Privacy policy 2.0 - UK

Privacy Policy

Introduction and responsibility for the processing of your personal data

We, Bokio Group AB (with company registration number 556873-7877) (referred to as ”Bokio”) are responsible as data controllers for the processing of personal data when we enter into agreements with our customers for the use of our services. We also act as data controllers when we process your data when you visit our website, sign up to our courses, seminars, newsletters or other mailings, when you register an account, fill out our surveys (including statistical surveys), or when you contact us through our customer support or in any other way.

All references made in this privacy policy to “you”, or “yours” are references to an individual who has either concluded an agreement with Bokio (to the extent you act as a sole trader or a partner in a partnership), is a direct user of Bokio services, is a representative of one of our business customers, is visiting our webpage, and/or is a user of our business card service. All references made in this privacy policy to “we”, “us” or “our” are references to Bokio. You can find our contact details at the end of this privacy policy.

We respect your privacy and the protection of your personal data. This privacy policy contains information about the processing of personal data of which Bokio is the data controller and describes e.g., the purposes of the processing of your personal data, which recipients we may share your personal data with, and your rights regarding your personal data.

Parties and responsibility for the processing of your personal data

Bokio is responsible for the processing of personal data set out in this privacy policy. In connection with our services, there may also be additional data controllers responsible for other processing of personal data. The responsible party depends on whether the processing of personal data concerns users of our services, our customer’s employees, or their customers.

a) Users of our services:
Bokio acts as a data controller for the processing of personal data taking place when you are using Bokio, contacting support or you in any other way contact us or enter into an agreement with Bokio.

b) Our customer’s employees, and customer’s own customers:
The customer acts as a data controller for the processing of personal data concerning its employees or the customer’s own customers. In such case, Bokio acts as a data processor and accordingly enters into an agreement with the customer which regulates how Bokio shall process such personal data on behalf of the customer. Such processing of personal data is therefore not covered by this privacy policy.

What categories of personal data do we process, for what purpose, and on what legal basis do we process personal data?

Bokio process the categories of personal data in the manner and for the purposes set out in the following tables below.

For each purpose, Bokio must have a legal basis for the processing. A legal basis could be e.g., (i) your consent to the specific processing activity, (ii) that the processing is necessary in order for the performance of a contract to which you are a party or (iii) through an assessment of whether Bokio or a third party has a legitimate interest overriding your interest in not having your personal data processed (please contact us if you would like further information about this). The tables listed below set out the legal basis that Bokio relies on for its processing, as well as the duration of which we will process your personal data. We do not carry out any automated decision-making using your personal data.

Processing orders and purchase of services
Purpose of the processing: To enable Bokio to carry out your orders and purchases of services.
Processing: Processing relating to payments. Verification of identity and authorisation in order to allow you to use Bokio services. To the required extent, transfers to credit reference agencies and/or anti-fraud authorities, including obtaining credit history and collection of credit reports from such credit reference agency and/or anti-fraud authorities.	Categories of personal data: IP-address. Contact information (name, address, phone number and e-mail address). VAT-number. Payment information including bank account or card details. When required, credit history.
Legal basis: Legitimate interest, or fulfilment of contract The processing is necessary for the legitimate interest of Bokio to provide our services to customers, or if you are a sole trader, for the fulfilment of the contract between you and Bokio.
Retention period: For this purpose, Bokio will process your personal data from the receipt of the order and during the period where the processing is necessary to settle, assert or defend any legal claims that may be made. The personal data included as accounting information, and which is regulated under the Swedish Accounting Act (Sw: bokföringslagen (1999:1078)) will be retained up to the seventh year after the end of the calendar year when the financial year when the last payment was due or made was closed.

Providing services
Purpose of the processing: To enable Bokio to provide our services to you.
Processing: Processing relating to payments. Use of the personal data collected for the creation and administration of your user account and enabling you to use the services. Creation of a login function and verification of you as a user at login. Verification of identity and authorisation to use Bokio services. Processing of user and customer settings. General advice in corporate and tax-related issues.	Categories of personal data: Contact information (name, address, phone number and e-mail address). Pictures you have uploaded. Date and timestamp of pictures uploaded to our services. User data from your account. VAT-number. Accounting events.
Legal basis: Legitimate interest, or fulfilment of contract The processing is necessary for the legitimate interest of Bokio to provide our services to customers, or if you are a sole trader, for the fulfilment of the contract between you and Bokio.
Retention period: For this purpose, Bokio will process your personal data from the receipt of the order and during the period where the processing is necessary to settle, assert or defend any legal claims that may be made. The personal data included as accounting information, and which is regulated under the Swedish Accounting Act (Sw: bokföringslagen (1999:1078)) will be retained up to the seventh year after the end of the calendar year when the financial year when the last payment was due or made was closed.

Surveys and inquiries
Purpose of the processing: To administer and analyse the results of your participation in surveys and inquiries.
Processing: Registration of your application to take part in surveys and inquiries. Administrative measures regarding the results of the surveys and inquiries where you have participated.	Categories of personal data: Contact information (name, address, phone number and e-mail address). Your response to surveys and other feedback you have provided in our inquiries.
Legal basis: Legitimate interest. The processing is necessary for the legitimate interest of Bokio to improve our products and services through surveys and inquiries.
Retention period: For this purpose, Bokio will process your personal data for 3 years from the collection thereof. We may store your response to the surveys for a longer period but will take reasonable measures anonymise the information.

Security purposes
Purpose of the processing: To ensure the safety and security of our services, customers and users.
Processing: Verification of identity and authorisation to use Bokio services. Verification and monitoring of logins to Bokio’s system. Investigation of suspicious activity or infringements of Bokio’s terms and policies.	Categories of personal data: Login information (including hashed password). Digital keys. IP-address. Browser-agent.
Legal basis: Legitimate interest. The processing is necessary for the legitimate interest of Bokio to improve our products and services through surveys and inquiries.
Retention period: For this purpose, Bokio will process your personal data as long as your user account is active and you use Bokio’s services, and thereafter for 1 year or the time necessary to settle, assert or defend any legal claims that may be made. In accordance with the Swedish Anti-Money Laundering Act (Sw. penningtvättslagen (2017:630)), we also store data, documents and other relevant registrations for 5 years from the expiration or completion of the contractual relationship, and 10 years in exceptional cases.

Service and product development
Purpose of the processing: To analyse and improve our products and services.
Processing: Adapting the services to be more user-friendly (such as adjusting the interface to simplify the information flow or highlight features often used by users of our digital channels). Preparing documents for developing and improving our range of services. Preparing documents to improve IT systems for the purpose of improving the security of our business customers and users overall. Analysing the data collected for the purpose. Based on the data we collect, analyses are carried out on an aggregated level, with no connection to you as an individual. The insights from the analyses form the basis for improving our services.	Categories of personal data: Correspondence and feedback regarding our services. Data generated from users and purchases. Technical data relating to used devices and their settings (such as settings regarding language, IP address, web browser, time zone, operational system, screen resolution and platform). Information on how you have interacted with us, i.e. how you have used the service, login method, where and for how long various pages have been visited, response times, download errors, and how you reach and exit the service.
Legal basis: Legitimate interest, consent. The processing is necessary in the legitimate interest of Bokio to assess, develop and improve our services, products and systems. To the extent we use cookies, pixels or other similar technology to collect personal data, we also collect your consent when required by applicable law.
Retention period: For this purpose, we will process your personal data for 3 years from the collection thereof. To the extent we use cookies, pixels or other similar technology, the data will be stored in accordance with the period stipulated in our cookie policy.

Courses and seminars
Purpose of the processing: To manage your participation in Bokio’s courses and seminars.
Processing: Registering your application to participate in Bokio’s courses and seminars. Administrative measures regarding your participation in Bokio’s courses and seminars. Processing relating to payment. Verification of identification at the time of participation.	Categories of personal data: Contact information (name, address, phone number and e-mail address). Payment information including bank account or card details.
Legal basis: Legitimate interest. The processing is necessary for the legitimate interest of Bokio to provide our services to customers.
Retention period: For this purpose, Bokio will process your personal data for the duration of the contractual term, as well as during a period where the processing is necessary to settle, assert or defend any legal claims that may be made. The personal data included as accounting information, and which is regulated under the Swedish Accounting Act (Sw: bokföringslagen (1999:1078)) will be retained up to the seventh year after the end of the calendar year when the financial year when the last payment was due or made was closed.

Marketing
Purpose of the processing: To market our services and products.
Processing: Creating targeted offers and discounts and providing inspirational content. Analysing the collected data for the purpose of categorising you into an appropriate target group that forms the basis for targeted offers, discounts and other customised communication.	Categories of personal data: Contact information (name, address, phone number and e-mail address). Age. Data generated from users and purchases. Business engagement. Your shared customer segment and/or appropriate target group. User and behavioural data collected through cookies, pixels or other similar technology.
Legal basis: Legitimate interest, consent. The processing is necessary for the legitimate interest of Bokio to market our services. To the extent we use cookies, pixels or other similar technology to collect personal data, we collect your consent for such processing.
Retention period: For this purpose, Bokio will process your personal data for 1 year after the end of the contractual time. To the extent we use cookies, pixels or other similar technology, the data will be stored in accordance with the period stipulated in our Cookie policy \| Bokio.

Newsletters
Purpose of the processing: To send newsletters and other mailings from Bokio.
Processing: Registering your application to receive newsletters and other mailings from Bokio. Administrative measures concerning newsletters and other mailings you have requested from Bokio.	Categories of personal data: Contact information (name, address, phone number and e-mail address).
Legal basis: Legitimate interest. The processing is necessary for the legitimate interest of Bokio to market our services.
Retention period: For this purpose, Bokio will process your personal data during the time you subscribe to Bokio’s newsletters and 1 year thereafter.

Customer service
Purpose of the processing: To provide customer service and support.
Processing: Communicating and responding to possible questions to customer service. Identifying you when you contact our customer service. matters relating to support (including technical support). Investigations of and support in relation to complaints connected to the use of our services, for example when we help you solve an issue arising in connection with your purchase of a service from us.	Categories of personal data: Contact information (name, address, phone number and e-mail address). User data from your account. Your correspondence with our customer support. Data generated from users and purchases. Technical data relating to used devices and their settings (such as settings regarding language, IP address, web browser, time zone, operational system, screen resolution and platform).
Legal basis: Legitimate interest, or fulfilment of contract The processing is necessary for the legitimate interest of Bokio to process complaints and matters relating to customer service, or if you are a sole trader, for the fulfilment of the contract between you and Bokio.
Retention period: For this purpose, Bokio will process your personal data until the customer service matter has been closed, and during the period necessary to settle, assert or defend any legal claims that may be made.

From where do we obtain your personal data?

Bokio process personal data collected from the following sources:

- Personal data collected directly from you when you register and sign into our services;
- Personal data that we collect from public registers or your employer, that, if relevant, is provided to us within the framework of anti-money laundering checks and/or credit information procedures; and
- Personal data that you provide to us in connection with matters relating to customer services.

What happens if you do not provide us with your personal data?

In order for us to fulfil the purposes set out in section 3, it is necessary for you to provide us with certain personal data. If you do not provide us with your personal data, it may result in us not being able to provide you with the services and that we may not fulfil our obligations under the agreement in relation to you. We will inform you of what personal data is required in order for us to provide the services to you.

With whom do we share your personal data?

In order to fulfil the purposes listed above, Bokio will share your personal data with the following categories of recipients.

a) Other Bokio Group companies;
b) Providers of IT-systems and other software companies that we retain for the purpose of providing our services;
c) Payment service companies and other financial services providers (for example, for issuing company cards);
d) Acquiring banks;
e) Swedish and foreign authorities as well as courts;
f) Credit-rating agencies and anti-fraud bodies (in applicable cases); and,
g) Providers of cookies, pixels and other similar technology.

Will we transfer your personal data outside the EU/EEA?

Bokio may transfer your personal data to countries outside the EU/EEA. In those cases, we will ensure that there is a legal basis for the transfer and that appropriate safeguards are implemented to protect the personal data. If we transfer personal data to a recipient established in a country that has not been deemed to grant an adequate level of protection by the EU Commission, we will enter into an agreement with the recipient based on the EU Commission’s standard contractual clauses for the transfer of personal data to a country outside the EU/EEA. Depending on the receiving country, we will implement further safeguards for the transfer when required by applicable law or common practice. For more information on whether we have transferred your personal data to a country outside the EU/EEA, which countries your personal data has been transferred to and what safeguards have been implemented for the transfer, please contact us using our contact details listed at the end of this privacy policy.

Will we transfer your personal data outside the EU/EEA?

Below is a summary of the rights you have as a data subject. The exercise of these rights is free of charge and you may exercise the rights by contacting us (see the contact details at the end of this privacy policy). Please do not hesitate to contact us should you have any questions regarding your rights.

Please note that Bokio will always carry out an assessment of a request to exercise a right to determine whether the request is valid. All rights listed below are not absolute and exceptions may apply.

In addition to the rights listed below, you are always entitled to lodge a complaint with a supervisory authority regarding Bokio’s processing of your personal data.

a) Right to access. You are upon request entitled to receive a copy of your personal data that Bokio processes and receive supplementary information regarding Bokio’s processing of your personal data.

b) Right to rectification. You are entitled to have your personal data corrected and/or completed if the personal data is inaccurate and/or incomplete.

c) Right to erasure. You are entitled to request that Bokio erase your personal without undue delay in the following circumstances:

- the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent to the processing and there is no other legal basis for the processing;
- you make a valid objection to the processing of your personal data;
- the personal data has been unlawfully processed; or
- the personal data is required to be erased to comply with a legal obligation.

d) Right to restrict the processing. You are entitled to request that the processing of your personal data is restricted in the following circumstances:

- the accuracy of the personal data is under investigation;
- the processing is unlawful or is no longer required for the purposes of the processing, but you oppose the erasure of personal data and request restriction instead;
- Bokio no longer needs the personal data, but you need the personal data in order to establish, exercise or defend any legal claims; or
- you have objected to the processing of your personal data and such objection is under investigation.

e) Right to data portability. Under certain circumstances you are entitled to receive personal data about you, which you have previously provided to Bokio, in a format for transfer to another service provider, if the processing of the personal data is based on your consent or performance of an agreement.

f) General right to object. You are entitled to, at any time, object to the processing of your personal data based on Bokio’s legitimate interests. If you object, we are required to demonstrate our compelling legitimate grounds for such processing or that we need the personal data in order to establish, exercise or defend any legal claims.

g) Right to object to direct marketing. You are entitled to, at any time, object to any processing of your personal data used for direct marketing purposes. If you do this, Bokio will no longer be able to process your personal data for such purposes.
How can you contact us?

You can get in touch with us through the following: Bokio Group AB, Kungsportsavenyen 34, 411 36 Göteborg, SWEDEN, or at support@bokio.co.uk.

Plaid

In the UK, Bokio is an agent of Plaid Financial Ltd., an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 804718). Plaid provides you with regulated account information services through Bokio as its agent.

We appreciate the chance to address any concerns you may have and encourage you to contact us. In addition, and depending on your jurisdiction, you may have the right to make a complaint at any time to your (data protection) supervisory authority. For end users in the EEA, you can find contact information for the European Data Protection Board (EDPB) on the EDPB's website here. For end users in the UK, you can find contact information for the Information Commissioner's Office (ICO) on the ICO's website here.