Respect for the privacy of the individual is important to us at Billogram and we work proactively to protect the personal data that we process. All personal data is processed in accordance with GDPR. This policy contains information about how we as data controller process personal data if you are a customer of a company that uses our billing and payment service (referred to as “invoice issuer” in this document) and thus receive invoices via our service.

In this Policy, we describe how and for what purposes we use your personal data, the lawful basis for the processing and what measures we take to protect personal data. We also describe how you can invoke your rights in regard to our processing of your personal data.

Billogram’s role as controller

Billogram is in some cases the controller and in other cases the processor for the processing of your personal data. This Privacy Policy describes processing where we are the controller, i.e. where we are the party that decides the purposes (the “why”) and the means (the methods, which personal data to be processed and how long it should be stored).

When an invoice issuer uses our service to provide you with an invoice and distribute your payment, we process your personal data for the most part as data processor for the company where you are a customer. In the role of processor, we process your personal data only in accordance with the controller’s instructions. If you have questions about how your personal data is processed or would like to invoke your rights in respect of billing and payment that are outside the scope of this Privacy Policy, you should contact the invoice issuer where you are a customer.

General information about our personal data processing

We have an obligation to describe how we meet the requirements imposed on us when we process your personal data. This section aims to describe general principles governing our personal data processing.

Lawful basis

In order to process personal data, the controller according to the GDPR must have a lawful basis for the processing. We base our processing of your personal data on the following lawful grounds:

- Legal obligation: Processing of your personal data is necessary for us to meet the legal requirements imposed on us in our business operations.

- Legitimate interest: we have undertaken a legitimate interest assessment and determined that our interests in processing your personal data outweigh your right not to be covered by the processing.

How long do we store your personal data?

We only save your personal data for as long as necessary for the purpose for which it was collected. Depending on the lawful basis, the storage period may be governed by legal requirements imposed on us or be determined by an internal legitimate interest assessment. In the section “How your personal data is processed” below, we specify the criteria for when the purpose ceases and thus the time when we no longer process your data.

When we share your personal data with others

We may share your personal data with others in order for us to perform any of the processing described in this policy, for example for the storage of data. We always enter into Data processing agreements with the data processors we use, in which we, among other things, give the processor instructions on how the personal data may be processed and what security measures are required for the processing. The processor may not carry out any processing of your personal data that goes beyond these instructions.

If required by law, decree, regulation, government decision or other ruling binding on Billogram, we may disclose your personal data to various authorities, such as the Swedish Tax Agency or the Swedish Police Authority.

Transfer of personal data outside the EU/EEA

Where personal data is transferred to countries outside the EU/EEA, we implement safety measures to ensure that the level of security is adequate and in accordance with GDPR. Such safety measures include, inter alia, ensuring the following:

- The European Commission has decided that the third country to which your personal data is transferred achieves an adequate level of protection, in other words, that the protection of your personal data is equivalent to the requirements of GDPR, or

- The European Commission’s standard contractual clauses have been signed between Billogram or its processors and the recipient outside the EU/EEA, meaning that we have entered into an agreement with the processor to ensure that your personal data is protected in accordance with GDPR. In these cases, we also assess whether there is legislation in the recipient country that affects the protection of your personal data. Where necessary, we take special measures to ensure that the protection of your data remains in place when transferring it to the relevant country outside the EU/EEA.

How your personal data is processed

The sections below sets out the personal data we process for different purposes, where the data was collected, the lawful basis for our processing, when the purpose of the processing will cease and, if possible and relevant, the basis for the assessment of the storage period.

Ensure functionality and prevent misuse of our billing service

Categories of personal data we process and source

From your device:
- Type of device, operating system and browser details
- IP address

From Billogram:
-Information regarding navigation within the service (including when the invoice was opened)

Lawful basis

Legitimate interest - Our legitimate interest is that we need to ensure the functionality and prevent misuse of our service to fulfil the requirements towards our customers and you as invoice recipient.

When the purpose ceases

When you no longer receive invoices via our service

Analyse and correct errors within our billing service

Which of the specified categories of personal data that will be processed for this purpose is depending on the nature of the troubleshooting. Only personal data necessary for the specific troubleshooting is processed.

Categories of personal data we process and source

From the invoice issuer:
- Name
- Address
- Customer number
- Name of the invoice issuer
- Invoice number
- Invoice amount
-Date of issue, when the invoice was distributed and due date

From the invoice issuer or from you:
- Personal identity number
- E-mail address
- Telephone number
- Invoice distribution method
- Communication details (communication through the invoice)

From Billogram:
- Billogram unique id
- Recipient id
- Information regarding navigation within the service

From your device:
- Device, operating system and browser details

Billogram or from you:
- Opt-in/opt-out for marketing offers from the creditor (module sales and offerings)

Invoice issuer or generated by Billogram:
- Payment reference number

From Tink or from the invoice issuer:
- Information on chosen bank (for markets with direct debit as payment method)

From the invoice issuer’s bank:
- Information on chosen bank (for e-invoice)

From BankID or similar identification method:
- Date of consent and signing method (for markets with direct debit as payment method)

Depending on payment method: Billogram/invoice issuer /Riverty (if debt collection):
- Payment status (current receivables or liabilities)
- Payment date and method

Lawful basis

Legitimate interest - Our legitimate interest is that we need to correct errors in our service to fulfil the requirements towards our customers and you as an invoice recipient.

When the purpose ceases

3 months after the error is handled (the time we deem necessary to follow up on managed errors)

Improve, develop and measure the use of our billing service

Categories of personal data we process and source

From the invoice issuer or from you:
- E-mail address*
- Invoice distribution method
- Communication information regarding invoices and payments
- Customer number*
- Name of the invoice issuer
- Invoice amount
- Date of issue, when the invoice was distributed and due date

From the invoice issuer:
- Customer number*
- Name of the invoice issuer
- Invoice amount
- Date of issue, when the invoice was distributed and due date

From the invoice issuer or generated by Billogram:
- Payment reference number*

From Billogram:
- Billogram unique id*
- Recipient id*
- Information regarding navigation within the service (including when the invoice was opened)

Depending on payment method: Billogram/invoice issuer (creditor)/Riverty (if dept collection):
- Payment date and payment method

From your device:
- Type of device, operating system and browser details

*The personal data is pseudonymised, which means that all identifying personal data is replaced with non-identifying information. Statistics are compiled at an aggregated level.

Lawful basis

Legitimate interest - Our legitimate interest is to improve and develop our service to fulfil the requirements and requests our customers and you as an invoice recipient have on the service

When the purpose ceases

5 years after you received your last invoice via our service (the time we deem necessary to analyse trends and seasonal variations)

To comply with requirements regarding measures against money laundering and the financing of terrorism

Categories of personal data we process and source

From your bank:
- Name
- Address
- Invoice amount
- Payment date and payment method

From Billogram:
- Case details

Lawful basis

Legal obligation - Swedish Act (2017:630) on measures against money laundering and financing of terrorism

When the purpose ceases

10 years after the completed transaction, or alternatively, if an issue arises, 10 years after the resolution of the matter.

To comply with legal requirements regarding sanctions

Categories of personal data we process and source

From your bank:
Name
Bank and country information (BIC code)

From Billogram:
Case details

Lawful basis

Legal obligation - Sanctions legislation issued by the EU, UN, and OFAC. (OFAC is a U.S. agency that establishes sanction lists similar to the EU and UN, which Billogram is obligated to adhere to.)

When the purpose ceases

When you no longer conduct payments through our service

Processors we share your personal data with

Sometimes we need to share your personal data with others to fulfil the purposes described above.

The personal data we process is stored by Amazon Web Services (AWS) where the processing only occurs within EU/EEA.

To analyse errors in Billogram’s billing service we may share personal data with Sentry and if so, the processing will take place in the USA. The personal data Sentry may process is restricted to Billogram-unique id, recipient id and the name of the invoice issuer. By entering standard contractual clauses (please see “Transfer of personal data outside the EU/EEA” above), we have ensured that the protection of the personal data Sentry processes is equivalent to GDPR requirements.

To fulfill our obligations under anti-money laundering laws and sanctions legislation, we may share your personal data with Softronic, which provides the system we use for this purpose. This processing occurs only within the EU/EEA.

Your rights

According to GDPR, you as a data subject have several rights that you should be aware of.

- You have the right to request a record extract of the information recorded about you.

- If the data we hold on you is incorrect, you have the right to have it corrected.

- You have the right to have your personal data deleted, provided that we do not need to process them for the purposes for which they were collected, for example, to comply with applicable law..

- If you believe that the data is incorrect or that our processing is unlawful or that we do not need the data for a specific purpose, you may request that we restrict the processing of data about you. You can also request restriction of processing while awaiting verification from us as to whether our interest in processing your data outweighs your right not to have this data processed.

- If we cite legitimate interest as a lawful basis, you have the right to object to the processing.

The right to data portability means that in some cases, where the lawful basis is a contract or consent, you have the right to receive your personal data and use your personal data elsewhere. This right does not apply to our processing of your personal data, as we process it on the basis of legal obligation and legitimate interest.

Contact details and Data Protection Officer

Billogram AB is registered with the Swedish Companies Registration Office under corporate registration number 556801-7155 and is headquartered at Klara Södra Kyrkogata 1, SE-111 52 Stockholm, Sweden.

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com.

You can also contact our Data Protection Officer by email: dpo@billogram.com or by post at the above address.

Complaints

If you believe that the processing of your personal data is in violation of GDPR, you should contact us. You can also contact the Swedish Authority for Privacy Protection directly with your complaint.

Privacy Policy updates

This Privacy Policy may be updated due to changes in legislation or changes in our personal data processing as a result of the development of our services.

The latest version is always published on our website.

This version was updated on 2024-01-16