1. Purpose

1.1 This Privacy Policy applies when Sileon AB (“Sileon”, “we”, “our”), organization number 556584-5889, Box 4169, 102 64 Stockholm, Sweden, carries out the processing of personal data relating to consumers who use Sileon’s services or who make a purchase from a merchant who uses Sileon’s services (“you”, “your”). Sileon’s processing of personal data complies with applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 (the “General Data Protection Regulation”).

2. The purposes of the processing

2.1 The Merchant works in conjunction with Sileon and allows you to use one or more Sileon payment methods for your order. The claim arising from the contract between you and the Merchant is then transferred to Sileon if Sileon’s payment method is used (factoring).

2.2 Sileon therefore processes your personal data when this is necessary for the purpose of the purchase and assignment of the claim arising from the contractual relationship between you and the merchant. Sileon also processes personal data for the purpose of processing the subsequent payment transaction from Sileon, in connection with contacts in a contractual context and to prevent fraud and similar crime. Sileon’s processing of personal data is based on the legal basis fulfilment of contracts. If necessary, we also transfer personal data in this context and for this purpose to our partners. Sileon cannot provide its services without processing personal data.

2.3 Your personal data is used by Sileon for payment of the merchant’s products and services, delivery of products, invoicing, information, as well as for contact with you as a customer.

2.4 Processing of personal data is also carried out by Sileon in order to comply with legal obligations imposed on Sileon, e.g. under the Consumer Credit Act (SFS 2010:1846) and the Act on Measures against Money Laundering and Terrorist Financing (SFS 2017:630) and to disclose necessary information to authorities such as the Police, tax authorities or other bodies, to the extent that we are legally required to do so or we have a legitimate interest in the disclosure. An example of such legally necessary disclosures is disclosure for the purpose of combating money laundering and terrorism.

2.5 We also process your personal data for our legitimate interest to be able to take measures to prevent fraud, develop our services and provide information and marketing that we believe you may be interested in.

3. Personal data being processed

3.1 Personal data is any information that can be linked to a living person. Sileon collects and processes different types of personal data within the framework of its business, depending on the type of service that the data subject uses (such as Swish, PayPal, purchase against invoice, card purchase, credit purchase, etc.). The information is either provided directly by you or collected by Sileon to supplement the information you provided, so that the purchase is as smooth as possible.

3.2 The following personal data may be collected by Sileon from you. What is collected depends on which of Sileon’s services you use:

a) Information about your identity – first name, last name and social security number.
b) Your contact details – address for invoice and delivery, e-mail address, telephone number.
c) Payment information – credit or debit card data (card number, validity date, CVV code, card owner).
d) Travel information – if the purchase relates to a trip, Sileon processes information about the trip and the identity of the traveler or travelers.

3.3 Sileon may also need to process other types of personal data depending on the type of service, either due to requirements from merchants (the person you purchase the service or goods from) or due to law or regulation. Such personal data is collected from credit reporting agencies or the merchant. Sileon may need to collect and process:
a) Information about the purchase – information about the product, service or trip to which the payment relates.
b) Credit information – information about you needed to assess your credit, such as your income, any credits and negative payment history.
c) History – In order to carry out a credit check, Sileon may process data about your previous purchases and your payment and credit history with the merchants using Sileon’s services.
d) Sanctions and PEP lists – comparison of your personal data with lists of sanctioned and politically exposed persons. These lists contain information such as name, date of birth, place of birth, occupation, or position, as well as reasons for inclusion in the list.
e) Communication data – to know how you have been treated and be able to handle support cases, Sileon processes information about how you used Sileon’s service, pages, and infrastructure. These logs are automatically deleted at regular intervals.
f) IT data – in order for you to communicate with Sileon’s systems, we need to process data about the device you are using, such as the device’s IP address and operating system.

3.4 If you contact Sileon’s customer service for assistance with a case or for a refund, the case will require Sileon to process your personal data. Personal data processed within the framework of customer service may include, for example:
a) Information about your identity – such as first name, last name, and social security number. If you also provide information about the identity of others, Sileon will not save that information unless it is required for the case or to investigate fraud or other matter.
b) Contact details – such as address for invoice, delivery address, e-mail address, mobile number and telephone number, population registration address (can be collected from the Swedish Tax Agency to ensure that the address is correct).
c) Case description – when you contact us and describe the support case, Sileon cannot control what information you provide. Your case description may therefore include personal data that Sileon has no reason to process. Examples of such data are information about trustees, family members, etc. We process your personal data for as long as the support case is ongoing, but for a maximum of twelve (12) months.
d) Voice Recording – Sileon may process a recording of your call for educational purposes and to ensure the best possible customer experience. This recording will be stored for six (6) months.
e) Final invoice – when contacting customer support, your credit agreement may be terminated. Customer Support will then process the personal data required to create a final invoice.
f) Refund processing – if the customer service case concerns or leads to a refund, Sileon will need to process the bank account details for the payout, as well as the price and other details of the purchase to which the refund relates.

4. Automated decision-making

4.1 In connection with purchases against invoice, Sileon performs a credit check. Personal data is then collected from credit reporting companies that Sileon collaborates with to make an overall credit assessment. The data is also collected to confirm your identity and address.

4.2 The credit check assesses factors such as your payment history, your income, your credits, and your credit costs. Based on these factors, the credit check will either allow or deny you a purchase against invoice or the credit you applied for. Information about denied or granted credit will not be processed by Sileon other than to avoid Sileon unnecessarily repeating the credit assessment process.

5. Recipients of personal data

5.1 Sileon’s services require Sileon to cooperate with and interact with other systems and actors. In order to make payments and administer customer relationships, Sileon will transfer your personal data to other organizations when it is necessary for the performance of contracts or in accordance with any law, regulation, or decision that Sileon must comply with. The following types of recipients may apply:
a) Merchants – for the most part, merchants who use Sileon’s services are themselves responsible for collecting the data they need to respond to you. In some cases, Sileon will supplement the merchant’s information in order for Sileon or the merchant to fulfill its obligations under contracts with you.
b) Credit reference agencies – according to the description provided above, Sileon will disclose information about you to credit reference agencies when Sileon is required to assess your creditworthiness. Sileon does this to confirm your identity, assess your creditworthiness and determine whether Sileon can offer you the payment method you have chosen.
c) Authorities – Sileon may need to disclose information to authorities, such as the Police or the Swedish Tax Agency, if we are required to do so by law or if you have requested that we do so. In some cases, Sileon may be prevented by law from telling you that your personal information has been requested by government agencies.
d) Notification Services – Sileon uses services to communicate automatically with you, e.g., with confirmations or reminders by post or email. These companies only have access to your name, address or email address and are committed to not sharing your personal data with anyone except when it is necessary to carry out the service.

We also share personal data with our partners (for the purpose of carrying out credit checks and making payments), service providers and with credit reference agencies as part of providing our services.

5.2 Sileon processes as much of its data as possible within the EU/EEA. If data is transferred to be processed by a supplier or subcontractor outside the EU/EEA, the transfer will take place in accordance with applicable data protection legislation. For example, Sileon ensures that the recipient always enters into contractual terms and appropriate safeguards (if applicable) with Sileon that ensure that the recipient maintains a level of protection comparable to the EU/EEA.

6. Retention of personal data

6.1 Personal data is only retained for as long as is necessary to fulfil the purposes described above and if Sileon is obliged to store personal data for a certain period of time by law, e.g., according to rules on accounting and money laundering. This means that most of the personal data collected about you will be automatically deleted after a payment has been made or a credit has been paid off. There are certain exceptions that result in Sileon retaining personal data even after a debt relationship has ended; these are described below.

6.2 Contact information and identity information will be retained by Sileon’s system after each completed purchase for a shorter period in order to enable troubleshooting and testing.

6.3 The data of a financial nature that Sileon collects from credit reference agencies is always retained for three months from the last time it was used. This avoids repeating the credit assessment process more than necessary.

7. Deletion of personal data

7.1 Personal data is deleted or depersonalized when the data no longer needs to be retained. Depersonalized means that the data can no longer be used to identify a person.

7.2 Before data is used as a basis for statistics and product development, it is depersonalized and aggregated, which means that it can no longer be linked to you, either by Sileon or anyone else. The information therefore no longer contains personal data.

7.3 When Sileon performs a deletion of personal data, it cannot be revoked/recreated and once the deletion has been carried out, no person can any longer be associated with the information that remains.

8. Information security

8.1 As a data controller, Sileon takes appropriate technical and organizational measures to protect the personal data processed in accordance with Section 2 of the General Data Protection Regulation. Sileon has specific internal policies and processes for dealing with information security issues and for preventing and detecting leaks.

8.2 If your personal data is subject to a security incident (so-called “personal data breach”), Sileon will contact you in accordance with the General Data Protection Regulation.

9. Your rights

9.1 Sileon has a registered Data Protection Officer who can be contacted according to the contact details below. The Data Protection Officer is the contact person for the exercise of rights vis-à-vis Sileon.

9.2 You have the right to withdraw consent to a particular processing free of charge without this affecting the lawfulness of the processing before the withdrawal. For example, you may have chosen to consent to Sileon saving your card details to make it easier for you to make purchases in the future. You can revoke the consent yourself and delete your saved card details.

9.3 You have the right to request that the processing be limited to storage and to object to the processing.

9.4 You also have the right to request a register extract, in electronic format or on paper. Sileon will compile information about how your personal data has been processed and send it to you, normally within one month.

9.5 You have the right to request that Sileon rectify personal data that you believe is inaccurate and to submit supplementary personal data (in special cases) if you believe that the personal data Sileon has processed has given an inaccurate picture of you.

9.6 You have the right to request that Sileon delete your personal data. Sileon will then delete personal data that Sileon is not required to retain in order to comply with legal obligations. Sileon will also continue to process personal data in certain other cases, including when personal data must be processed according to the legal basis performance of contract. Sileon will always respond to you and explain its view on what personal data Sileon has the right to continue processing.

9.7 You have the right to data portability, meaning that Sileon, in its capacity as data controller, shall transfer your personal data to another when this is technically possible.

9.8 You have the right, for reasons relating to your specific situation, to object at any time to the processing of personal data relating to you based on a balance of interests including profiling based on these provisions. In that case, Sileon may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or if it is for the establishment, exercise or defense of legal claims.

9.9 You always have the right to lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection (IMY).

9.10 If you wish to request a register extract, revoke a consent, or correct or delete data, please contact Sileon’s Data Protection Officer, who can be reached at:

Sileon contact information

Sileon AB
Box 4169
102 64 Stockholm

email: dso@sileon.com

This policy was established during the month of December 2015, and last revised during April 2022.