Zimpler AB, org.no 556887-9984, with registered address at Wallingatan 2, 111 60 Stockholm (“Zimpler”, “we”, “us” or “our”) is an authorised payment institution that offers payment services under the supervision of the Swedish Financial Supervisory Authority.
Zimpler cares about your privacy and we want you to feel safe in our processing of your personal data, which we need to do in different ways when we perform our services to you. In this policy you will learn about the personal data we collect, how we use it, your rights and how you can invoke them and the measures we take to keep your personal data safe. We continuously work to ensure that your data is processed and protected in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other applicable legislation.
If you apply for a job at Zimpler, visit this page for information on our processing of personal data.
- Business Representative – means a natural person who works for, e.g., a service provider that we have hired or a Merchant that has chosen or is considering Zimpler as its payment service provider.
- End User – means a natural person who uses our payment service, or any related service provided by us, for payments to or from Merchants.
- Merchant – means goods or service providers that use us as their payment service provider for the purpose of making payment transactions to or from their customers (End Users).
- Pay-In – means payment initiation or direct debit whereby a payment transaction is made from an End User’s bank account to a Merchant’s bank account, enabling End Users to pay directly for goods and services from their bank account.
- Pay-Out – means payment transactions from a Merchant’s bank account to an End User’s bank account, enabling, e.g., quick and safe refunds for returned goods.
- Website visitor – means individuals who visit our website or contact our customer support or sales team.
Zimpler is the data controller for the personal data we process to perform our business activities, which includes your use of our payment service. Please note that your payment account provider (normally the bank where you hold the account used for payment transactions initiated through Zimpler) and the Merchant you are transacting with are separate and independent controllers for the processing of personal data in connection with their business activities and the products and/or services they provide to you. For information on their processing of your personal data, please contact them directly.
In accordance with the GDPR you have several rights regarding our processing of your personal data, which you can read about below. If you wish to exercise any of your rights, please contact us by sending an e-mail to our support team at firstname.lastname@example.org.
You can read more about your rights at the Swedish Authority for Privacy Protection’s website.
3.1. Right to information and access
You have the right to know if we process personal data about you. If we do, you also have the right to receive information about the personal data we process and why we do it. You also have the right to receive a compilation of all personal data we have about you.
If you are interested in specific information, please indicate so in your request. For example, you can specify if you are interested in a certain type of information (e.g., what contact and identification information we have about you) or if you want information from a certain time period.
3.2. Right to have erroneous data corrected
If the data we have on you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete information with additional information that may be needed for the information to be correct.
Once we have corrected your data, or it has been supplemented, we will inform those we have shared your data with about the update, if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your data with.
If you request to have data corrected, you also have the right to request that we limit our processing during the time we investigate the matter.
3.3. Right to have data deleted
In some cases, you have the right to have your data deleted. You have the right to have your data deleted if:
- The data is no longer needed for the purposes for which we collected it,
- You withdraw your consent, provided that the processing is based on your consent,
- You oppose the use that is based on our legitimate interest and we cannot show compelling grounds that outweigh your interests,
- The personal data has been used illegally, or
- Deletion is required to fulfil a legal obligation.
If we delete data following your request, we will also inform those we have shared your data with, if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your data with.
3.4. Right to restriction
In some cases, you have the right to request restriction of our use of your personal data. Restriction means that the data may only be used for certain limited purposes. The right to restriction applies:
- When you believe the data is incorrect and you have requested correction. If so, you can also request that we limit our use while we investigate if the data is incorrect or not,
- If the use is illegal but you do not want the data to be deleted,
- When we no longer need the data for the purposes for which we collected it, but you need it to be able to establish, assert or defend legal claims, or
- If you object to the use. If so, you can request that we limit our use while we investigate if our interest in processing your data outweighs your interests.
Even if you have requested that we restrict our use of your personal data, we have the right to use it for storage, if we have obtained your consent to use it, to assert or defend legal claims or to protect someone’s rights. We may also use the information for reasons relating to an important public interest.
We will let you know when the restriction expires. If we limit our use of your data, we will also inform those we have shared your data with, if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your data with.
3.5. Right to access and request a transfer of your personal data to another recipient (“Data portability”)
You may request to have your data transferred to another actor in a commonly used machine-readable format. This is also known as data portability. You can request data portability if we have collected the data from you and our processing is based on your consent, or if it is processed to enter or fulfil an agreement with you.
3.6. Right to object
You have the right to object to processing that is based on our legitimate interest. If you object to the use, we will, based on your particular situation, evaluate if our interests in using the data override your interests, rights and freedoms. If we are unable to provide compelling legitimate grounds that outweigh yours, we will stop using the data you object to – provided we do not have to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.
You also have the right to object to processing of your personal data for direct marketing purposes, whereby your personal data will no longer be processed for such purpose.
3.7. Right to object to automated decision-making/profiling
You have the right not to be subject to a decision that is based only on some form of automated decision-making, including profiling, if the decision can have legal consequences for you or in a similar way affect you to a considerable degree.
Automated decision-making is when automated means without human intervention are used for making a decision in relation to you as an individual. In our business this could mean, e.g., automated verification of your identity. Profiling is when personal data is automatically processed for the purpose of evaluating personal aspects relating to you as an individual, e.g., your economic situation or personal preferences. Automated decisions can be made with or without profiling and, conversely, profiling can be used without this leading to an automated decision.
3.8. Right to withdraw consent
You have the right to withdraw your consent for a specific processing at any time, whereby we will no longer perform the processing, provided that the applicable processing is based on your consent. Your withdrawal will not affect processing that has already been carried out.
If you have any complaints regarding how we process your personal data even after you have notified us of this, you are always entitled to submit your complaint to the relevant data protection authority in the country where you reside, work or where you believe an infringement of data protection laws has taken place.
In Sweden, the relevant data protection authority is the Swedish Authority for Privacy Protection and you can submit your complaint here.
Zimpler’s payment services consist of Pay-In and Pay-Out. In addition, Zimpler offers a compliance solution for Merchants where we assist in performing regulatory controls in accordance with applicable anti-money laundering legislation.
When using our payment service, we collect personal data directly from you, as well as from your online banking interface (i.e., online bank) or via an API provided to us by your bank. In addition, we also collect personal data from the applicable Merchant and, depending on for which purpose the service is used, from external third-party sources (i.e., when we need to verify your identity and/or update/supplement your contact information via official identity verification service providers or similar providers). Our system will in addition generate personal data such as a user id number when you use our service.
In the table below we describe how we process your personal data when you as an End User use our payment service.
Zimpler also processes personal data regarding Business Representatives of existing and potential Merchants in accordance with what is set out in the table below.
Zimpler may process personal data when you visit our website as well as when you contact us through our customer support or sales team.
How long we store your personal data is stated in the tables above and is dependent on the following factors:
- The purpose for which we collected the personal data.
- The type of relationship we have with you.
- Any legal obligations to store the personal data for a certain amount of time.
In general, personal data used for the performance of the contractual relationship between you and Zimpler is stored by us for as long as the agreement is valid and thereafter for a maximum of ten years due to rules on limitation. Personal data that we must save due to applicable legislation, such as anti-money laundering and bookkeeping rules and regulations, is normally stored for five and seven years, respectively.
Please note that not all data will be stored for the maximum time as provided above. Different time periods apply depending on the purpose the data was collected for. For instance, some information such as your contact information will be processed for several purposes and may for some purposes be processed only for a very short period but for other purposes for longer periods of time. The personal data that we do not need to keep for the purpose it was collected will be deleted.
Zimpler does not sell your personal data to third parties and we do not share your personal data with just anyone. However, in some cases we need to share your personal data with selected and trusted third parties to perform our business. If so, we make sure that the transfer of personal data is safe to protect your privacy.
Here you can read more about the categories of recipients with whom we share personal data in regard to our End Users, Business Representatives, Website visitors and individuals contacting our customer support or sales team.
8.1. End Users
Suppliers and sub-suppliers
To provide our payment service to you we need to collaborate with third parties in terms of functions which we cannot provide ourselves, such as software and data storage suppliers, business consultants and official identity verification service providers. The sharing of personal data with such third parties is carried out on the basis that it is necessary to fulfil our contractual obligations with you, our legitimate interest to carry out the transaction and our legal obligation to verify your identity. When you use our payment service we may also need to share your personal data with providers of sanctions or PEP lists in order to screen your personal data against such lists. The sharing of personal data is then carried out on the basis that it is necessary for us to comply with our legal obligations. Additionally, we need to share personal data with software and data storage suppliers, which is done for the purpose of providing and improving our services in accordance with our contractual obligations with you.
When your personal data is shared with such third party, the third party will typically act as data processor in relation to your personal data, meaning that it will process your personal data on our behalf and only in accordance with our instructions. We have entered into data processing agreements with all our data processors guaranteeing a high level of safety for the personal data and, where applicable, the European Commission’s standard contractual clauses (please see more information in section 9 below regarding transfers to third countries).
Information regarding your identity as well as information on transactions may be shared with the applicable Merchant in order for the Merchant to be able to verify your identity, account and transactions. We share this information with the Merchant when the Merchant is legally obliged to verify your identity and/or transaction as a measure to prevent money laundering, fraud or other criminal act or to meet other potential legal and/or regulatory requirements imposed on the Merchant. The sharing of your personal data with the Merchant is also carried out to fulfil our contractual obligations with the Merchants.
To carry out a transaction when using our payment service, we need to transfer some of your personal data to your bank as well as other banks that are part of the payment chain. This processing is carried out on the basis that it is necessary to fulfil our contractual obligations with you and the applicable banks. We may also need to share your personal data and information on payments with your bank and/or other banks that are part of the payment chain to investigate payment transactions, for the purposes of preventing and disclosing breaches against anti-money laundering legislation, fraudulent use of our payment service and other criminal acts. When sharing your personal data for this purpose with your bank and/or other banks, this is carried out based on our legitimate interest to prevent fraud and other criminal acts.
Zimpler may need to share personal data with authorities, such as the Swedish Financial Supervisory Authority, the police as well as tax and other relevant authorities. This is done for the purpose of preventing and disclosing breaches against anti-money laundering and terrorism financing legislation, by suspicion of fraudulent use of the service or other criminal acts. When sharing your personal data for these purposes with authorities, this is carried out to fulfil our legal obligations.
8.2. Business Representatives
If you are a Business Representative, we may share your personal data with providers of sanctions or PEP lists to screen your personal data against such lists. The sharing of personal data is carried out on the basis that it is necessary for us to comply with our legal obligations. We may also need to share your personal data with cloud-based service providers, which is done for the purpose of providing and improving our services to you as well as to provide you with marketing regarding our services. The sharing of personal data is carried out based on our legitimate interest in providing you with the services and marketing thereof.
8.3. Website visitors and individuals contacting our support or sales team
We may share your personal data with other third-party providers of analytical tools based on our legitimate interest of providing you with a pleasant user experience when interacting with our websites. We may also need to share your personal data with cloud-based service providers, which is done for the purpose of providing and improving our services to you as well as to provide you with marketing regarding our services.
Zimpler takes all reasonable measures to only process personal data within the EU/EEA. However, for some parts of our business, as described above, data may be transferred to third parties located outside of EU/EEA. This is namely the US, which is the location of hosting for some of our service providers. Regardless of if the data is transferred and processed within or outside of the EU/EEA, we will take all reasonable measures to ensure that your data is processed with a high level of security with an adequate level of protection maintained, and that suitable safeguards are adopted in line with the GDPR.
Your rights, as described above, will never be affected by where the personal data is processed.
The safeguard we use in our business is the implementation of the European Commission’s standard contractual clauses (the “SCC”), which can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
By entering into the SCC, Zimpler and the recipient of the personal data guarantee that the protection of your personal data provided by the GDPR also applies outside of the EU/EEA. In this regard we also assess whether there is legislation in the recipient country that affects the protection of your personal data. Where required, we implement necessary technical, organizational and contractual measures to ensure that the data is protected with a high level of security that is appropriate to the risks associated with the processing and transfer to the recipient country. What is necessary is assessed on a case-by-case basis and if you wish to know more, please feel free to contact us.
Zimpler sometimes uses profiling and automated decision-making when providing our services to you as an End User. For instance, we use automated decision-making for the purpose of risk management of you and your transactions, to verify your identity, assess your financial information and to ensure that you reside in a country where we offer our service. This is done for the fulfilment of our legal obligations to conduct know your customer checks in relation to our anti-money laundering obligations.
If you are a Business Representative, we may use profiling and automated decision-making for the purpose of screening your personal information against sanctions or PEP lists on the basis of fulfilling our legal obligations to conduct know your customer checks.
Postal address: Wallingatan 2, 111 60 Stockholm
E-mail address: email@example.com
Zimpler has appointed a Data Protection Officer (DPO) who is responsible for monitoring our compliance with applicable data protection legislation. If you have any questions for us, or feel you need any part of this policy explained, please contact us by sending an e-mail to our support team at firstname.lastname@example.org, or to our DPO Karin Schurmann at email@example.com.