly from you when you use our service, although we may also use a third party to collect your personal data.
The personal data we collect from a third party is forename, surname, address, date of birth, gender, information about source of funds and amounts related thereto and transaction history. Data is collected from a third party the first time you use Brite’s payment client or as part of the transaction monitoring as applicable. We will also screen you against PEP/RCA and sanctions lists. We may collect personal data from the merchant from which you buy goods or services. Other third parties we use depend on the country in which you are registered in the population register. We use the following:
Roaring Apps AB – corp. ID no.: 559067-2613, Propellervägen 4, 183 62, Täby, Sweden
Suomen Asiakastieto Oy – corporate registration number 0111027-9, Hermannin rantatie 6, Box 16, 00581 Helsinki, Finland
Finnish Trust Network (FTN) through Telia Finland Oyj – corporate registration number 1475607-9, Teollisuuskatu 15, 00510 Helsinki, Finland
Softtronic AB (publ) – corp. ID no. 556249-0192, SE-120 32, Stockholm, Sweden (for sanctions list storage)
6. For how long do we store your personal data?
The period for which we store your personal data varies depending on the purpose of the processing. This period may either be determined by other rules or depending on the contract we have concluded with you. However, we always strive to minimise the period for which we store your personal data and we never store your personal data for longer than necessary.
7. To whom do we disclose your personal data?
In order to be able to collect personal data from a third party as referred to above, we will need to share some information with them. As a rule, it is the name and/or personal identity (ID) number that are shared with them. We also share personal data with companies that provide cloud services for IT operations and the like. A third party may be a processor, which is a company that processes personal data for us in accordance with our instructions.
We may also disclose your data to a third party to enable them to perform CDD checks, including checks to prevent money laundering and checks against sanctions lists.
If and when we share your personal data with a processor, your personal data will only be processed in accordance with the purposes for which we collected your personal data in the first place. This means that a processor cannot process your personal data for additional or their own purposes. We have a processor agreement in place with all of our processors to ensure that your personal data is protected in the same way as if we were processing your personal data ourselves.
Our processors
Roaring Apps AB – corp. ID no.: 559067-2613, Propellervägen 4, 183 62, Täby, Sweden
Softtronic AB (publ) – corp. ID no. 556249-0192, SE- 120 32, Stockholm, Sweden
Google Cloud EMEA Limited – corporate registration number 368047, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
Klarna Bank AB (publ) – corp. ID no. 556737-0431, Sveavägen 46, 111 34 Stockholm, Sweden
Zendesk – 1019 Market Street, San Francisco, CA 94103
FinTecSystems GmbH – Gottfried-Keller-Str. 33, 81245 Munich
Paysolut UAB – corporate registration number 305217021, GynÄ—jų g. 4-333, LT-01109 Vilnius, Lithuania
We may also share your personal data with other third parties, for example governmental authorities, the Swedish Authority for Privacy Protection, Finansinspektionen, the Swedish Tax Agency and other public authorities when this is applicable according to law.
8. Where do we process your personal data?
We will always strive to process your personal data within the EU/EEA. Your personal data may be processed outside the EU/EEA in exceptional cases; for example if a processor, either themselves or through another processor, is established outside the EU/EEA. Regardless of the country in which your personal data is processed, we always take the measures necessary to ensure that your personal data is as safe as if it were being processed within the EU/EEA.
We use the EU Commission’s standard contractual clauses for transferring personal data to countries outside the EU/EEA for transfers to a country outside the EU/EEA that is not encompassed by an adequate level of protection for personal data. You will find these here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
9. How do we use cookies?
We may put cookies on your device (computer, tablet, Smartphone, etc.) to automatically enter your personal information into the standard forms required to initiate a transaction. This means that you can save your contact information, such as name, address, telephone number, email address, date of birth and personal identity (ID) number, with Brite.
We use cookies to collect the information referred to above when you use our services on the same device. We then automate the filling in of your information for standard forms when you are using Brite’s services.
We explain in more detail how we use cookies and what options you have for our cookies in our cookie notice.Â
10. Your rights
You have several rights relating to the processing of your personal data. You are entitled to receive information about what personal data we use about you and what we do with this data and also, to a certain extent, to check your data. You are thus entitled in certain cases to receive data or have it rectified, erased, blocked or moved. You are also entitled to object to certain kinds of use of your data or revoke your consent to it being used. You are always entitled to file a complaint with the Swedish Authority for Privacy Protection if you think that we have used your data in an unpermitted way.
You can find out more about your rights under each heading below.
You can contact us at any time if you wish to exercise your rights by contacting us on dataprotection@britepayments.com.
Our responsibility for your rights
We are obliged to respond to your request to exercise your rights within one month from being contacted by you. We are entitled to extend this period by a further two months if your request is complicated or if we have had a large number of enquiries.
If we consider that we cannot do what you want us to do, we are obliged to notify you, no later than within one month from receipt of your request, of why we cannot do what you want us to do and inform you that you are entitled to file a complaint with the supervisory authority.
All information, communication and all of the measures that we implement are free of charge for you. However, we are entitled to levy an administrative charge to provide you with the information or implement the measure requested, or to refuse to accommodate your request, if what you have asked is manifestly unfounded or unreasonable.
Right of access
You are entitled to ask for a register extract relating to our use of your personal data. You are also entitled to receive a copy of the personal data that we use free of charge. We are entitled to levy an administration charge for any additional copies. If you make a request in an electronic format (e.g. by email), we will give you the information in a commonly used electronic format.
Right to rectification
We will, at your request or on our own initiative, rectify, de-identify, erase or supplement data that we discover to be inaccurate, incomplete or misleading. You are also entitled to supplement it with additional data if anything of relevance is missing.
Right to erasure
You are entitled to ask us to remove your personal data if there are no longer any acceptable reasons for us to use it. The data shall therefore be erased if:
- the personal data is no longer necessary in relation to the purposes for which it was collected,
- we are using your data on the basis of your consent and you revoke this,
- you object to our use of your data which has been used following a balance of interests and we do not have important interests that override your interests or rights,
- we have used the personal data in an unpermitted way,
- we have a legal obligation to erase the personal data, or
- you are a child and we have collected the personal data in conjunction with an offer of information society services.
However, there may be a statutory requirement or other substantially compelling reason that means that we cannot immediately erase your personal data. We will then stop using your personal data for purposes other than to comply with legislation or that are not necessary for any other substantially compelling reason.
Right to restriction of processing
You are entitled to request restriction of our processing when:
- you consider that your data is inaccurate and you have requested rectification, during the period when we are investigating the accuracy of the data,
- the use is unlawful and you do not wish to have the data erased,
- we, as controllers, no longer need the personal data for our purposes of use, but you need it to be able to establish, exercise or defend a legal claim, or
- you have objected to its use, pending a check about whether our important interests outweigh your interests.
Right to object
You are entitled to object to such use of your personal data that we do on the basis of a balance of interests or a general interest. If you object to such use, we will only continue to use the data if we have important reasons to continue to use it that outweigh your interests.
Right to data portability
You have a right to data portability. This means a right to receive some of your personal data in a structured, commonly used and machine-readable format and be able to transfer this data to another controller. You only have a right to data portability when the use of your personal data is automated and we base our use on your consent or on a contract between you and us. This means that you, for example, are entitled to receive and transfer all of the personal data input by you to create your user account with us.
Your right to complain to a supervisory authority
You are entitled to lodge a complaint about our processing of your personal data to the Swedish Authority for Privacy Protection, which is the supervisory authority for Brite. You can also file a complaint with the data protection authority in your homeland within the EU.
11. Do you have a complaint relating to our processing of personal data?
Please contact dataprotection@britepayments.com if you wish to file a complaint relating to our processing of your personal data. You can also file a complaint with the Swedish Authority for Privacy Protection. The Swedish Authority for Privacy Protection is the Swedish national supervisory authority as regards the processing of personal data according to, for example, GDPR. Visit https://www.imy.se/ in order to file a complaint with the Swedish Authority for Privacy Protection.
12. Amendments to this Privacy Notice
We are entitled to amend this Privacy Notice when required. When we make amendments that are not purely linguistic or editorial, and the changes affect personal data previously collected, you will receive clear information about the amendments and what they entail for you before they start to apply.
Amendments will not apply for you if we need your consent to implement the amendments and you do not accept them.