Privacy Policy

Introduction

At Kreditz, safeguarding your personal data is a cornerstone of our operations. This Privacy Policy outlines how we collect, use, and protect your information, ensuring transparency and compliance with applicable regulations, including GDPR and PSD2.

General Terms

Kreditz is fully committed to protecting individual rights and keeping personal data safe. In this Privacy Policy we describe the collection, usage, storage and sharing practices of personal data. This policy also refers to detailed Privacy Notices tailored to each data subject category (e.g., customers, employees, and partners), which specify the scope, purpose, and legal basis for each processing activity.

This privacy policy describes how Kreditz as a Data Controller and Data Processor processes personal data and other information about data subjects, according to the definition set out in the General Data Protection Regulation (GDPR) of the European Union and the E-Privacy Directive.

1.1. What is personal data and what does processing of personal data mean?
Personal data include any kind of information that can be associated with a living person. For instance, they can be names, addresses, photos, audio recordings, IP numbers, and personal identity numbers, but also any other information that can be associated with a living person. Processing of personal data includes everything that personal data are used for, both actively and passively. This can be collection, registration, storage, and erasure, for example.

1.2. Who is responsible for the personal data processing?
Kreditz AB, with registration number 559148-2400 and registered address Vendevägen 87, Danderyd, Sweden, is the personal data controller for the processing of personal data performed within the framework of Kreditz’s operations. Kreditz has appointed Richard Wachtmeister as the Kreditz Data Privacy Officer (privacy@kreditz.com or +46(0)708475334).

1.3. What does Kreditz do with personal data?
Please note that multiple purposes can be applicable to a certain form of personal data processing, such as book-keeping and membership management.

Purpose of this Policy

The purpose of this Privacy Policy is to regulate how Kreditz processes personal data. This privacy policy sets the data protection and security standards within Kreditz and is based on the European Union’s principles on data protection.

Kreditz’s provision of finance management and account information involves Kreditz being required to access and process personal data, making processing of personal data a core part of Kreditz’s business model. As a result, this makes data privacy one of our core pillars. Kreditz is committed to carrying out the operations in a fair, honest and transparent manner, abiding by Applicable Laws and Regulations.

Our employees are obliged to adhere to this privacy policy. Activities that concern processing of data and information that is not personal data are not covered by this policy.

Data Protection Team

Data privacy is part of the risk and consequence mapping prepared for and presented to the board on a quarterly basis. The board shall be informed of and consulted on data privacy matters on an ongoing basis, as needed.

Data Processing Records

Further, this policy is complemented by Kreditz’s Data Processing Records, in which all of Kreditz’s processing of personal data as a data processor is recorded.

Kreditz as Data Processor

General Principles

The principles of processing personal data as a sub processor are set forth in the relevant Data Processing Agreement, Applicable Laws and Regulations and are ensured by Kreditz applying the following measures.

Legality, Correctness and Transparency

Kreditz ensures that it has at least one legal basis for the processing of the personal data, which is fair in respect of the interests of the data subject and made transparent to it by appropriate information notices informing the data subject of the processing. Kreditz conducts Data Protection Impact Assessments (DPIAs) for all high-risk processing activities.

Limitation of Purpose

Kreditz ensures that the above-mentioned information notices include specified purposes and that personal data collected by Kreditz is not used for purposes other than those for which the personal data was collected.

Integrity and Confidentiality

Kreditz protects personal data against unauthorised or illegal use and against loss, destruction or accidental damage and has for this purpose implemented appropriate technical and organisational measures.

Accountability

Kreditz ensures that it has set up a framework for ensuring adherence to applicable provisions of Applicable Laws and Regulations and has appointed responsible persons for maintaining compliance therewith. Further, Kreditz communicates its responsibilities in its various privacy notices and provides the data subjects with appropriate information on where to turn to for assistance as well as for making a complaint.

Accuracy

Kreditz collects personal data mainly either from or at the explicit instruction of the data subject itself or for other legitimate purposes, and only a minor part from a limited number of recognized third parties, to ensure the accuracy of the personal data. Where instructed by a data subject, Kreditz will to the extent reasonably possible update the personal data of the data subject to ensure accuracy of the processed personal data.
Kreditz does not knowingly process data of individuals under the age of 18. Where such data is inadvertently collected, we promptly delete it unless verifiable parental consent is obtained.

Data Minimisation

Kreditz ensures that the design of the various means for the collection of personal data does not allow for collection of personal data that is not necessary for the purposes for which the data collected is to be processed, but that the data collected is adequate and relevant.

Categories of Personal Data

The types of personal data we collect, when available, are:

  • Name

  • Organization / Social Security Number

  • Contact details (address, e-mail address and telephone number)

  • Bank, account and Financial Data

  • Employee information

  • Internet activity data

  • Customer representative’s personal data (name, contact details)

Purpose of processing personal data

The main purpose of our processing of personal data is to collect, verify, and process personal data prior to giving an offer and entering into contracts or fulfilling legal obligations which includes documenting, administering and completing tasks for the performance of contracts or other legal or regulatory obligations.

Third Parties

Transfers to service providers

We hire external service providers who act as personal data sub processors to Kreditz and provide services related to, for example, data aggregation. When providing such services, external service providers may access and/or process the end-user’s personal information. Kreditz ensures that we take technical and organizational security measures to ensure the protection and security of all personal data. All processors engaged by Kreditz are subject to written Data Processing Agreements (DPAs) aligned with Article 28 GDPR. We assess sub processors for security, data protection, and contractual compliance, and reserve audit rights.

Other recipients

In accordance with applicable privacy laws, we may transfer personal data to regulatory authorities, other public entities, legal advisors, external consultants and partners. In the event of a merger or acquisition of a company, personal data may be transferred to third parties involved in the merger or acquisition.

Kreditz Data Controllers

The respective relationships between Kreditz and its data controllers are regulated in data aggregation agreements. Data aggregation agreements are subject to Kreditz’s contract management process. This enables Kreditz to ensure that the agreements fulfil the requirements on data aggregation agreements under Applicable Laws and Regulations as well as security requirements and evaluation of commercial terms thereof.

Data Transfer outside of the EU/EEA

As a general principle, Kreditz aims to perform its processing operations within the EU/EEA. In the event this is not preferable in a certain situation, due to various circumstances, personal data may, however, be transferred to a third country. Where a transfer of personal data outside of the EU/EEA is to be carried out, Kreditz will always ensure that appropriate and adequate security mechanisms are in place for such transfers, as prescribed by Applicable Laws and Regulations. Where personal data is transferred to third countries, Kreditz applies one or more of the following safeguards:
- Transfers to countries with EU adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Transfer Impact Assessments (TIAs) to evaluate privacy risks and legal protections.

Legal basis for treatment

We may process personal data on the following legal basis:

  • consent to processing personal data for one or more specific purposes;

  • the processing is necessary to fulfil an agreement between Kreditz and the data subject (directly or indirectly) or to take action on requests prior to the conclusion of an agreement;

  • the treatment is necessary in order to fulfil a legal or regulatory obligation;

  • the treatment is necessary to protect interests that are of fundamental importance to Kreditz or our data subjects;

  • the processing is necessary for purposes of our or third party’s legitimate interests, unless the interests or fundamental rights and freedoms of the data subject weigh heavier and require the protection of personal data;

  • other legal grounds for processing personal data in accordance with national law.

Data Retention

How long Kreditz keeps personal data

Our data retention policies are designed to minimize the retention of personal data to only what is necessary for the intended purposes. We review and update the data retention to ensure compliance with legal requirements and privacy principles.

Retention periods align with the purpose of collection and applicable legal requirements (e.g., 7 years for financial data per Bokföringslagen). Anonymisation or pseudonymisation is applied where appropriate to reduce risk.

Kreditz will retain the personal data based on the customer’s instructions. Kreditz shall adhere to set data retention policies that are designed to minimize the retention of personal data to only what is necessary for the intended purposes. We review and update the data retention to ensure compliance with legal requirements and privacy principles. We leverage privacy-enhancing technologies wherever possible to minimize the collection and processing of personal data. This includes techniques such as anonymization, differential privacy, and data minimization.

Rights of Data Subjects

Access

Where a data subject requests access to their personal data to obtain information on personal data concerning him or her processed by Kreditz, Kreditz will provide the data subject with information on the data processed.

Data subjects may exercise their rights via privacy@kreditz.com or through our dedicated privacy request portal. Kreditz will respond within one month of receipt of the request, with a possible two-month extension for complex requests, in accordance with Article 12 GDPR.

17.2. Rectification, restriction and erasure
The data subject is entitled to request correction of personal data and to provide supplementary information, and will be provided information on the actions taken by Kreditz.

If personal data of a data subject remains incorrect, or there is another qualifier for the limitation of Kreditz’s processing, as described in Applicable Laws and Regulations, Kreditz will limit the processing of the personal data at the data subject’s request.

If the data subject requests and qualifies for the right to be forgotten, Kreditz will delete the data subject’s personal data, with the exception of such data that Kreditz is obligated to keep in accordance with Applicable Laws and Regulations. For example, Kreditz is required to keep information collected and processed to fulfil requirements under bookkeeping or to evidence its compliance with Applicable Laws and Regulations.

Withdraw consent

Data Portability

Upon a request on data portability, Kreditz will provide the data subject with a copy of the data processed in a structured, commonly used and machine-readable format. The format will vary depending on the data processing operations relevant for the respective data subjects that request data portability.

Objection to balancing of interests

If a data subject objects to further processing being carried out based on a legitimate interest of Kreditz, Kreditz will no longer process the personal data unless it is able to present compelling legitimate grounds for the processing that override the interests of the data subject.

Security Measures

Data Security

We implement multi-layered organizational, technical and administrative measures that are designed to protect the personal data under our control. These include, among other things: limiting access to data; using technology measures like firewalls, encryption, malware protection and intrusion detection; maintaining policies that are aligned to a wide variety of legal requirements; and holding our associates accountable for maintaining safe data-handling practices and adhering to our internal policies. We have a team of qualified data security professionals and engage in regular system testing and updating of our controls to keep pace with changing technology and security threats.

Data Protection Impact Assessment (DPIA)

We conduct DPIAs for all new projects, products, or significant changes to existing systems. This involves a systematic assessment of the potential privacy impacts of the processing activities, ensuring that appropriate safeguards are implemented from the outset.

Training and Awareness

We provide training to all employees on data protection best practices, including the principles of Privacy by design and Privacy by default where applicable. This ensures that everyone understands their responsibilities in safeguarding personal data and integrating privacy considerations into their daily work.

In addition to formal policies and procedures, Kreditz shall encourage informal practices that promote a privacy-conscious culture. This includes fostering open communication channels for reporting privacy concerns, promoting a "privacy-first" mindset in decision-making processes, and regularly reviewing and updating our practices in response to emerging privacy risks and regulatory changes.

Incident Reporting

Security incidents and personal data breaches are handled in accordance with Kreditz’s Information Security Policy and Instruction for Incident Management. We have incident reporting procedures in place to handle data breaches, ensuring that they are reported to the controller within the local regulatory timelines. These procedures outline the steps to be followed in the event of a data breach, including the notification process and any necessary escalation protocols. While we refer to these as incident reporting procedures, they effectively serve the purpose of reporting data breaches in accordance with GDPR. If the controller has specific expectations regarding reporting timelines, we can discuss aligning our procedures to meet those expectations while ensuring compliance with regulatory obligations.

All data subjects shall be given the option to make a complaint to the Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection) about Kreditz’s personal data processing.

Data Subjects may be entitled to damages if they have suffered a loss because our processing of personal data has taken place in violation of the law. The data subject can then request damages from us or institute proceedings at a court.

Archive minimisation

We do not store personal data in a form that allows data subjects to be identified for a longer period of time than is necessary for the purposes for which the personal data is handled. When personal data is no longer required for those purposes, we delete or make them unidentifiable. To ensure that personal data is not saved longer than necessary, we have retention periods and routines for deletion.

Amendment of the Data Privacy Policy

This Data Privacy Policy may be updated by Kreditz. If there are significant amendments to this Data Privacy Policy, we may notify our data subjects by informing them in an appropriate way.

Complaints

Complaints shall be made to Kreditz’s Data Protection Officer using the email privacy@kreditz.com and Kreditz shall reply in due course in accordance with applicable laws and regulations.

Information Usage

Collected Information

We collect data to provide our services securely and effectively. This may include:

  • Personal information: Name, contact details, and other identifiers.
  • Financial data: Bank transaction data and account information, processed only with your consent.
  • Usage data: Information about your interaction with our website or tools.

Your data is processed securely and only for legitimate purposes, such as enabling smarter credit decisions.

Information Protection

Kreditz implements robust security measures to protect your data, including:

  • End-to-End Encryption for data transmission.
  • Secure Storage Solutions and restricted access.
  • Regular Audits to ensure compliance with industry standards.

Share of Information

We only share your data with trusted partners when necessary to deliver our services, and only with your consent or when legally required. Kreditz does not sell your personal information to third parties.

Your Rights

As a user, you have the right to:

  • Access Your Personal Data.
  • Correct or Update Inaccuracies.
  • Withdraw Consent or Request Data Deletion.

For any privacy-related concerns or requests, please contact us directly.

Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in regulations or services. We encourage you to review it regularly to stay informed.

For questions about this policy or how your data is handled, please contact us.