Privacy notice

This notice applies from 6 September 2022

This privacy notice applies to the services provided by Plexian AB (publ), org.nr: 559109-0559, ("Plexian" or "we") at plexian.se, through the mobile application Edge and where applicable, other digital channels (collectively referred to as "Edge"). It also applies to personal data processing when in contact with us for other purposes than as a user of our services in Edge, for example when signing up for a newsletter or when you are in contact with us on behalf of a supplier

Plexian is the data controller for the processing of personal data that takes place in the context of your use of Edge, our provision of the services and in othercontact with us. In this privacy notice, we describe how we process your personal data and what rights you have in relation to your personal data under the European Data Protection Regulation and supplementary Swedish legislation ("GDPR").

Plexian values your personal integrity and works in a structured way through both technical and organizational security measures to ensure that your personal integrity is not violated. We process your personal data in accordance with the GDPR. We are keen that you feel safe in your contact with us.

Collection of personal data

This section describes the types of personal data we collect or create.

Upon registration

When you register as a user in Edge, we collect and store your user information, including your full name, social security number and your email address.

Linking Edge cards

When your card application is approved, your Edge card is linked to your user account in Edge. This is done by receiving an ID number from the card issuer that can be linked to your user account in Edge. However, we do not have access to your card details.

Transaction data

When you use the services in Edge, we collect transaction data from the card issuer that includes the purchases that you make with your Edge card. The information consists of, for example, purchase amount and point of sale.

Transmitted information and data created by you

We collect information from you when you register or transmit data through forms in Edge, such as settings and whether you would like to receive marketing from us as well as any communications to our support team.

Other information

We may also collect technical information in connection with your use of the service or when otherwise in contact with us, such as browser information, websites from which you have been referred, pages you visit in the Service, and your IP address.

Contact for other purposes than Edge

When contacting us for other purposes than as a user of the services in Edge, for example when signing up for a newsletter or as a contact person för a supplier, we process the personal data that is necessary for this purpose. It is usually limited to name and email address.

Why we collect this data and how long we keep it

Plexian uses the personal data for the purposes set out below.

Fulfillment of agreement

The main purpose of our collection and processing of personal data as described above is to document, administer and fulfill our contractual obligations to you within the framework of our service (Art. 6.1 b GDPR). This means that in the event that you do not provide us with this data, we cannot deliver services in accordance with our agreement with you.

After the termination of the agreement, we will continue to process the data if it is necessary to be able to assist with, counteract or defend legal claims, but never beyond until a dispute is terminated or any claim becomes obsolete. The general limitation period under the statute of limitations act is currently three years. The deadline can be extended but never longer than ten years.

Legal obligation

We also process your personal data to fulfill any legal obligations incumbent on Plexian as a data controller (Art. 6(1)(c) GDPR).

The storage of personal data for accounting purposes must be kept for seven years from the end of the financial year. Personal data obtained in connection with customer due diligence and investigations of suspicious transactions are stored to identify and manage the risk of money laundering and terrorist financing. The personal data is stored for this purpose for five years from the date of termination of the contractual relationship or the date of the relevant transaction.

Legitimate interest

We may use your personal data based on a legitimate interest. Legitimate interest is a legal basis for the processing of personal data, which means that the processing is permitted provided that we have in each case weighed Plexian's interest in processing the personal data against your right to privacy (Art. 6.1 f GDPR).

We may process your contact information to inform you about offers and campaigns from us or our partners. In that case, you will first have been given the opportunity to opt out or, if required, actively consent to this processing. You can also contact us later and let us know that you do not want this type of marketing, by calling or sending an email to our customer service. Contact information can be found at the end of the document.

We may also process your personal data to ensure network and information security. We further use them in the development of our services including for testing purposes but in these cases the data is usually pseudonymized to ensure your privacy.

We may also process your personal data if you are a contact person for one of our suppliers or similar.

Processing of personal data as described above is valid as long as there is an active agreement between Plexian and you or, as applicable your employer, and for a limited time after the agreement has ended.

Consent

We may also process your personal data based on consent (Art. 6.1 a GDPR). This is the case for example if you sign up for a newsletter or ask us to contact you for other purposes. We process your personal data as long as the consent is valid and if it is necessary in order to fulfil the purpose of the processing.

Transfer of personal data to third parties

We share your personal data with third parties only if required by applicable law, if it is necessary to fulfill our services and fulfill our contractual obligations to you as a user of our services /or it is based on a legitimate interest. We have suppliers and partners who provide services to us and who help us process your personal data in a secure manner.

When we share your personal data, we ensure that the recipient processes it in accordance with the GDPR. For example, we have so-called data processing agreements in place with our suppliers. When sharing your personal data with partners, they may process your data in accordance with their own privacy notice but only for the purpose for which the data has been shared. Any further use of the data by these recipients is excluded. As far as possible, the data will be disclosed in anonymized form.

Plexian will not share, sell, transfer, or otherwise disclose your personal data to any other third party.

Transfer of personal data to third countries

Plexian strives to process your personal data within the EU/EEA. However, in certain situations, such as when we share your personal data with a supplier or subcontractor with operations outside the EU/EEA, it may be that your personal data is transferred outside the EU/EEA. We ensure an appropriate level of protection for your personal data, even when the data is transferred outside the EU/EEA. Your rights to the data (which you can read more about in section 7) are also not affected by the data being transferred outside the EU / EEA.

If you want more information about our protective measures, you can always contact us. Contact information can be found at the end of the document.

Links to external websites

For you as a user of Edge to be able to take part of offers and information from our network of merchants, material from third parties is published in Edge. In this material there may be links to external websites or similar. Please note that Plexian is not responsible for the personal data processing that may occur on such websites or similar, but for such processing, the respective third party's privacy notice applies.

Your rights

You as a user of Edge or who is in contact with us in another capacity, have the right to receive information about what personal data is processed by us and thus have the right to receive a register extract. You are entitled to this information free of charge and without giving reasons once a year. You also have the right to turn to us to;

Contact details for making a request as above can be found at the end of the document. Your request and/or objection as described above will be examined by us on a case-by-case basis, which in some cases may result in us not being able to accommodate your request. We cannot delete data or restrict the processing of your personal data if the data needs to be saved due to a contractual relationship or due to legislation.

If you believe that the processing of your personal data to any extent violates the GDPR, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY) File a complaint under the GDPR | IMY Please find contact information to IMY below.

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm

Phone: 08-657 61 00

Email: imy@imy.se

How we use cookies and other tracking technology

To provide a customized experience, Plexian may use cookies and similar tracking technologies in our various interfaces, such as our website. You can find information about the tracking technology that Plexian uses, and information about how to accept or decline the tracking technology, in our [Cookie notice] and in the respective interfaces.

Contact us

To exercise your rights under this privacy notice, to lodge a complaint or if you have any other questions, please contact us as set out below:

Plexian AB (publ), Gustav Adolfs Torg 8B, SE-211 39 Malmö, Sweden

Phone: 040-602 54 15

Email: support@plexian.se

Privacy Policy

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

We are committed to safeguarding the privacy of your information. By “your data”, "your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.

We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.

Who are we?

Transact Payments Malta Limited (“TPML”, “we”, “our” or “us”) is the issuer of your cardand is the Data Controller for the personal data which you provide to us in relation to the cardonly. TPML is not the Data Controller in relation to any use of your personal data to send marketing or promotional material to you. TPML is an e-money institution, authorised and regulated by the Malta Financial Services Authority. Our registered office address is Vault 14, Level 2, Valletta Waterfront, Floriana, FRN 1914, Malta and our registered company number is C91879.

Enfuce is the Program Manager of your card and Plexian AB is authorised to act on its behalf in relation to certain activities. Enfuce is a Data Processor of the personal data which you provide to us in relation to the card.

How do we collect your personal data?

Information is collected from you when you apply in person, online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We may also process information from Enfuce, Plexian and other third party payment partners and service providers. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. When we process your personal data we rely on legal bases in accordance with data protection law and this privacy policy. For more information see: On what legal basis do we process your personal data?

On what legal basis do we process your personal data?

Contract

Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, or at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.

Legal/Regulatory

We may also process your personal data to comply with our legal or regulatory obligations.

Legitimate Interests

We, or a third party, may have a legitimate interest to process your personal data, for example:

What type of personal data is collected from you?

When you apply for, and use, a card, we, or our partners on our behalf, collect the following information from you: Full name, address, date of birth, email address, Social Security Number (SSN), phone number, account balances, transactional and cryptographic data, IP address and card data.

When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example, a supermarket or a retailer). We also collect information relating to the payments which are made to/from your account.

How is your personal data used?

We use your personal data to:

Who do we share your information with?

When we use third party service providers, we have a contract in place that requires them to keep your information secure and confidential.

We may receive and pass your information to the following categories of entity:

Sending personal data overseas

To deliver services to you, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), e.g.:

These transfers are subject to special rules under European and Malta data protection law.

These non-EEA countries do not have the same data protection laws as Malta and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the European Commission has made an adequacy decision, meaning that it has ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about this here.

Where we send your data to a country where the European Commission has not made an adequacy decision, our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses, please go to the European Commission’s website.

If you would like further information please contact our Data Protection Officer on the details below.

How long do we store your personal data?

We will store your information for a period of at 5 years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any applicable legislation, or changes to this, requires us to retain your data for a longer or shorter period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.

Your rights regarding your personal data?

You have certain rights regarding the personal data which we process:

How is your information protected?

We implement security policies and technical measures in order to secure your personal data and take steps to protect it from unauthorised access, use or disclosure.

While we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Complaints

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Malta is the Office of the Information and Data Protection Commissioner. Their contact details are as follows:

IDPC
Floor 2, Airways House, Triq il-Kbira, Tas-Sliema, SLM1549, Malta.
(+356) 23287100 / info@idpc.org.mt

The supervisory authority in Sweden is:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Phone number: 08-657 61 00
Email: imy@imy.se

Other websites

Our website may contain links to other websites. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

Changes to our Privacy Policy

We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was last updated on 7th June 2022.

How to contact us

If you have any questions about our Privacy Policy or the personal information which we hold about you or, please send an email to our Data Protection Officer at DPO@transactpaymentsltd.com.

version: 3.0