Last updated: 30 April 2025
Xoala is committed to protecting the privacy and security of your Personal Data.
This privacy notice (“notice”) explains the types of personal data we collect and how we use and share it. It also tells you about your rights and the choices you can make about how we process your personal data.
This notice applies to all services provided by the Xoala group of companies to our customers globally (hereinafter referred to as “Xoala Group”. Xoala Group, in relation to Xoala, means that company, any subsidiary or any holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company).
We want to ensure that you clearly understand how we handle your personal information. This Privacy Policy (the “Policy”) explains what data we collect, how we use and share it, and the choices available to you regarding your information. We encourage you to read it carefully.
Below is a brief overview of what’s included in this policy. Please note that this summary is not a substitute for reviewing the full policy.
What does this Policy apply to? | This policy applies to all users of our products, services, technologies, or features globally. If the user is a business entity, this includes any individual who owns or represents that entity. It also applies to anyone who visits our website, mobile application, or any other platform we operate. |
Who is the data controller? | “We” or “us” in this Policy refers to Xoala. The data controller of your personal information varies by your location: EEA/Sweden - Steven AB; UK - Swipe International Ltd and Steven FS ltd; Malaysia - MyMy Payments Malaysia Sdn.Bhd; New Zealand - Steven AB (Branch) - New Zealand; Poland - Xoala Digital sp. z o.o |
What types of information do we collect and why? | When you create an account to access our Services, we collect certain information—such as your name, address, government-issued identification, tax identification number, and business details necessary to set up and manage your account. As part of our Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations, we also process identity verification data. In addition, we handle information related to your transactions, including payment details and beneficiary information. To ensure the security and functionality of our Services, we collect network, device, and usage data. You can find more details about the types of personal information we collect and how we use it in the sections below. |
How is your information shared? | To deliver our Services effectively, we work with affiliates and carefully selected third parties. In doing so, it may be necessary to share your personal information to facilitate the Services or to enable third-party services you have requested or consented to. When third parties are engaged to support our Services, they do so solely for that purpose and are required to implement appropriate safeguards to protect your personal information. These third-party services may include customer support, transaction processing, account information services, payment initiation, cloud storage, analytics, market research, fraud prevention, business services, and other operational functions. Our global affiliates also support the delivery of our Services. In certain situations, we may be legally required—by court order or applicable law—to disclose specific information. You can find more details about how we share your personal information in the section below. |
Where do we store your information? | Your personal information is primarily stored and processed in the United Kingdom, the European Union, and other designated jurisdictions. However, as part of our global operations, we may transfer your information to, and process it in, countries outside of your country of residence, incorporation, or business activity—particularly where our affiliates, service providers, financial partners, or other ecosystem partners are located. Please contact us at dataprotection@xoala.com for more information. |
How long do we retain information for? | We only retain personal information for so long as it is required to fulfil the purpose for which it was collected, unless we are subject to legal or regulatory obligations to retain such information. You can read more about how long we retain specific categories of personal information below. |
What rights do I have to processing of my information? | Depending on where you are located, you may have certain rights with respect to your personal information, such as rights of access, to receive a copy of your information, or to delete your information or restrict or object to our processing of your information. You can read more about your rights below. |
How can I contact Xoala? | If you have questions or concerns about this Policy or a specific request related to your personal information, please contact us at dataprotection@xoala.com. |
How will we notify you of changes to this Policy? | We reserve the right to make changes to this Policy at any time by posting a revised version to our Site and updating the “Last Updated” date at the top of this Policy. |
Are there specific terms that apply to certain countries? | Yes. You can read more about the specific processing activities for certain jurisdictions in the Jurisdiction-Specific Addenda below. |
- Scope of Policy
This Privacy Policy applies to your use of, or interaction with, our Services globally, including our website, mobile application, and any other platform we operate (collectively, the “Sites”). “Services” refers to any products, services, technologies, or features offered by Xoala, which may vary depending on your location.
Depending on the context, the term “you” may refer to:
End User: An individual who uses our Services, whether for personal or other purposes. We may receive an End User’s personal information through a Business Customer who provides it to us.
Representative: An individual who owns or acts on behalf of a Business Customer—such as a director, employee, or officer—with authority to manage the Business Customer’s account.
Visitor: An individual who visits our Sites or contacts us (e.g., through our support page) without logging into an Xoala account.
Business Customer: A business entity to whom we provide Services directly or indirectly. Business Customers may share End Users’ personal information with us as part of their use of the Services.
Please note that when you (as an End User or Representative) interact with a Business Customer, your personal information may also be collected, stored, and used by that Business Customer in accordance with their own privacy policy, which may differ from this Policy.
This Privacy Policy (“Policy”), together with any agreement between us and any documents and other policies referred to in such agreement (together our “Terms of Use”) applies to all personal information processing activities carried out about you prior to, during and after your client relationship with us. It is relevant to anyone who uses our website, app, extranet, sandbox, software, systems, services, goods, and finances (together Xoala Services), including but not limited to, customers, prospective customers, suppliers, contractors, website, and app users.
Please read the following carefully to understand our views and practices regarding personal information and how we will treat it. By using the Xoala Services, you are accepting and consenting to the practices described in this Policy.
This Policy explains how your Personal Data is collected, protected, processed, disclosed and shared by Xoala, as the Data Controller and Data Processor. This applies to data collected through our website, pilots, development sandboxes or during interactions you may have with us through various mediums including, but not limited to, webinars, user groups, events, registered users and job applications.
Within this Policy, the terms “Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processing” shall have the meaning given to these terms in the Data Protection Act (2018:218), EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable data protection legislation (hereinafter referred to as “Data Protection Legislation”).
We may update our Policy from time to time. When we do, we will communicate any changes by publishing the updated Policy on our website and app. We would encourage you to visit our website or app regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.
- Data Controller
As used in this Policy, “we,” “us,” “our” and “Xoala” refer to the Xoala Group entity that acts as the data controller with respect to your information. The data controller responsible for your information under this Policy varies depending on your country of residence and/or the entity used to enter into an agreement with Xoala to provide services to you and is listed below. Our privacy team can be contacted at dataprotection@xoala.com.
Country of Residence | Data Controller(s) | Address |
UK | Swipe International Ltd & Steven FS Limited | 142 Central Street, Clerkenwell, London, United Kingdom, EC1V 8AR |
Sweden/EEA | Steven AB | Steven AB, Sturegatan 4, 114 35 Stockholm |
Poland | Xoala Digital sp. z o.o | UL. Piotrkowska 116/52, 90-006 Łódź |
Malaysia | MyMy Payments Malaysia Sdn.Bhd | MyMy Payments Malaysia Sdn.Bhd, Unit K03-03-10, UOA Business Park, No. 1 Jalan Pengaturcara, U1/51A, Seksyen U1, Shah Alam Selangor |
New Zealand | Steven AB (Branch) - New Zealand | Level 10, Suite 1005, 300 Queen Street 1010 Auckland, New Zealand |
- Collection of information
We respect individuals’ rights to privacy and to the protection of personal information. Xoala has a legitimate interest to Process your Personal Data for the operation of its services as detailed below:
-
What Personal Data do we collect?
We will collect and process various categories of personal data at the start of and for the duration of your relationship with us. We will limit the collection and Processing of information to information necessary to achieve one or more legitimate purposes as identified in this Policy. Personal data may include, but is not limited to:
- personal contact information (including your name, home address, personal telephone number(s) and personal e-mail address);
- business contact information (including e-mail address and telephone number);
- date of birth;
- social security, government identification and / or driving licence number;
- company account details, tax residence and tax status information;
- copies of company statements, utility bills and official correspondence to your residential address;
- asset and liability statements;
- documents gathered during the on-boarding process (including credit history, background vetting information);
- information gathered through our monitoring of our IT systems, building access records and CCTV recording when you attend meetings in person at our offices;
- technical information, including the type of device you use, a unique device identifier, network information, the type of operating system and browser you use, time zone settings, and other device-related information;
- device identification information for fraud prevention purposes (referred to in the application at the time of installation of a device);
- passport, national identity card, driving licence, power of attorney and relevant contact information of your lawyers, accountants, advisers, agents, attorneys or other representatives (including their name, address, telephone number(s) and e-mail address(es));
- due diligence materials (including reports, photographs, valuations and analysis) relating to your property, assets, finances or creditworthiness for the purposes of credit analysis, consideration and approval; transaction structuring, processing and administration/management; and
- Personal Data which you otherwise voluntarily provide, for example when corresponding in writing (including via email or other electronic means), in meetings or during phone conversations or entered into any of our websites.
- The majority of the Personal Data provided by you is mandatory in order for us to administer the client relationship and perform our obligations under our contract(s) with you and/or comply with statutory requirements relating to making or receiving payments, sanctions, immigration or taxation. Failure to provide mandatory Personal Data may affect our ability to accomplish the purposes stated in this Policy and potentially affect your ongoing client relationship with us.
- Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between Xoala and with law enforcement and regulatory bodies.
The list set out above is not exhaustive, and there may be other Personal Data which Xoala collects, stores and uses in the context of the client relationship.
-
How we obtain information
The majority of the Personal Data which we process will be collected directly from you. Your information is made up of all the financial and personal information we collect and hold about you/your business and the proprietors, officers and beneficial owners of that business and your transactions. It includes, but is not limited to:
- information you give us;
- information that we receive from third parties – including third parties who provide services to you and us, credit reference, fraud prevention or government agencies and financial institutions (where permitted by law);
- information that we learn about you through our relationships with you and the way you operate your account and/or services;
- information that we gather from the technology which you use to access our services (for example an IP address or telephone number) and how you use it; and
- information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.
-
Cookies
We also use cookies to distinguish you from other users of Xoala’s Services. This helps us to provide you with an enhanced experience when you access or use Xoala’s Services to assist in continuous improvement. Please see our Cookie Policy for more information.
-
- Credit reference and fraud prevention agencies
-
General
Before we provide Xoala’s Services to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process your Personal Data. The Personal Data you have provided, that we have collected from you, or that we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Xoala and the fraud prevention agencies may also enable law enforcement agencies to access and use your Personal Data to detect, investigate and prevent crime.
We process your Personal Data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with applicable laws and regulations. Such Processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your Personal Data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
-
Automated decisions
As part of the Processing of your Personal Data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our Processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more, please contact us using the contact details at the end of this Policy.
-
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us using the contact details at the end of this Policy.
-
Data transfers
Where fraud prevention agencies transfer your Personal Data outside of the European Economic Area, they will impose contractual obligations on the recipients of your data to ensure your Personal Data is protected to the standard required in the European Economic Area. These fraud prevention agencies may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
-
- How do we use your Personal Data?
We will only use and share your information where it is necessary for us to carry out our lawful business activities. We want to ensure that you fully understand how your information may be used. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
These lists are not exhaustive, and we may undertake additional Processing of Personal Data in line with the purposes set out below.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data on an aggregate or anonymous basis (such that it does not identify any individual clients) without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
-
Contractual necessity
We may process your information where it is necessary to enter into a contract with you for the provision of Xoala’s Services. This may include Processing to:
- assess and process applications for products or services;
- provide and administer those products and services throughout your relationship with the company, including opening, setting up or closing your accounts or products; processing transactions; resolving any queries or discrepancies and administering any changes;
- communications to our mobile and online helplines may be recorded and monitored for these purposes; and
- manage and maintain our relationships with you and for ongoing customer service.
-
Legal obligation
When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. This may include Processing to:
- confirm your identity, including using biometric information and voice-recognition technology;
- perform checks and monitor transactions for the purpose of preventing and detecting crime;
- process information about criminal convictions and offences;
- investigate and gather intelligence on suspected financial crimes, fraud and threats and share data with law enforcement and regulatory bodies;
- share data with other companies and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
- share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
- deliver mandatory communications to customers or communicate updates to product and service terms and conditions;
- investigate and resolve complaints;
- conduct investigations into breaches of conduct and corporate policies by our employees;
- manage contentious regulatory matters, investigations and litigation;
- perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
- provide assurance that the company has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;
- investigate and report on incidents or emergencies on the company’s properties and premises; and
- coordinate responses to business-disrupting incidents and to ensure facilities, systems and people are available to continue providing services.
-
Legitimate interests
We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include Processing your information to:
- ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies;
- ensure network and information security and protection of your Personal Data;
- provide assurance on the company’s material risks and report to internal management and supervisory authorities on whether the company is managing them effectively;
- perform general, financial and regulatory accounting and reporting;
- protect our legal rights and interests;
- manage and monitor our properties (for example through CCTV) for the purpose of crime prevention and prosecution of offenders, for identifying accidents and incidents and emergency situations and for internal training; and
- enable a sale, reorganisation, transfer or other transaction relating to our business.
It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually improve as an organisation. This may require Processing your information to enable us to:
- identify new business opportunities and to develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
- send you relevant marketing. We may show or send you marketing material online (on our own and other websites including social media platforms), in our app, or by email, SMS or post;
- understand our customers’ actions, behaviour, preferences, expectations, feedback and financial history in order to improve our products and services, develop new products and services, and to improve the relevance of offers of products and services by the company;
- monitor the performance and effectiveness of products and services;
- assess the quality of our customer services and provide staff training. Calls to our service centres and communications to our mobile and online helplines may be recorded and monitored for these purposes; and
- combine your information with third-party data, such as economic data, in order to understand customers’ needs better and improve our services.
- We may perform data analysis, data matching and profiling to support decision-making with regards to the activities mentioned above. It may also involve sharing information with third parties who provide a service to us.
- Xoala’s Services may, from time to time, contain links to and from the websites of our partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
-
- Marketing information
Unless you have told us that you do not want to hear from us, we may send you relevant marketing information (including details of other products or services provided by us, companies which we believe may be of interest to you), by mail, phone, email, text and other forms of electronic communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us at any time by contacting us in writing using the contact details at the end of this Policy.
- When do we share client Personal Data?
We will share client Personal Data with other parties only in limited circumstances and where this is necessary for the performance of the contract or to comply with a legal obligation, or otherwise in pursuit of our legitimate business interests as follows:
- where we have your permission;
- where required for your product or service;
- where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;
- with companies, financial institutions and payment services companies when making payment to or receiving payment from you;
- with background vetting specialists as part of the client on-boarding process and periodically thereafter to ensure Personal Data held is up to date;
- accountants, lawyers, notaries and other professional advisers when considering, structuring, documenting, concluding, terminating, varying, amending or renewing a particular transaction already in place with you;
- financiers, insurers, participants and sub-participants in order to consider and/or obtain funding, risk mitigation, insurance or other financial or risk support in relation to an agreement between you and us;
- IT service providers as part of routine testing, maintenance, development and improvement to the safety, security or functioning of our IT systems;
- where required for a proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business; or
- in anonymised form as part of statistics or other aggregated data shared with third parties.
In all cases, the client’s Personal Data is shared under the terms of a written agreement between us and the third party which includes appropriate security measures to protect the Personal Data in line with this Policy and our obligations. Third parties are permitted to use the Personal Data only for the purposes which we have identified, and not for their own purposes, and they are not permitted to further share the data without our express permission.
- What special categories of Personal Data do we Process?
Certain categories of data are considered “special categories” of Personal Data and are subject to additional safeguards. We do not need your consent if we use special categories of your Personal Data in accordance with our written Policy to carry out our legal obligations or exercise specific legal rights. In limited circumstances, we may approach you for your written consent to allow us to process particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
- External parties
We may enter into agreements with external parties necessary for our activity, including but not limited to business partners, service providers who perform functions on our behalf (including external consultants and professional advisers such as lawyers, auditors and accountants), outsourced IT providers, and analytics and search engine providers. Such third-party outsourcing may include solutions such as cloud computing, external hosting, technical service provision or similar solutions. Under these agreements we may share your information with these external parties, to the extent that use of your information for these purposes is necessary for our legitimate interests or for the legitimate interests of those external parties.
You agree that we may disclose your personal information to entities across the Xoala Group and third parties.
- Transferring information overseas
From time to time, we may need to share your personal data with other entities within the Xoala Group, including those located outside of the European Economic Area (EEA). In addition, our service providers or support partners—some of whom may also be based in jurisdictions outside the EEA—may be granted access to your personal information. We may also be required to disclose your personal data internationally in response to lawful requests from foreign regulatory or law enforcement authorities.
We are committed to ensuring that any international transfer of your personal data is carried out with appropriate safeguards to protect your privacy and rights:
- We only transfer data to countries deemed to provide an adequate level of data protection, or where we have implemented suitable measures to uphold your privacy rights;
- Transfers within the Xoala Group are governed by internal data transfer agreements that include contractual safeguards to ensure consistent and appropriate protection of your personal data across all locations;
- Data shared with external service providers or third parties is protected through legally binding agreements, including data protection clauses and, where necessary, additional guarantees;
- Any disclosure in response to official legal or regulatory requests is subject to a thorough review to confirm its validity and necessity before any data is released.
If we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where:
- the European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately;
- the transfer has been authorised by the Swedish Authority for Privacy Protection (IMY), and other relevant data protection authorities; and/or
- we have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected.
Your Data may also be stored at a destination within and outside the EEA. It may also be processed by staff operating outside the EEA who work for us, our affiliates, or for one of our affiliates or partners. These staff may be engaged in the fulfilment of your request, order or reservation, the processing of your details and the provision of support services. By submitting your personal data or using Xoala’s Services, you agree to this transfer, storing or processing.
- Adequacy decisions
The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal information, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein, and Iceland to those countries. The UK and Switzerland have adopted similar adequacy mechanisms.
- How long will my Personal Data be retained?
By providing you with products or services, we create records that contain your information. Records can be held on a variety of media (physical or electronic) and formats. We manage our records to help us to serve our customers well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and serve as evidence of our business activities.
Retention periods for records are determined based on the type of record, the nature of the activity, product or service, the country in which the relevant company is located and the applicable local legal or regulatory requirements.
We may as an exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that we will be able to produce records as evidence, if they are needed.
Under some circumstances we may anonymise your Personal Data so that it can no longer be associated with you. We reserve the right to retain and use such anonymous data for any legitimate business purpose without further notice to you.
During the course of your client relationship with us we will review the Personal Data we hold in relation to you approximately every 12 months and any Personal Data which is no longer needed will be deleted. Following the termination of your client relationship with us we will typically retain data for the periods set out below:
General correspondence | 6 years |
Contractual documentation | 6 years |
Legal Deeds relating to transactions between you and us | 12 years |
Tax and accountancy records relating to your transactions | 7 years |
Background check results and related information | 6 years |
Financial and credit-related information | 6 years |
Personal data in archived e-mails or other electronic files | 6 years |
Forms of identification | 6 years |
CCTV | 31 days |
Retention periods may be changed from time to time based on business or legal and regulatory requirements.
- How is my Personal Data secured?
We have put in place strict security measures to prevent your Personal Data from being accidentally lost, altered, disclosed, used or accessed in an unauthorised way. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Protection Officer (the “DPO”) by contacting us at: dataprotection@xoala.com.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your Data transmitted to Xoala’s Services; any transmission is at your own risk. Once we have received your Data, we will use strict procedures and security features to try to prevent unauthorized access.
It is your responsibility to ensure that all of your users accessing Xoala’s Services are aware of your security obligations in doing so. We may require your users to provide certain security credentials and/or to answer certain questions (e.g. a memorable word) in order to validate such user and grant access to Xoala’s Services. You are responsible for ensuring that all users possess valid security credentials.
- Your rights
You have the right to be informed about the processing of your personal information. You can contact us if you believe the personal information we have for you is incorrect, if you believe that we are not entitled to use your personal information in accordance with this Policy, if you want to restrict our processing of your personal data, or if you would like us to erase personal information that we hold about you. You have the right to move, copy or transfer your personal information (“data portability”) in a machine-readable format. For any of these, please contact us using the contact details within this Policy.
We want to make sure that you are aware of your rights in relation to the personal data we process about you. We have described those rights and the circumstances in which they apply in the table below.
Access – You have a right to get access to the personal information we hold about you. For more information on how to get access to your information and the documents we need you to submit, please contact us using the contact details at the end of this Policy.
Rectification – You have a right to rectification of inaccurate personal information and to update incomplete personal information. If you believe that any of the information that we hold about you is inaccurate, you have a right to request that we restrict the Processing of that information and to rectify the inaccurate personal information.
Please note that if you request us to restrict Processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
Erasure – You have a right to request that we delete your personal information. You may request that we delete your personal information if you believe that:
- we no longer need to process your information for the purposes for which it was provided;
- we have requested your permission to process your personal information and you wish to withdraw your consent; or
- we are not using your information in a lawful manner.
Restriction – You have a right to request us to restrict the Processing of your personal information. You may request us to restrict Processing your personal information if you believe that:
- any of the information that we hold about you is inaccurate;
- we no longer need to process your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or
- we are not using your information in a lawful manner.
Portability – You have a right to data portability. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have a right to receive the personal information you provided to us in a portable format.
You may also request us to provide it directly to a third party, if technically feasible. We’re not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
If you would like to request the personal information you provided to us in a portable format, please write to us at the details provided above.
Marketing – You have a right to object to direct marketing. You have a right to object at any time to Processing of your personal information for direct marketing purposes, including profiling you for the purposes of direct marketing.
Withdraw consent – You have a right to withdraw your consent. Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific Processing activities.
Please note that if you withdraw your consent we may have to suspend the operation of your account and/or the products and services we provide to you.
Lodge complaints – You have a right to lodge a complaint with the regulator. If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the Swedish Authority for Privacy Protection (IMY) using the contact details at the end of this Policy.
If you have any questions about these rights or you wish to exercise your rights of access you should set out your request to the DPO in writing to Xoala using the contact details at the end of this Policy.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. In such circumstances, we may be entitled under Data Protection Legislation to refuse to comply with the request.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Where can I get further information?
If you have questions or concerns about this Policy or a specific request related to your personal information, please contact us at dataprotection@xoala.com.
If you wish to make an inquiry regarding how we process your personal information, please contact us at dataprotection@xoala.com and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the data protection authority in the country in which you live or work where you think we have infringed data protection laws.
- Jurisdiction-Specific rights
Some jurisdictions’ laws contain additional terms for users of the Services, which are set out in this policy. If you are a customer of a Xoala entity located in a jurisdiction in which we operate, you may also have certain rights regarding information we hold about you under other data protection and privacy laws. Please contact us at dataprotection@xoala.com for more information.