Privacy Policy

Last updated January 2023

Introduction and responsibility for personal data

When you are in contact with Steven (defined below), visiting our website or using our mobile application (the “App”), you entrust us with your personal data. We are committed to keeping that trust. That starts with helping you understand our privacy practices. This Privacy Policy explains how Steven collects and uses your personal data. It also describes your rights towards us and how you can exercise them. As an e-money and payment institution we are bound by professional secrecy by law.

This Privacy Policy constitutes information for data subjects and has been drafted in accordance with Articles 12, 13 and 14 of the General Data Protection Regulation (GDPR).

The data controller for the data processing described in this Privacy Policy is Steven AB, corp. ID no 559026-5673, hereafter “we”, “us” or “Steven”. You are welcome to contact us at any time if you have any questions regarding our processing your personal data. You can send an email to info@getsteven.com.

1. Scope

This Privacy Policy covers personal data processing concerning the following categories of data subjects: 

  • Our Customers (users of our App); 

  • Visitors of our website and individuals who contact us; 

  • Employees/representatives at suppliers, stakeholders and authorities; and

  • Candidates that apply for an employment.

2. How is personal data collected?

From you and the information you submit to us. Most of the personal data we process is submitted by you, for example when you create a user account with us, apply for a payment card, apply for a job, or contact us by email. 

Contact information; Feedback or correspondence; Identification data; KYC-information; User data.

From public and private information registers. Such as SPAR (Sw. Statens personadressregister), private sources that act as sellers of such a register, the Swedish Tax Agency and sanctions lists that may be public or provided by a private source. 

Identification data; KYC-information.

From third parties/partners/suppliers. Through the App you may activate services/ functionalities from partners to us for example Klarna Bank AB’s Open Banking services if you choose to connect your bank account with Steven, or Google Connect. The activation of such services will entail collection of personal data from such partners. 

Information from the Open Banking feature; Payment card data; Payment information. 

Through your use of the App and our services. When you use our services such as the App or the payment card, additional information is created that can be linked to you, such as a history of group settlements, transactions, logs of logins and use of the App along with choices you make. We also collect data from devices, such as your mobile phone, tablet, and computer, about how you interact with our services and information from us. 

Device information; User data; Usage information; Direct marketing information.

3. Categories of personal data

Contact information: first and last name, email address, phone number, professional title and organization name.

Device information: IP-address and information of the device you are using. 

Direct marketing information: details about how you engage with communications sent from us such as newsletter.

Feedback or correspondence: in respect of Steven customers/users: information you provide when you contact us with questions, feedback, or otherwise correspond with us. In respect of employees and representatives at suppliers, stakeholders, and authorities: all information in correspondence with us, notes/minutes from meetings, and information in submissions, orders, and other documents circulated. 

Identification data: first and last name, date of birth, address, e-mail, telephone number, country of residence. 

Information from the Open Banking feature: data retrieved from your online bank accounts which will include financial information including bank account data (e.g. a list of available bank accounts, chosen bank account(s), account number/client number, balance, overdraft limit, pending transfers, historical transactions, amounts, counter party of specific transactions etc.). This data is collected from Klarna Bank AB and shown to you in the App. 

KYC-information: Name, address, social security number, information on ID-documentation, passport, picture, signature, information from external sanction lists and PEP-lists (political exposed person), occupation, nationality, place of birth, and other information about you that is necessary for our Know-Your-Customer check. 

Payment card data: Name, email, phone number, social security number, and/or physical address, PAN (a unique permanent account number), transaction location, and payment- and transaction data.

Payment information: If you use our in-app payments solutions or uploading funds to your Steven account, we process, approximately location, transaction details including information regarding the recipient and the amount, and order identifiers. 

Usage information: information about how you use the App and our services, what services and feature you uses, how you interact with the App, our services, features, and other users including the groups you have joined, expenses made, group settlements, payment method for splits/payment, and logs of logins.

User data: username and password, phone number, and any account preferences for the App and our services, agreement data.

4. How is your personal data processed?

4.1. Steven customers – use of the Steven’s App

General information about the personal data processing

We need to process personal data about our customers/users so that we can offer our services and different features within the services. The personal data collected and processed depends on which features you choose to activate and use.

The personal data is collected from: You; From other users; From public and private information registers; From third parties; Through your use of the App and our services.

Detailed information about the personal data processing

4.1.1. Use of personal data when you use Steven’s App (regardless of which features

you use)

Purpose of the processing

  • To confirm the identity of

    the user.

  • To create and administer

    user accounts.

  • To administer the

    customer relation.

  • Answer to customer queries, complaints and provide support, this includes to communicate with you, investigate your case/issue.

Personal data

Identification data; Social security number; User data; Device Information; Feedback or correspondence.

Identification data; Social security number; User data; Usage information; Device Information; Feedback or correspondence.

Lawful basis

Our processing is based on Article 6.1(b) as it is necessary in order to enter into the agreement with you and for the delivery of the requested services; we will not be able to provide the services/fulfil our contractual obligations if the processing is not performed. 

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to ensure correct execution of the services to the customer’s satisfaction including providing support and manage complaints. We believe that this is also in the customer’s interest.

 Retention period

During the customer relationship and for six (6) months thereafter.

Purpose of the processing

  • To enable the use of our digital services.

  • To ensure the services’ function properly.

  • To monitor the use of our services in order to identify and assess security treats. 

  • To ensure network and information security in our services. 

    This processing includes troubleshooting and carry out updates in the App/of the services.

Personal data

Identification data; User data (but not password); Device Information; Usage information; Payment information (if any).

Lawful basis

Our processing is based on Article 6.1(b) as it is necessary for the delivery of the requested services; we will not be able to provide the services /fulfil our contractual obligations if the processing is not performed. 

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to ensure the correct and secure execution of the services. We believe that this is also in the customer’s interest.

 Retention period

During the customer relationship.

Purpose of the processing

For the purposes of evaluating, improving, and developing our services we need to process your data

  • To analyse and understand how the services are used by our customers.

  • To understand how you found the App and downloaded it. 

  • To conduct customer satisfaction surveys by electronic communication or phone.

    This processing includes to anonymize personal data and then use it in an aggregated form to create statistics on, for example, customer types and sales.

Personal data

Identification data; User data (but not password); Device Information; Feedback or correspondence; Usage information; Information from the Open Banking feature (if activated).

After anonymization the data will no longer identify you.

Lawful basis

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to improve and develop our business and services based on how customers use the services and based on customers satisfaction surveys. 

If you do not wish to receive customer satisfaction surveys, please send an email to info@getsteven.com.

 Retention period

The personal data will be actively processed during the customer relationship. 

Purpose of the processing

For direct marketing purposes, to provide you information about our business, and feature updates that we believe are relevant for you. The information is sent electronically.

To show you customized ads and offers of products/services from third parties in the App, which we believe are relevant to you (direct marketing purposes).

To decide which ads to show you, we will carry out profiling-based analyses on your personal data. This means that the analyses are automated and used to evaluate what we think you are interested in based on our use of the services e.g., if you often enter expenses for taxis, we can show you ads from an IT transport company. This method is not used for any other purpose than providing you relevant marketing/ad.

Personal data

Identification data; Device information (IP-address); Direct marketing information.

Usage information; User data (not password), Information from the Open Banking feature (if activated)

Lawful basis

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to marketing and informing about our business and encouraging existing customers to use our services.

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to show you ads and offers regarding other companies’ products. 

The analyses are made by Steven’s employees and no personal data is shared with the company whose ad we show. 


4.1.2. Join groups, split expenses

Purpose of the processing

  • To enable for you to create groups and invite people to the group.

  • To enable for others to invite you to a group.  

  • To add and manage expenses to be split. 

  • To calculate and split expenses. 

  • To enable you and others to integrate/communicate with each other within the group.

  • To follow-up on payments and outstanding amounts.

Personal data

Identification data; Social security number; User data; Usage information; Payment Information; Communication within groups; Feedback or correspondence.

Lawful basis

Our processing is based on Article 6.1(b) as it is necessary for the delivery of the requested services; we will not be able to provide the services /fulfil our contractual obligations if the processing is not performed. 


 Retention period

During the customer relationship and for six (6) months thereafter.

4.1.3. In-app payments and uploading funds

Purpose of the processing

  • To enable you to make in-app payments and settle with other users through the use of payment service providers connected to Steven e.g. Klarna Bank and Swish. This entails to share certain personal data with such partners, see Section 5.2 below. 

  • To enable you to upload funds from your bank to your Steven account. 

  • to provide different alternatives to payment instruments to make such money transfer to your Steven account. 

  • To enable you to make payments with your balance in the App. 

  • To enable you to receive payments from other users within the App and place the payment in your Steven account.

  • To enable you to withdraw funds held in your Steven account and transfer to your bank. 


    To prevent fraud- and money laundering (see Section 4.1.7 below)

Personal data

Identification data; Social security number; User data (not password); Payment Information.

Identification data; Social security number; User data (not password); Payment Information.

Lawful basis

Our processing is based on Article 6.1(b) as it is necessary for the delivery of the requested services; we will not be able to provide the services / fulfil our contractual obligations if the processing is not performed. 

Our processing is based on Article 6.1(b) as it is necessary for the delivery of the requested services; we will not be able to provide the services / fulfil our contractual obligations if the processing is not performed. 

The processing will be carried out by assistance from supplier Enfuce (supplying payment processing services).


Retention period

During the customer relationship however, the personal data Steven must archive to comply with applicable laws will be stored in accordance with Section 4.1.7.

4.1.4. Connecting your bank account to the App (Open Banking feature)

The Open Banking feature offer you the opportunity to have an overall view of your financial situation including your recent transactions and enable you to directly choose transactions that you want to add to a group as a shared expense. You may also use the budgeting- and offers & suggestions-service which helps you to create and follow up on budgeting, categorize your expenses and give you tips on how to lower your expenses. 

The feature is provided together with the account information service provider, Klarna Bank AB. Steven has integrated part of Klarna Bank’s Open Banking service (the account information service) with the App. By requesting the Open Banking service, Klarna Bank will access and collect information from one or more online bank accounts held by you (such as balance and transaction) and supply us, Steven, with the information. The information will be shown to you through the App and enable you to use the information as described in the foregoing. Klarna Bank’s own privacy notice and terms and conditions will apply to their processing of your personal data in connection with the Open Banking services provided by them https://www.klarna.com/international/privacy-policy/.

It may be that we receive information about third parties, for example name, stated in your account history if you have received or transferred funds from or to a third party. However, we do not have practical means to identify such third parties. We will only use this information in accordance with what is stated regarding Open Banking in this policy. However, our processing of such third party’s personal data is based on our legitimate interest to fulfil and perform a contact with our customer.

Purpose of the processing

  • Enable you to initiate the Open Banking service (the account information service) with Klarna Bank AB through the App;

  • To receive your financial and account information from Klarna Bank;

  • Enable you to use the service in the intended way including:
    -give you an overview of your transactions and expenses,
    - adding specific transactions from the imported bank accounts to a group as a shared expense. 

  • If you choose to activate the budgeting service:
    - to categorise your transactions depending on type,
    - give you budget tips, enable you to set budget/saving goals and follow-up and monitor your transactions in relation to set goals.

  • If you choose to activate the offers & suggestions service:
    - analyse your transactions and expenses from the imported bank accounts to give you suggestions on cheaper alternatives/ suppliers. 

Personal data

User data (not password); Usage information; Social Security number; Payment Information; Payment information; Information from the Open Banking feature.

This processing will give us a clear picture of your purchases patterns and behaviour. You should not activate this function if you do not want us to perform this type of data processing.

Lawful basis

Our processing is based on Article 6.1(b) as it is part and parcel of delivery of the requested Open Banking feature; we will not be able to provide said service/fulfil our contractual obligations if the processing is not performed. 

This processing will only commence if you activate the Open Banking feature in the App. You can always, at any time, inactivate the feature.


Retention period

The processing will be carried out from the time you connect your bank account until you deactivate it, or you deactivate or terminate your user account with Steven. However, we will only access and process transactions you have made in the last ninety (90) days.

4.1.5. Connecting your Google contacts

This processing will only commence if you choose to connect your Steven account with your Google contacts.

Purpose of the processing

  • To enable you to integrate with your Google Contacts via Steven which means: sending invitations to Steven and your Steven groups to your Google contacts; helping you to find friends who already use Steven.

Personal data

Device information, your Google username and email address, your sharing settings, phone number, and names of your Google contacts.

Lawful basis

The processing will only be carried out after that you have given us consent by accepting to share your Google contacts with Steven.


Retention period

From the time you actively choose to connect your Steven account with your Google contacts until you deactivate the connection, or you deactivate or terminate your user account with Steven. 

4.1.6. Steven’s Payment Card

This processing will only commence if you apply for a payment card. The processing will be carried out by assistance from our supplier Enfuce (supplying payment processing services).

Purpose of the processing

To provide the payment card service. That includes:

  • To administer, assess and respond to your application of a payment card; 

  • To issuing the card and deliver it to you; and

  • To, in a secure manner, give you access to your card details including PIN-code.

  • Enable you to add the payment card to digital wallets held by third parties (Apple pay and Google Pay).

  • To carry out card transactions, manage your transactions and match them to authorized merchant transactions; 

  • To prevent fraud- and money laundering (see Section 4.1.7 below).

Personal data

Identification data; Social security number; Device information; Payment card data; KYC-information; Feedback or correspondence. 

Payment card data and tokens.  

Identification data; Device information; Payment card data; KYC-information; Feedback or correspondence; Usage information; Payment information. 

Lawful basis

Our processing is based on Article 6.1(b) as it is part and parcel of delivery of the payment card service; we will not be able to provide said service/fulfil our contractual obligations if the processing is not performed. 

Our processing is based on Article 6.1(b) as it is part and parcel of delivery of the payment card service; we will not be able to provide said service/fulfil our contractual obligations if the processing is not performed.

Our processing is based on Article 6.1(b) as it is part and parcel of delivery of the payment card service; we will not be able to provide said service/fulfil our contractual obligations if the processing is not performed. 


Retention period

For the period the customer holds a Steven Payment Card; except, however, the personal data Steven must archive to comply with applicable laws will be stored in accordance with Section 4.1.7

4.1.7. Comply with legal obligations

Purpose of the processing

To prevent our operation from being used for money laundering or terrorist financing, which includes:

  • To confirm your identity, including to carry out KYC-check; 

  • To study and analyse your use of our services, and transactions made within the App and/or with the payment card, in order to detect misuse/fraud, and money laundering; 

  • To conduct risk assessments; and

  • To store documents in accordance with law.

The above jointly called “AML-purposes”

Personal data

Identification data; Device information; Payment card data; KYC-information; Feedback or correspondence; Usage information; Payment information. 

Personal data will be used only to the extent necessary in the individual case.

Lawful basis

Our processing is based on article 6.1(c), to comply with legal obligations.


This processing will only be carried out if you use any of our payment services within the app: uploading funds to your Steven account or using the Steven Payment Card.


Purpose of the processing

  • To apply secure identification in connection with executing transactions;

  • To report to authorities when we have a legal obligation to do so e.g., to Tax agencies, to supervisory authorities, and to the police;

  • To fulfil bookkeeping and accounting requirements.

Personal data

Identification data; Device information; Payment card data; KYC-information; Feedback or correspondence; Usage information; Payment information.

Personal data will be used only to the extent necessary in the individual case.

Lawful basis

Our processing is based on article 6.1(c), to comply with legal obligations.


This processing will only be carried out if you use any of our payment services within the app: uploading funds to your Steven account or using the Steven Payment Card.


Purpose of the processing

  • To apply secure identification in connection with executing transactions;

  • To report to authorities when we have a legal obligation to do so e.g., to Tax agencies, to supervisory authorities, and to the police;

  • To fulfil bookkeeping and accounting requirements.

Personal data

Identification data; Device information; Payment card data; KYC-information; Feedback or correspondence; Usage information; Payment information.

Personal data will be used only to the extent necessary in the individual case.

Lawful basis

Our processing is based on article 6.1(c), to comply with legal obligations. 

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to comply with applicable laws.

Purpose of the processing

  • Provide you with relevant and required information regarding/in relation to the use of our services.

Personal data

Identification data.

Lawful basis

Our processing is based on article 6.1(c), to comply with legal obligations. 

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to comply with applicable laws.

Retention period

The personal data will be actively processed as long as the customer relationship is active. We will need to store the KYC-information for five to ten (5-10) years, and for accounting and bookkeeping purposes we store data for seven (7) years plus one (1).

4.1.8. Claims, disputes, safeguard rights etc.

Purpose of the processing

To manage and defend ourselves against legal claims and safeguarding our legal rights we need (where applicable): 

  • To investigate, respond to and defend a legal claim;

  • To demonstrate regulatory compliance and fulfil audit obligations;

  • To provide information to a potential buyer in connection with sale of receivables, an acquisition or merger of the business (de-personalized or pseudonymized data is used as far as possible).

Personal data

All categories of personal data as stated in Section 3.

Personal data will be used only to the extent necessary in the individual case.

Lawful basis

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to defend ourselves against or manage a legal claim. We also have a legitimate interest to safeguard our rights and, in some cases, to sell your outstanding debt.

Retention period

The personal data will be processed for these purposes during the time we need to retain the personal data in our system. In case of a claim, we will retain the personal data until the claim has been finally settled. 

4.2. Visitor of our website and inquires

General information about the personal data processing

While you visit our website, we collect certain information that will identify you in some cases. Your own browser and device settings affect what information we can collect from your visit. Please read our Cookie Policy to obtain the full picture. If you contact us via our website or sending a letter or an email, we have to collect the information you submit to us in order to handle your enquiry.

Detailed information about the personal data processing

Purpose of the processing

If you contact us by using our digital communication services such as a form on our website or our chat-box; or sending a letter or an email, we have to collect and store personal data in order to

  • enable the use of digital communication services such as the chat-box.

  • recognize your device and thereby optimize the chat-box functionality.

  • manage and respond to your question/request. 

  • confirm your identity.

Personal data

Contact information; Feedback or correspondence; Device information (if you are contacting us through our digital services). 

We use necessary cookies for these purposes, read more in our Cookie Policy.

Lawful basis

Our legitimate interest. When balancing interests, Steven has determined that we have a legitimate interest to manage and respond to queries, and to run out business.

Retention period

Usually, personal data related to inquiries is erased within six (6) months after the inquiry has been properly responded and terminated. However, if we assess that the conversation has contents that we need for the purpose of managing and defending legal claims or safeguarding our legal rights the storage period will be extended to the period of time necessary to achieve these purposes.


Personal data collected by our use of cookies are retained in accordance with our cookie policy.

4.3. Employees and representatives at suppliers, stakeholders, and authoritiesGeneral information about the personal data processing

General information about the personal data processing

As an employee or a representative of a company/organisation that we have a business relationship with (e.g. a supplier), we may process your personal data as follows. The information is collected from you or from your employer. 

Detailed information about the personal data processing

Purpose of the processing

Enter into contracts with suppliers and stakeholders, to administer the contractual relationship, for instance receive delivery of goods, use customer support and otherwise communicate. 

Communicating with supervisory authorities, managing our licenses, and fulfilling legal obligations such as reporting commitments.

For accounting purposes personal data may be stated on supporting documentation/invoices/vouchers.

To investigate, manage and defend us against legal claims and safeguarding our legal and contractual rights (where applicable). For instance, within a dispute with your employer/ principal.

Personal data

Contact information; agreement data; Feedback or correspondence.


Contact information; agreement data; Feedback or correspondence; and case related data.  

Contact information; agreement data; Feedback or correspondence.

Contact information; agreement data; Feedback or correspondence.

Lawful basis

When balancing interests, Steven has determined that we have a legitimate interest in being able to fulfil our obligations with your employer, we also have an interest in use the services/product we bought and safeguard our contractual rights.

When balancing interests, Steven has determined that we have a legitimate interest in complying with applicable law and safeguard our licenses.

Comply with a legal obligation to which we are subject.

When balancing interests, Steven has determined that we have a legitimate interest in defending ourselves against a legal claim, as well as safeguarding our legal and contractual rights.

Retention period

The personal data will be processed as long as we have a relationship with your employer/ principal and two (2) years thereafter. However, if we assess there is information we need for the purpose of managing and defending legal claims, show compliance with a legal or contractual obligation or safeguarding our legal rights, the storage period will be extended to the period of time necessary to achieve these purposes. For accounting and bookkeeping purposes, we store data for seven (7) years plus one.

4.4. Candidates that apply for an employment

General information about the personal data processing

If you send your resume to us or complete a job application, we will process personal data about you. The personal data is collected from you and from third parties such as suppliers of information registers, Internet, and your work references. If we perform tests within the recruitment process, we will provide information about personal data processing of such purposes before initiating the test. We will also ask for your consent before we start such processing activities.

Detailed information about the personal data processing

Purpose of the processing

For the main purpose to find candidates and hire personnel we need to perform and manage a recruitment process. 

To collect and review your application, personal letter, and any certifications. To assess and consider candidates based on experience and qualifications.

To verify the information you have provided by controlling it against other sources. Including, for some roles, carry out a background check (a credit check).

To administrate invitations and bookings to interviews and communicate with candidates.

To inform you about other or future employments that could suit you.


To investigate, manage and defend us against legal claims in the view of Swedish discrimination law as well as safeguarding our legal rights.

Personal data

All data you provide to us in your application, usually: name, social security number, address, contact details, education and grades, work reference, professional experience, and other information that you provide about yourself in your application, and image.

The above-mentioned personal data and results from our controls, notes from interviews and from contacts with your work references.


Name, social security number, work reference, professional experience. Results from our controls which can include financial information (credit checks). Notes from interviews and from contacts with work references.

Contact details and information in communication between us.

Contact details and information in communication between us.

Only the information related to your recruitment process that is necessary for the specific case.

Lawful basis

When balancing interests, Steven has determined that we have a legitimate interest in recruiting new personnel.


When balancing interests, Steven has determined that we have a legitimate interest in recruiting new personnel.

When balancing interests, Steven has determined that we have a legitimate interest in recruiting new personnel.

When balancing interests, Steven has determined that we have a legitimate interest in recruiting new personnel.

When balancing interests, Steven has determined that we have a legitimate interest in recruiting new personnel. Your consent (if we save your information for this purpose for more than six (6) months).

When balancing interests, Steven has determined that we have a legitimate interest in defending ourselves against a legal claim, as well as to safeguard our legal rights and to comply with/carry out legal obligations in the field of employment.

Retention period

Unless you have given us your consent, personal data will only be processed for six (6) months after the recruitment process is over in order to inform you about future employments. However, we will save your documents for two (2) years in order to protect our rights under Swedish discrimination law.

5. Who do we share your personal data with?

To run our business and to provide the services, we need to work with other companies that can provide us with services and functionalities that Steven cannot provide itself, e.g., suppliers of systems, data storage, communication tools, payment solutions and websites/ platforms. In some cases, this means that we have to share your personal data with third parties. In this Section 5 we will inform you about the categories of recipients that we will share personal data with. 

5.1.Suppliers of IT-software and data storage. These recipients are data processors which means that they are only allowed to process the data they receive from us in accordance with our written instructions and for Steven’s purposes. Purposes: Steven needs to use the suppliers’ services to run its business and to be able to provide its services digitally and communicate digitally. The lawful basis is our legitimate interest in operating our business and using digital products and services that we do not produce ourselves. Data subject: Steven’s Customers; Visitors of our website and persons sending inquires; Employees and representatives at suppliers, stakeholders and authorities; and Candidates that apply for an employment. The categories of personal data that these suppliers get access to, depends on the service/product they provide, for example, the supplier of email software for communications will have access to Contact information and Feedback and correspondence data. As far as possible, we use encryption and pseudonymisation to minimize the volume of personal data shared in a clear form.


5.2. Payment service providers. Purposes: to enable you do transactions/pay within Steven’s App (see Section 4.1.2). Personal data shared: We share order identifiers that will pair the Customer at Steven with a payment order at the payment service provider in question. The payment service provider may request additional information directly from you to process your payment (which is a data collection that the provider is responsible for). 

Please make sure that you read the payment service provider’s terms that might apply when using the payment services. If you have any questions relating how the payment service provider handles your personal data, you can contact the provider.


5.3. Account information service provider (Klarna Bank). Purposes: to collect financial- and account information from your bank if you choose to connect the App with your bank i.e. the Open Banking feature (part of Section 4.1.4). Personal data shared: We share your social security number with Klarna Bank. Klarna Bank may request additional information from you to process such request. Please make sure that you read their terms and conditions and privacy note before activating this feature.


5.4. Payment processing provider (for the Steven Payment Card and wallet). The provider is Enfuce Financial Services Ltd. Purposes: To provide you with the payment card (at your request) and to enable payment transactions. The provider assists us with card issuing, payment processing, match transactions, add the payment card to digital wallets, fraud- and money laundering prevention, see Section 4.1.6 and Section 4.1.7 regarding AML-purposes. The provider will in turn share data the parties involved in the payment transaction process e.g., MasterCard, digital wallets, banks, merchants, and other payment service provider. Personal data shared: We share Payment card data and KCY-information with them.


5.5. Third party tools/features. Purposes: To enable you to integrate with your Google Contacts via Steven which means sending invitations to Steven and your Steven groups to your Google contacts; helping you to find friends who already use Steven. Personal data shared: We share Device information, your Google username and email address, your sharing settings, phone number.


5.6. Suppliers for managing direct marketing communication and newsletters. Purposes: For direct marketing purposes, to provide you information about our business, and feature updates that we believe are relevant for you. Personal data shared: We share Identification data, and then the supplier collects history of what information we previously sent you and how you interacted with such information.


5.7. Suppliers of information registers and suppliers for carry out KYC and AML measures. Purpose: To confirm and verify your identity, and to carry out processing related to fraud and to AML-purposes. Personal data shared: We share name and social security number.


5.8. Analytical software tools. Purpose: to analyse how you found the App and how you downloaded it (as part of evaluating, improving, and developing our services as described in Section 4.1.1.). Personal data shared: Device information.


5.9. Authorities. Purposes. We may disclose necessary personal data to authorities such as the police, tax agencies or other authorities if we are required by law or you have agreed to it. An example of legally required sharing is for AML-purposes. Personal data shared: We share KYC-information.

5.10. Courts, counterparties, and legal representatives. Purposes: In connection with disputes, we need to disclose the data that is relevant to the case.

 

5.11. Divestment. Purposes and lawful basis: In the event that we sell off any business or assets, we may disclose parts of your personal data to the prospective buyer of such business or assets. If we or substantially all of our assets are acquired by a third party, personal data about our customers may be disclosed and transferred. The lawful basis is Steven’s owners’ legitimate interest in being able to sell its shares, and/or Steven’s legitimate interest in being able to sell a specific part of its business or re-organise. 

6. Is your data processed outside of the EU/EEA?

We store your personal data in servers located in the European Economic Area (EEA), but we may use service providers that are based elsewhere in limited occasions. In cases where your personal data may be transferred outside of the European Economic Area (EEA) we ensure the lawfulness of the transfer using a valid legal mechanism. These mechanisms include adequacy decisions adopted by the European Commission concerning a specific country and European Commission’s Standard Contractual Clauses for international transfers of personal data. In addition, we use additional security safeguards such as encryption to ensure the security of the personal data transferred.

Currently we have suppliers based in the U.S. with whom we have entered into European Commission’s Standard Contractual Clauses for international transfers of personal data. Contact us at info@getsteven.com if you want more detailed information on the recipients of the personal data and/or a copy of the measures that we have taken with such recipient to protect the data.

7. Information about your rights under the GDPR 

Below is an overall description of the rights you have under the General Data Protection Regulation. You exercise your rights by contacting us. You can contact us by email, info@getsteven.com, or letter to us at BOX 5183, 102 44 Stockholm, Sweden.

Upon receipt of your request, we will make an assessment of the request to determine if it is justified. All rights set forth below are not absolute and exceptions may be made.

We shall answer to your request without undue delay and at least within one (1) month. The replay will be in writing but, upon your request the information can be given orally (provided that we have been able to identify you). 

Right to information. You have the right to be informed about how your personal data is processed, such information shall be provided in connection with the collection of data about you. We do this through this privacy policy. We will also make sure to answer any questions you have regarding the processing. 

If something happens to your personal information that may affect you negatively, you have the right to know. In that case, we will contact you.

Right to access. You have the right to obtain a confirmation as to whether we process personal data about you, and where that is the case, you have the right to get access to the data, together with information about the processing. Such information shall include, among other things, the purposes of the processing and who we will share your data with (recipients). 

We will provide you with a copy of the personal data processed. If such a copy would adversely affect someone else’s rights and freedoms, the copy may need to be restricted e.g. we may need to mask personal information about another person. If you have made your request by electronic means, we will provide you the information in an electronic form, unless you request otherwise.

Right to rectification (correction). The personal data we process about you must be correct, accurate and complete for the purpose in question. You have the right to request rectification of inaccurate personal data of you. You also have the right to request that we complete with relevant personal data that you believe is missing. 

Right to erasure (right to be forgotten). You have the right to request erasure of your personal data. In the following cases we must delete your personal data: the personal data is no longer necessary for the purpose for which they were collected; the processing is carried out based on your consent and you revoke this; the processing takes place for direct marketing and you oppose this; the processing turned out to be unlawfully processed; or deletion is required to fulfil a legal obligation. 

We are also obliged to delete your personal data if you have objected to the processing, and we have no overriding legitimate grounds for the processing that outweigh your interest.

The right to erasure is not an absolute right and there may be legal obligations, contractual relations, and compelling legitimate interests which require us to continue the processing. We are also entitled to continue the processing if necessary for the establishment, exercise or defence of legal claims. 

Right to restriction of processing. In certain cases, you have the right to request restriction on the use of your personal data, e.g., if the accuracy or legality of the personal data is under investigation by us. For instance, if you have requested that incorrect personal data shall be corrected, or if you have objected to the processing. This means that while the matter is being assessed, you can request that the processing of the relevant data also is restricted.

You can also request that we restrict the processing of your personal data in cases where we usually should erase the data; this applies if we no longer need your personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims. This also applies if the processing is unlawful, but you oppose the erasure of such personal data of yours.

If we have restricted the processing, we may nevertheless process the restricted data a) for the establishment, exercise, or defence of legal claims, b) to protect another natural or legal person’s rights, or c) for reasons of important public interest. We may also process them if we have received your consent.

If we have restricted your personal data, we will notify you before the restriction expires.

Right to object. You have the right to object to the processing of your personal data if the legal basis for the processing is a balance of interests, or to perform a task of public interest. If you object to the processing, we must cease the processing unless we can demonstrate compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, or for the establishment, exercise or defence legal claims.

You always have the right to object to us using your information for direct marketing purposes, we must then cease such processing activities.

Right to data portability. If you have provided personal data to us and given us your consent for processing, or if you have provided personal data due to an agreement with us, and the processing is carried out by automated means, you have the right to receive the personal data in a structured, commonly used electronic form. 

You also have the right to have the personal data transferred to another controller, e.g. another company, if technically feasible. For example, if you want to use their services instead. 

Right to withdraw your consent. If we are processing your personal data on the basis of your consent, you may withdraw this consent at any time. Your withdrawal does not affect the legality of our processing up to the point of your withdrawal.

The right to object to automated decision-making and profiling. We do not carry out processing and do not make decisions based solely on automated processing, including profiling.

Right to make a complaint. If you are not satisfied with how we are processing your personal data, we ask that you contact us. You also have the right to lodge a complaint with a supervisory authority, which in Sweden is the Swedish Authority for Privacy Protection (www.imy.se), Integritetsskyddsmyndigheten, Box 8114, SE-104 20 Stockholm.

8. Updates to this policy

We may occasionally update this Privacy Policy. If we make significant changes, we will notify you of the changes through the App or through other means such as email. We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.