Privacy Policy.

Epassi Sweden AB, Epassi Finland Oy and Epassi Clearing Oy

  1. GENERAL INFORMATION

Epassi Finland Oy, Epassi Sweden AB and Epassi Clearing Oy (together “Epassi”, “we” or “us”) respects your privacy and is dedicated to protecting the privacy of persons using Epassi’s services. This privacy policy describes how Epassi processes personal data, for example what kinds of personal data we collect, for which purposes the personal data is used and to which parties the personal data can be disclosed.

This privacy policy applies to users of Epassi’s services, including users of Epassi’s end-user services and our websites as well as when we communicate about our services or for customer relationship management reasons. In addition, this privacy policy also applies to our employer customers’ contact persons, potential employer customers’ contact persons and merchant customers’ contact persons.

Personal data refers to any information relating to a natural person (“data subject”) that can identify him/her directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). Epassi complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (“data protection legislation”).

Our services may also contain links to external websites and services operated by other organizations that we do not manage. This privacy policy is not applicable to their use, so we encourage you to review the privacy policies that apply to them. We are not responsible for the privacy policies of other websites or external services.


  2. JOINT CONTROLLERS AND CONTACT INFORMATION

Joint controller: Epassi Finland Oy

Business ID: 2090737-1

Address: Linnoitustie 11, 02600 Espoo, Finland

Email: dataprivacy@epassi.com

Joint controller representative: Mikael Nordenswan


Joint controller: Epassi Sweden AB

Business ID: 556617-0030

Address: Storgatan 31, 461 30 Trollhättan, Sweden

Email: dataprivacy@epassi.com

Joint controller representative: Mikael Nordenswan


Joint controller: Epassi Clearing Oy

Business ID: 2872241-9

Address: Linnoitustie 11, 02600 Espoo, Finland

Email: dataprivacy@epassi.com

Joint controller representative: Mikael Nordenswan


  3. PURPOSES, TYPE OF DATA, LEGAL BASES AND RETENTION TIMES FOR PROCESSING

Epassi collects only such personal data that is relevant and necessary for the purposes described in this privacy policy. The personal data is subject to periodic updates, as required by mandatory law. The personal data is processed fully separately from other Epassi systems and is not connected to other processing purposes.

Personal data will be processed for the following purposes:

3.1. Authentication of end-users

The personal data is processed in order to carry out the end-users’ KYC (Know Your Customer) process so that Epassi is able to identify end-users according to its legal obligation and provide end-user services.

The personal data we process within the scope of this purpose include:

  • Name
  • Nationality
  • Date of birth
  • Personal identification code
  • Residential address
  • Profession
  • Political exposure
  • Information on the document used to verify the identity, or if the person has been remotely identified, information about the procedure or sources used in the verification

The personal data required for authenticating the end-user is processed by Telia Finland Oyj on behalf of Epassi.

Legal basis: The processing of personal data is based on a legal obligation.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and for a maximum period of five years thereafter, and beyond that period if any open inquiries relating to the end-user exist or if mandatory national legislation so requires.

3.2. Authentication of merchant customers

The personal data is processed in order to collect and store the KYC (Know Your Customer) information and the risk categories of Epassi’s merchant customers to comply with our legal obligations.

The personal data we process within the scope of this purpose include:

  • Date of birth
  • Personal identification code
  • Nationality
  • PEP status of the members of the boards of directors, managing director and persons who own more than 25 % of the firm

The data is processed by Visma Solutions Oy as a processor on behalf of Epassi.

Legal basis: The processing of personal data is based on a legal obligation.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and for a maximum period of five years thereafter, and beyond that period if any open inquiries relating to the consumer exist or if mandatory legislation so requires.

3.3. Epassi product and system data

The personal data is processed for the distribution, use, maintenance, and development of Epassi specific and general payment instruments, financial data, application usage data and other tech solution back-end data.

The personal data we process within the scope of this purpose include:

  • Name
  • Company (Employer)
  • Transactional information
  • Purchase history
  • Access logs
  • User device
  • Email address
  • Personal identification code (in Sweden)
  • Phone number
  • Postal code
  • User balances
  • Personal data provided by the data subject

Legal basis: The processing of personal data is based on a valid contractual relationship when distributing and using the services; in other respects, the processing is based on Epassi’s legitimate interest to maintain and develop such services, both toward its employer customers and its end-users (consumer customers). The processing of the personal identification code is based on the applicable legislation or on the consent given by the data subject.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and thereafter for a maximum period of two years. Personal data processed and retained as transactional and financial information is stored for 10 years from the date of creation, as required by mandatory law. Storage may continue for even longer periods for the reasons presented in Sections 3.1 and 3.2.

3.4. Reporting to employer customers about used benefits

The personal data is processed in order to report to Epassi’s employer customers on benefit usage in relation to the allocated benefit. The processing is necessary in order to inform the employer customers of the use of employment benefits for payroll purposes, to conclude salary deductions, and for taxation and invoicing purposes. The personal data can also be processed and shared with employer customers to investigate fraud or misuse of benefits (or suspected cases thereof).

The personal data we process within the scope of this purpose include:

  • Amount of benefit given
  • Amount of benefit used
  • 10 most popular merchants used by the employees
  • Benefit category (in Sweden)
  • If requested by the employer: individual benefit usage data, i.e. amount of benefit used and place of purchase.

Legal basis: The processing of personal data is based on a contract. The processing of personal data is based on a legal obligation (fraud/misuse).

Retention period: Personal data is stored for as long as the end-user uses the Epassi services or as required by law in relation to fraud/misuse (10 years transaction history).

3.5. Storage of end-users’ transaction history

The personal data is processed in order to store the end-users’ transactional history to establish or defend legal claims, if necessary.

The personal data we process within the scope of this purpose include:

  • Name
  • Company
  • Transactional information
  • Purchase history
  • Access logs

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to store transaction history in order to establish or defend legal claims.

Retention period: Personal data is stored for a period necessary in order to establish, exercise or defend legal claims. For transactional and financial information, the storing period is at least 10 years as required by mandatory law.

3.6. User communications and marketing

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Telephone number
  • User preferences
  • User balances
  • Company (Employer)
  • Geographical location (in Sweden)

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to promote Epassi’s products and/or services to the users. The processing of personal data is also based on the consent given by the data subject in relation to direct marketing in order to provide targeted marketing and advertising, as well as to provide marketing of third parties’ products or services. The data subject has the right to refuse personal data being used for direct marketing and may at any time recall prior consent.

The electronic user communications (as delivered via email) are conducted through APSIS, and Apsis International AB acts as the processor. More information on data transfers is provided in Section 6.

Retention period: Personal data is processed as long as the end-user remains a customer of Epassi and/or has accepted the relevant marketing opt-ins for direct marketing purposes.

3.7. Evaluation and follow-up of emails

The personal data is processed in order to evaluate and follow up on the recipients’ actions when an email has been sent to the end-users of the Epassi services. This may also include generating aggregated statistics regarding those actions.

The personal data we process within the scope of this purpose include:

  • Email address
  • Information whether the data subject has opened an e-mail or any attached material or if the data subject has clicked on any links or deleted the e-mail

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to be able to follow up on how the recipients of e-mail act when receiving e-mails from Epassi.

Retention period: Personal data is processed as long as the end-user remains a customer of Epassi and/or has accepted the relevant marketing opt-ins for direct marketing purposes.

3.8. Website, web analytics and cookies

The personal data is processed in order to develop Epassi’s services using web analytics and cookies as well as to administrate our website and fulfill user requests.

The personal data we process within the scope of this purpose include:

  • IP address
  • User preferences
  • User device

Legal basis: The processing of personal data is based on the consent given by the data subject.

Retention period: Personal data is stored for a maximum period of two years.

3.9. Communicating with Epassi’s employer and merchant customers

The personal data is processed in order to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Bank account number

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data is processed by HubSpot, Inc. as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored for as long as the employer or merchant customer’s contact person is identified as the contact person representing the company.

3.10. Communicating with Epassi’s financing partner for EpassiBIKE service

The personal data is processed in order to communicate with Epassi’s financing partner.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Social security number of a guarantor to a leasing agreement (only in exceptional circumstances when a guarantor is required by financing partner)

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to communicate with Epassi’s financing partners’ contact persons.

The personal data is processed by Svea Bank AB, Svea Bank AB, filial i Finland or Tukirahoitus Oy as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored in accordance with the financing agreement.

3.11. Product deliveries

The personal data is processed in order to deliver products to Epassi’s end-users.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Delivery address for product(s)
  • Name of employer

Legal basis: The processing of personal data is based on a contract and on Epassi’s legitimate interest to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data is processed by Shopify, Inc. as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored for as long as the end-user is employed by the same employer, is leasing a product from an employer, or as long as a certain legal obligation requires.

3.12. Support matters

The personal data is processed in order to administrate the support matters for Epassi’s employer customers and end-users as well as to provide phone line support.

The personal data we process within the scope of this purpose include:

  • Contact details to the party initiating the support matter
  • Contact details to the person responsible for managing the matter
  • Information in text fields provided by the party initiating the support matter
  • Information in log files
  • Phone number

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to administrate the support matters.

Some of the support matters (first-instance phone line support) are conducted through Vakka-Suomen Puhelin Oy in Finland as the processor, whereby calls are recorded and stored to, for example, validate the contents of a call in the event of a dispute. More information on data transfers is provided in Section 6.

Retention period: Personal data is stored for this purpose only as long as necessary for the purpose it was collected and thereafter for a maximum period of 2 years.

3.13. Complying with legal obligations (accounting, bookkeeping etc.)

The personal data is processed in order to fulfil our legal obligations, such as for example accounting or tax legislation related obligations.

The personal data we process within the scope of this purpose include:

  • All categories of personal data which have been collected and are necessary in order to comply with legal obligations.

Legal basis: The processing of personal data is based on a legal obligation.

Retention period: Personal data is stored for as long as a certain legal obligation requires. For example, in Finland the Accounting Act imposes an obligation to maintain information on the accounting’s supporting material for 6 years following the end of the financial year. In Sweden, the obligation is 7 years following the end of the financial year.

For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest against the data subjects’ right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.

Where the processing is such that a consent is required by the applicable legislation, we will state so and obtain the consent, and this will be the legal basis for the processing. However, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If such withdrawal means that we are no longer able to provide our services, we may cease to provide the services.

  4. DATA SOURCES

The personal data is mainly collected directly from the data subjects themselves, for example, at the time of registration or use of our services or during a customer relationship.

The personal data can also be collected from the end-user’s employer in relation to services which are provided by the employer and Epassi to the end-user. These are gathered based on the need to contract the end-user as a consumer customer of Epassi and create their personal account at Epassi.

The personal data may also be collected automatically when the data subject uses our services e.g., when using our end-user services and visiting our website.

In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context.

Personal data may be updated and supplemented by collecting data from private and public sources.


  5. RETENTION OF PERSONAL DATA

Personal data collected in connection with our services shall be retained for as long as defined in this privacy policy and as required by law, unless such data is replaced through regular updates or otherwise. The periods vary greatly from one type of processing to another.

We evaluate the necessity and accuracy of the personal data on a regular basis and endeavor to ensure that the incorrect and unnecessary personal data are corrected or deleted.

Detailed retention times can be provided upon request.

  6. DISCLOSURES, TRANSFERS AND RECIPIENTS OF PERSONAL DATA

For the purposes stated in this privacy policy, the personal data may be disclosed, when necessary, to authorities, to other companies within the same group of companies as Epassi, and to selected third parties, such as third-party service providers (for example our IT vendors and marketing agencies conducting marketing on our behalf). In such cases, the personal data will only be disclosed for the purposes defined above, and any disclosure is always limited to the personal data strictly necessary for those purposes. We do not sell or otherwise disclose personal data to any third parties outside Epassi for such third parties’ own purposes.

Regular disclosures of personal data undertaken to third parties in order to provide the agreed services:

  • To Epassi Partners, where such partner’s customer is also an Epassi end-user, and the two purposes coincide and require cross-transferring or matching of personal data;
  • To Epassi Merchants, as required for financial and payment processing related purposes while using the services;
  • To provider(s) of financial services for financing products provided under Epassi’s product portfolio.

In addition, Epassi may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.

The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety and usability of the Epassi products and services.

In order for Epassi to provide the agreed services, personal data is processed also by the following processors of Epassi. List of the processors and other recipients:

  • APSIS International AB (Marketing tool)
  • BitBot Oy (Support tool for EpassiBIKE)
  • Cellip AB (Support tool)
  • ePassi payments Oy (IT operations)
  • Fortnox AB (Finance tool)
  • Freshworks Inc. (Support tool)
  • Google LLC (Google Analytics, Google Ads)
  • Hetzner Online GmbH (Hosting the online service platform)
  • HubSpot, Inc. (CRM tool, Epassi's Finnish employer and merchant customers' contact persons, only applicable in Finland)
  • InExchange Factorum AB (Electronic invoicing)
  • Kund-o AB (Support tool used for case management)
  • Lime Technologies AB (CRM tool, Epassi's Swedish employer and merchant customers' contact persons, only applicable in Sweden)
  • Mainloop AB (IT-development)
  • Microsoft Corporation (Business tools)
  • Parvus Vulpes Oy (Platform tool)
  • Paytrail Oyj (Support tool for EpassiBIKE)
  • Sharpspring (Marketing tool)
  • Shopify (Platform for EpassiBIKE)
    • Lightward Inc. (Functionality tool in Shopify)
    • HulkApps Inc. (Functionality tool in Shopify)
    • Instacollect Inc. (Functionality tool in Shopify)
  • Svea Bank AB and Svea Bank AB, filial i Finland or Tukirahoitus Oy (EpassiBIKE financing partner)
  • Telavox AB (Support tool)
  • Telia Finland Oyj (Strong authentication)
  • Vakka-Suomen Puhelin Oy (Support services for customers, only applicable in Finland)
  • Visma Solutions Oy (Netvisor and know your customer).

  7. DATA TRANSFERS OUTSIDE THE EU/EEA

Some of the services used by Epassi for processing personal data may operate outside the territory of the European Union (EU) or the European Economic Area (EEA). Thus, personal data can be transferred outside the European Union and the European Economic Area. In case personal data is transferred outside the EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as Standard Contractual Clauses (SCC) adopted, including any supplementary measures, where assessed to be necessary, or otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.

The following recipients may transfer personal data outside the EU/EEA:

  • HubSpot, Inc. (Epassi’s Finnish employer and merchant customers’ contact persons data)
  • Shopify, Inc. (Epassi’s end-user data for EpassiBIKE)
    • Lightward Inc. (Functionality tool in Shopify)
    • HulkApps Inc. (Functionality tool in Shopify)
    • Instacollect Inc. (Functionality tool in Shopify)


  8. PROTECTION OF PERSONAL DATA

Securing the confidentiality, integrity, and availability of personal data is important to Epassi. Epassi's Security Management System is based on the requirements of laws, regulations, contracts and certain standards (such as ISO 27001). The Security Management System consists of appropriate technical, administrative, and organizational security measures to protect personal data against unauthorized access, disclosure, destruction, or other unauthorized processing.

Administrative and organizational measures:

  • Dedicated servers in two different geographical locations in the EU. The facilities are certified against an internationally recognized information security standard.
  • Role based access rights management

Technical measures:

  • Firewalls
  • Backups
  • Access controls
  • Monitoring of processing
  • Safe encryption technologies
  • Encrypted network connections (HTTPS)

Nevertheless, considering the cyber threats in today’s online environment, we cannot fully guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data, nor can we guarantee the absolute security of personal data during its transmission or storage on our systems.

All parties processing personal data have a duty of confidentiality in matters related to the processing of personal data. Access to personal data is restricted to those employees and parties who need it to perform their duties. We also require our service providers to have appropriate methods in place to protect personal data.

  9. USE OF COOKIES AND SIMILAR TECHNOLOGIES

The Epassi website uses cookies.

A cookie is a small text file that is stored on your computer and contains information. Cookies are normally used to improve the website for you as a visitor. There are two types:

One type saves a file that remains on the visitor's computer. This file is used, for example, to make it easier for you to use the website according to your preferences and interests.

The second type is called a session cookie. While a visitor is on a website, it is temporarily stored in the visitor's computer memory. Session cookies disappear when you close your browser. No personal information about you, such as your email address or name, is stored in them.

Our website uses both types. When you visit the site, a session cookie is sent between your computer and our web server to facilitate navigation, among other things. Session cookies are also used when you use our e-services. The cookie disappears when you end your visit.

Our website also uses Google Analytics to collect anonymous data for service development purposes.

  10. AUTOMATED DECISION-MAKING AND PROFILING

Epassi does not use any automated decision-making nor any profiling pursuant to the Article 22 GDPR.

  11. RIGHTS OF THE DATA SUBJECTS

The data subject has certain rights in relation to the processing of personal data under applicable data protection laws.

Right of access and right of inspection

The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed.

The data subject has the right to inspect and view data concerning them and, upon request, the right to obtain the data in written or electronic form. This applies to information that the data subject has provided to Epassi insofar as the processing is based on a contract or consent.

Exercising this right is generally free of charge.

Right to rectification and right to erasure

The data subject has the right to demand the rectification of incorrect personal data concerning them and to have incomplete personal data completed.

The data subject has the right to require Epassi to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing. However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy policy and may also be required to be retained by applicable laws.

Right to data portability

The data subject has the right to receive the personal data that he or she has provided to Epassi in a structured, commonly used, and machine-readable format and, if desired, to transmit that data to another controller. The right to data portability applies to the processing of personal data based on consent or a contract.

Right to restriction of processing

The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his or her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, Epassi will limit the access to such data.

Right to object to processing

The data subject has the right to object to the processing of his or her personal data where Epassi is relying on its legitimate interests as the legal ground for processing. For example, the data subject may object to his or her personal data being used for marketing purposes.

Right to withdraw consent

In cases where the processing is based on the data subjects’ consent, the data subject has the right to withdraw his or her consent to such processing at any time.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to the data subject infringes current legislation.

However, we request that the matter first be raised with Epassi.

The relevant authority in Finland is the Data Protection Ombudsman (http://www.tietosuoja.fi).

In Sweden, the relevant authority is the Swedish Data Protection Authority (https://www.imy.se/).

Exercising rights

Requests regarding the rights of data subjects shall be made in writing or in electronic form, and the request shall be addressed to the controller, Epassi.

Identity will be checked before the information is given out, which is why we may have to ask for additional details. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity.

If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. Epassi may refuse the request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services. Please note that Epassi may charge a reasonable fee where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.

The data subject may exercise the aforementioned rights by sending a written request by email or mail using the contact information provided in this privacy policy, including the following information: name, phone number, email address, user id and details of the products and services you have used.

If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us.


  12. CHANGES TO THIS PRIVACY POLICY

Epassi may make changes to this privacy policy at any time by giving notice on the website and/or by other applicable means. Data subjects are strongly encouraged to review the privacy policy on our website from time to time.

If the data subject objects to any of the changes to this privacy policy, the data subject should cease using the services, where applicable, and he/she can request that we remove the personal data, unless applicable laws require us to retain such personal data. Unless stated otherwise, the then-current privacy policy applies to all personal data we process at the time.

This privacy policy has been published on 21.10.2021, version 1.0

Version history

Version number   Change description             Date
1.0              Document created
2.0              Document updated               25.2.2022
2.1              Document updated               17.3.2022
2.2              Document updated (EpassiBIKE)  21.6.2022
2.3              Document updated               3.5.2023
2.4              Document updated               21.11.2023
2.5              Document updated               19.12.2023
2.6              Document updated               15.3.2024