Privacy & Security UK
No matter what role we play or product we use when processing your personal data, your privacy is important to us. If your personal data is processed by us, you should be able to rely on us to manage it securely and with a strong level of protection. You should also be able to feel confident that we have done our utmost to ensure that no outsiders can access your information and that you know what information about you we process. We ensure that your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018 and other applicable legislation related to the products (“Applicable Data Protection Legislation”).
When we process your personal data, we always have a legitimate purpose grounded on a legal basis as to why we process your personal data. We ensure that we only process personal data that is justified in relation to the purposes for which we are processing the personal data. Our ambition is that the personal data we process about you must be correct, which means that we may need to delete the data if it is shown to be incorrect. Your personal data is not stored any longer than is necessary, which means that we delete it if we no longer have a legal basis and a legitimate purpose for processing it.
What is personal data?
Personal data is information that refers to an identified or identifiable natural person. "Identifiable natural person" means a person who can be directly or indirectly identified specifically by reference to an identifier such as a name, identification number, location information, online identifiers, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.
What does processing mean?
The processing of personal data refers to a measure or combination of measures related to personal data - regardless of whether it takes place automatically or not - such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, delivery by transfer, dissemination or other provision, adjustment or merging, limitation, deletion or destruction.
Whose personal data do we process?
We process personal data that relates to applicants who apply to work with us, people who represent potential customers, contact persons for our customers and partners, and users of our products.
Personal data processing as a data controller
Findity AB, org.nr. 556838-8200, Box 108, 771 23 Ludvika, Sweden, (“Findity”), is the data controller for the personal data processed regarding job applicants and the Account Information Service users and for the processing of personal data as stated below regarding customer/partner contact persons using the Companyexpense software.
The Account Information Service and Companyexpense may hereinafter be collectively referred to as the "Products".
When are we data controllers?
Companies in the Group are the data controllers for personal data related to:
- Job applicants
- Contact persons for potential customers who want to use the Products
- Contact persons for customers/partners who use the Products
- Some users of the Products
Why do we process personal data and what kind of personal data is processed?
In order for us to be able to manage customer relationships relating to our Product, we must process the personal data of our customers' contact persons as well as the personal data of users of our Product where we are data controllers.
The personal data is processed primarily to:
- Manage sales and contract processes with customers
- Upon customer request, provide quotes for Products
- Market the Products
- Fulfill our contractual obligations in relation to users where we are the data controller
- Provide support to users of the Products
- Improve the Products' functionality and user-friendliness
- Manage customer agreements by, for example, billing
- Be able to reach contact persons and users.
Regarding the Product, our personal data processing is described in Attachment 1.
We collect personal data related to potential customers in order to carry out marketing measures. Primarily, the personal data collected comprises name, telephone number, company name, title, email address. Personal data is collected, for example, at trade fairs, from public registers and company websites, as well as from our own contact form on our website. The personal data is then used to book meetings with potential customers, send out newsletters, and send invitations to our events or webinars.
The legal basis for our processing personal data related to potential customers is our commercially legitimate interest in processing the personal data. Similarly, in our opinion, processing does not have a negative impact on the data subject's privacy, especially when considering that persons whose data we process may opt out of our marketing mailings, and that the data processed is not of a sensitive nature.
For visitors to our website, IP addresses are stored in access logs; however, this information is anonymized.
How do we collect personal data?
The personal data we process is primarily collected directly from you. However, regarding our customers, we can also collect personal data from someone else who is also employed by your employer. When it comes to job applicants, we often receive personal data during the application process, for example, from a recruiter or directly from you as a job applicant.
We may also collect personal data from public records, websites or when you register as a service user. We may also collect personal data from partners.
We may also process personal data related to images that you upload in the Products, for example, images of receipts. The amount of personal data we collect in connection with these images varies depending on the document that has been photographed.
How do we share your personal data?
We may share your personal data with third parties, for example, in the following situations:
We will share your personal data with partners and suppliers. These may be suppliers of servers, web agencies, or other partners that we work with in the delivery of our Products.
In certain situations, authorities may request that personal data be disclosed to an authority. In such a situation, we will only disclose personal data if there is a decision from the authority that requires the personal data to be disclosed.
In connection with an acquisition, merger with another company, or division of any of the companies in the Findity Group, the acquiring company and/or its hired consultants may demand access to certain personal data that we process about you. In the event of such disclosure, we will ensure that the person who receives the personal data is covered by a confidentiality agreement.
You can choose not to accept marketing from us by either:
- Following the instructions included regarding opting out of our communications; or
- Contacting us using the contact forms provided on the website.
You have the right to access your personal data, which we process, to review it. You also have the right to request data portability for the processed personal data. Should any of the personal data we process about you be incorrect, you can request that we correct it.
In certain circumstances, you have the right to request that the personal data we process about you be deleted. Should you request deletion, we must delete the personal data if (i) the personal data is no longer needed for the purpose for which it was collected, (ii) you revoke any consent, (iii) the personal data is processed illegally, or (iv) the personal data must be deleted for legal reasons.
If you have any questions or want to exercise your rights, please contact our Data Protection Officer at firstname.lastname@example.org
If you have any objections or comments related to our personal data processing, you can also contact the Information Commissioner's Office:
Information Commissioner's Office
or email: email@example.com
When contacting us to assert your rights, we may request ID documents or copies of ID documents in order for you to verify your identity. We process this personal data so that we can fulfill our obligations in accordance with applicable legislation. This data will be deleted as soon as we have verified your identity.
How we process and store your personal data
When we process your personal data, everyone in our business is obliged to comply with Applicable Data Protection Legislation and that which is stated in this document in order to maintain a high level of protection for your privacy.
When we process your personal data, we must:
- Prevent unauthorized access to your personal data
- Prevent the spread of your personal data; and
- Prevent other discrepancies when we process your personal data.
We ensure that your personal data is treated with confidentiality, that your privacy is not compromised by our personal data processing and we guarantee the availability of personal data in accordance with prevailing Applicable Data Protection Legislation.
To achieve the appropriate level of protection when processing your personal data, we use reasonable technical and organizational measures. The reasonableness is assessed on the basis of the category of personal data that we process in relation to the risk that may arise in the event of a breach of our systems or our operations and the costs of introducing protection measures.
- We have appointed a data protection officer
- We have established processes for how we should act in the event of a data breach
- We hold regular training sessions for our employees on issues related to personal data processing
- We have a Data Processing Agreement in place with all our suppliers and other interested parties who process personal data on our behalf.
- We have established instructions for IT management within the organization.
- We use 256-bit encryption (128-bit for some older phones with hardware restrictions) and 2048-bit keys.
- All communication to and from users is encrypted using TLS. Data stored in server environments is encrypted with ZFS encryption.
- Checks for detecting and preventing malware are run regularly using rootkit detection and removal tools.
- IDS/IDP monitors check and delete malware continuously.
- Our Products are in operation on servers in data centers that are monitored and staffed around the clock.
- All data is stored in two different locations in Sweden.
- Data is backed up every hour.
- The data centers are climate-controlled and fire-protected.
- The data centers are equipped with secondary power supplies and diesel generators to ensure the power supply to the servers.
- Our server environment and networks are protected by firewalls.
For how long do we process your personal data?
We will process your personal data for as long as necessary for the purpose for which we have collected the personal data and as long as we have a legal basis for the processing of the personal data. This means that we may process your personal data for some time after a contractual relationship has ended. As soon as we no longer need the personal data or do not have a legal basis for processing it, we will delete it.
Personal data processing as a data processor
As part of how we provide the Products, we will, during certain transactions, process personal data related to users and customer representatives on behalf of our customers in partner and direct customer transactions as these parties have been given the right to provide the Products in their own name. In these situations, our customers and partners decide the purposes and means of personal data processing. This means that, in these situations, we only process personal data on behalf of the customer or partner and may only process such personal data in accordance with the instructions they provide us. The relationship between us and any such partner or customer is governed by a Data Processing Agreement.
When our customers or partners are responsible for personal data, it is the customer or partner who must ensure that they have a legal basis for processing the personal data and that the data subjects are informed in accordance with the requirements set out in Applicable Data Protection Legislation.
When our customers or partners use our products, we must ensure that the products meet the requirements set out in Applicable Data Protection Legislation. We will also work with our customers and partners so that they can fulfill their obligations to those whose personal data is being processed.
The use of data processors and sub-processors
In our personal data processing, we may, in certain situations, use other actors to process personal data on our behalf. When we commission these data processors or sub-processors, the personal data will, as a general rule, not be processed outside the United Kingdom or EU/EEA.
When we commission these data processors or sub-processors, we ensure that they can meet the requirements for processing personal data in accordance with Applicable Data Protection Legislation. We always enter into Data Processing Agreements with such actors to ensure that they meet these requirements. If the person we commission is an actor who may process your personal data outside the United Kingdom or EU/EEA, we make sure to take the measures required under Applicable Data Protection Legislation for a transfer to a country outside the United Kingdom or EU/EEA to be considered legal. For the full list of our sub-processors please refer to Attachment 2.
Links to other websites
In the event our website contains links to third party websites or materials published by third parties, these links are for information purposes only. As we have no control over material or personal data processing on these pages, we take no responsibility for personal data processing related to such pages.
Changes to this Policy
In the event this Policy is changed, an updated version of the document will be made available on our website. Therefore, to keep up to date with its content, we recommend that you visit our website regularly. Should we make any significant changes to this document, for example, change the purpose for personal data processing, we will also send an e-mail or post a notice using our social media.
If you have any questions regarding this Policy, your personal information, or if you suspect that we are breaching your rights, please contact us in one of the following ways:
P.O. Box 108
771 23 Ludvika