Privacy Policy
BEYOU TOGETHER LTD PRIVACY POLICY
This policy describes how we collect and use personal data about you, in accordance with the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 which merge the previous requirements of that Act with the requirements of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and any other data protection and privacy laws and regulations applicable to us or to our processing of your personal data (“Data Protection Legislation”).
This policy describes how we may collect and process personal data including about our customers; our employees, consultants and job applicants (referred to together in this policy as “Employees”); our suppliers; and visitors to this website https://beyouonline.co.uk/ (our “website”).
Certain paragraphs (2, 3 and 4) in this policy expressly contain specific information for different categories of data subjects. The other paragraphs of this policy contain information relevant to everyone. Please read this policy carefully so that you are fully aware of how and why we are using your personal data.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave this website, we encourage you to read the privacy policy of every website you visit.
1. ABOUT US
BeYou Together Ltd (“BeYou”, “we”, “us”, “our” and “ours”) is a UK registered company with registered number 10958384 and with its registered office at Unit 21, Wainwright Street, Aston, Birmingham, West Midlands, B6 5TJ on 9 October 2018.
We are registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 2018 with registration number ZA710187. For the purpose of the Data Protection Legislation and this policy, we are the “data controller”. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy policy.
2. THE PERSONAL DATA WE COLLECT
Everyone
The information we hold about you may include the following:
- Your personal details (such as your name, title, email address, address, telephone number and other contact details);
- Details of any contact we have had with you in relation to the provision of our products;
- Details of any products you have received from us;
- Our correspondence and communications with you;
- Bank account and payment details;
- Information about any complaints and enquiries you may have submitted to us;
- Information from any research or surveys conducted by us in which you may have participated including entering into one of our promotions, e-casts, or trade and consumer shows;
- Information from any marketing activities to which you may have responded or in which you may have participated;
- IP address, your login data (if applicable), browser type and version and other technology on the devices you use to access our website.
We also collect, use and share “Aggregated Data” through Google Analytics such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
Except for as expressly set out in this policy, we do not collect any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services).
Employees
In addition to the personal data listed under “Everyone” in this paragraph 2, we may also collect:
- your date of birth/age, gender, marital status and family details, emergency contact information, photograph, electronic signature, national insurance number or equivalent and passport number;
- bank account details, payroll records and tax status information;
- information about your contract of employment (or services) including salary, annual leave, pension and benefits information, start date and end date, location of employment or workplace, details of any benefits you receive or have received and holiday entitlement;
- recruitment information including references and other information included in a CV or cover letter or as part of the application process;
- employment records (including employee ID number, job titles, job duties, your telephone number and email address, work history, working hours, sickness and other absence records, training records and information relating to your performance and behaviour at work, records of disciplinary and grievance processes (whether or not you were the main subject of those proceedings)
- records relating to your access to the Company’s information technology systems, including user profiles, account and log-in information and access rights and information as to your interactions with those systems
We may also collect, store and use the following Special Categories of personal data:
- information about your health, including any medical condition, health and sickness records and doctor’s reports; and
Customers
If you are a customer then we will collect details about payments to and from you and other details of products purchased from us.
We may collect health data from you over the phone in order to understand what you are using our products for so that we may provide recommendations to you on how to use our products. We may use this data to send you information on our products that we think you might like. Health data is classed as a Special Category of Personal Data under Data Protection Legislation, and as such we need to have further justification to process such personal data. We have set out the additional conditions under which we may process your health data in paragraph 4. We may also use this data for internal research purposes, but when we do this, we will always anonymise or pseudonymise your personal data so that it can no longer be associated with you.
3. HOW WE MAY COLLECT YOUR PERSONAL DATA
Everyone
We will collect and process information about you: (i) when you contact us by email, telephone, post or social media; and (ii) from third parties (for example, from CBD marketplaces such as Alphagreen Group Limited).
If you submit an enquiry to us then, depending on the nature of your enquiry, we may collect further details from you so as to understand the context in which you are making the enquiry and/or to understand the products that may be of interest to you.
Visitors
We will only collect personal data about you via our website, apart from your IP address and cookie data, when you contact us to request further information about our products or if you apply for a position with us. On various occasions, including through forms on our website, we may invite or request you to submit your contact details and other information about yourself or to send us emails, each of which will identify you.
Employees
We collect information about employees through our application and recruitment process during the course of your employment/engagement and after its termination. Some of this information is collected directly from you (for example, in forms that you are asked to complete). Other information is automatically collected when you use or otherwise interact with our systems; created by colleagues (for example, in the appraisal process, in the course of an internal investigation or where your role in a particular activity is described in an internal document); or provided to us by third parties (for example, when we conduct background checks such as reference checks).
Customers
If you are or become a customer then we will collect and process information about you when you request information about our products, and when you buy our products.
4. HOW WE USE INFORMATION WE HOLD ABOUT YOU
Everyone
We may process your personal data for purposes necessary for the performance of our contract with you, or for steps preparatory to entering into a contract with you, and to comply with our legal obligations.
We may process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of your personal data. Our legitimate interests are as follows:
- to keep our records updated;
- to study how customers use our products, to develop them and grow our business, and to inform our marketing strategy;
- for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise;
- to define types of customers for our products and services, to keep our website updated and relevant.
We may process your personal data for certain additional purposes with your consent, and in these limited circumstances where your consent is required for the processing of your personal data then (i) we will request such consent from you separately, and (ii) you have the right to withdraw your consent to processing for such specific purposes.
Please note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
We may use your information in order to:
- Carry out our obligations arising from any agreements entered into between you and us, including registering you as a new customer, processing and delivering your order including managing payments and collecting and recovering money owed to us;
- Provide you with information related to our products and our events and activities that you request from us or which we feel may interest you, provided you have consented to be contacted for such purposes;
- Seek your thoughts and opinions on the products we provide, and to enable you to partake in a prize draw or competition;
- Notify you about any changes to our products or terms of service;
- To use data analytics to improve our website, products, marketing, professional relationships and experiences;
- To administer and protect our business and this website;
- To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you;
In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We may also process your personal data without your knowledge or consent, in accordance with this policy, where we are legally required or permitted to do so.
Employees
We use employee personal data for legitimate business (provided your interests and fundamental rights do not override those interests), human resource management and compliance purposes and to perform our obligations under your employment contract, including:
- Operation of our business including risk management, accounting and auditing and business continuity arrangements;
- Payroll operation and pension administration;
- Education and training;
- Operation of employee benefits, plans and insurances;
- To carry out human resource and legal/regulatory compliance functions, including assessing compliance with your employment contract and related Company policies and dealing with disputes including accidents at work;
- The management of disciplinary procedures;
We may also use your personal data in the following situations, which are likely to be rare:
- To protect your interests (or someone else’s interests) where you are not capable of giving consent.
- Where it is needed in the public interest or for official purposes.
Where we process Special Categories of personal data we need to have further justification for such processing. We may only process special category personal data in the following circumstances:
- Where we need to carry out our legal obligations or exercise rights in connection with employment law obligations. We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance.
- Where it is needed in the public interest.
- In limited circumstances, with your explicit written consent.
- Less commonly, where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Customers
We may process your health data (a Special Category of personal data) as described in paragraph 2. In order to collect and process your health data we will require your explicit consent which we will always collect over the phone before we request details of your health in connection to your use of our products.
Change of purpose
Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.
Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.
When assessing what retention period is appropriate for your personal data, we take into consideration:
- The requirements of our business and the services provided;
- Any legal, accounting, or reporting requirements;
- The purposes for which we originally collected the personal data;
- The lawful grounds on which we based our processing;
- The types of personal data we have collected;
- The amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
If you are or become a customer, we normally retain personal for up to 13 months after the date of your last order/booking. After this point, we may contact you by email to see if you'd like to remain on our database, and delete your data thereafter if not. In certain circumstances we will retain personal data for longer where it is necessary for us to do so for compliance with regulatory or other legal obligations, or for the establishment, exercise or defence of legal claims, or where we agree with you to do so.
Where data is stored by the third parties listed at paragraph 6 the terms of which this personal data is held to is determined by their own privacy policy which is also listed.
5. DISCLOSURES OF YOUR PERSONAL DATA
We may share your personal data with the parties set out below for the purposes set out in paragraph 4.
- Customer payment details with Shopify International Limited (https://www.shopify.com/legal/privacy);
- Customer personal information with Klaviyo Ltd who provide marketing services (https://www.klaviyo.com/privacy/dpa);
- Customer personal details with Trustpilot (https://legal.trustpilot.com/end-user-privacy-terms);
- Customer payment details with TrustPayments;
- Employee personal information with Siamais Ltd (who provide HR services for us)
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. TRANSFERRING INFORMATION OUTSIDE THE UNITED KINGDOM (UK)
Certain of our service providers to whom we will transfer your personal data will hold your personal data on their services located outside the UK. For example, Shopify International Limited, a company registered in Ireland, use servers located in the USA and Canada and they host our customer database. We may also share your personal data with third party service provider Mailchimp, who will hold your personal data on their servers in the USA. Apart from this, we will not ordinarily transfer the personal data we collect about you outside of the UK. However, if any third parties (including Shopify International Limited and Mailchimp) by whom your personal data are to be processed are based outside the UK so that their processing of your personal data will involve a transfer of data outside the UK we will ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data through Adequacy Regulations made under Section 17A of the Data Protection Act 2018.
- Where we use certain service providers, we may use specific contracts approved by the Information Commissioner’s Office which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism to be used by us if we are to transfer your personal data outside of the UK.
7. DATA SECURITY
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example:
- we ensure your personal data is stored on secure servers;
- payment details are encrypted and made using SSL technology
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
8. YOUR RIGHTS
Under certain circumstances, by law you have the right to:
- Request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
- Request correction of the personal data that we hold about you.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
We have the capacity to extract your personal data from our databases and provide it to you in a structured, commonly-used way (typically by .csv file).
If you wish to exercise any of your rights at any time, please contact us on the details contained at the beginning of this policy in the first instance. We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates.
Where you wish to exercise any of your rights, they may be subject to payment of a nominal administration fee (to cover our costs incurred in processing your request) and any clarification we may reasonably require in relation to your request. Such fees may be charged where we consider (acting reasonably) that your request is excessive, unfounded or repetitive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
9. RIGHT TO WITHDRAW CONSENT
In those circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us on the details contained at the beginning of this policy.
Where you object to and opt out of receiving direct marketing messages from us, this will not apply to personal data provided to us as a result of a product purchase, warranty registration, product/service experience or other transactions.
We use cookies on our website and this is explained in our cookies policy which is set out on our website.
It is important that the personal data we hold about you is accurate and current. Should your personal data change, please notify us of any changes of which we need to be made aware by contacting us at the details contained at the beginning of this policy.
10. CHANGES TO THIS POLICY
Any changes we may make to our privacy policy in the future will be notified by publishing an updated version on our website at https://beyouonline.co.uk/pages/privacy-policy.
11. CONTACT US
If you have any questions regarding this policy or if you would like to speak to us about the manner in which we process your personal data, please contact us on the details contained at the beginning of this policy.
You also have the right to make a complaint to the Information Commissioner’s Office (ICO: www.ico.org.uk), the UK supervisory authority for data protection issues, at any time. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
This policy was last updated on: 18 June 2021
-----------------------------------------------------------------------------
KLARNA PRIVACY POLICY
It is important to us that you feel safe when you pay with Klarna or use any of our other services. Therefore, we are providing all the information about how we use your personal data in this privacy notice.
In order for you to easily find the sections that interest you, we have divided the notice into a number of headings. To go directly to a section, just click on the heading in question in the list below.
1. Who is responsible for your personal data?
Klarna Bank AB (publ), registered with the Swedish Companies Registration Office under company number 556737-0431 and with registered office at Sveavägen 46, 111 34 Stockholm, also active through its UK branch, registration number BR020956, located at 125 Kingsway, Holborn, London, WC2B 6NH, United Kingdom (“Klarna”, “we”, “our” or “us”), is the data controller in accordance with the UK data protection laws (such as EU Regulation 2016/679 as incorporated and amended into UK domestic law (the “UK GDPR”) and the Data Protection Act 2018. If you have any questions regarding the processing of your personal data, please contact our data protection team by writing to privacy@klarna.co.uk.
2. Your rights in respect of your personal data
-
The right to obtain information. You have the right to obtain information about how we process your personal data. We do this through this privacy notice, by information on our website, and by answering your questions.
-
Right to access your data. You may request a copy of your personal data if you want to know what information we possess about you.
-
Right to data portability. You may request a copy of the personal data concerning you that we process for the performance of a contract with you, or based on your consent, in a machine-readable format.
-
Right to rectification. You have the right to rectify inaccurate information about yourself, and to make additions to incomplete information.
-
Right to have your information erased. You have the right to request that your personal data be erased. This applies to information that is no longer necessary to process for the purpose(s) for which it was originally collected, or if you revoke your consent. It is however important to know that the right to have your information erased is not absolute. Klarna is obligated to retain certain information even if you request us to erase it. These obligations to retain information are described in more detail in sections 4 and 9. These laws prevent us from immediately erasing certain information.
-
Right to restrict processing. If you believe that the data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you may request that we restrict the processing of your personal data. You may also request a restriction while you are waiting for our assessment to see if our interest in processing your data outweighs your right not to have this data processed.
-
Right to oppose the processing of your personal data or to object to our processing. You may object to our processing of your personal data based on our legitimate interest (Article 6(1)(f) GDPR), with reference to your personal circumstances. Furthermore, you may always object to our use of your personal data for marketing purposes.
-
Right to object to an automated decision that significantly affects you. You have the right to object to an automated decision made by Klarna if this decision entails legal consequences or constitutes a decision that affects you significantly in a similar way. See section 6 on how Klarna makes use of automated decisions.
-
Right to withdraw one’s consent. As described in section 5, in cases where we process your personal data based on your consent, whether implicit or explicit, you have the right to revoke your consent at any time. This means that we will cease the processing, but it does not affect the processing that we have already performed.
-
Right to lodge a complaint. You have the right to lodge a complaint with your supervisory data protection authority (the Information Commissioner), which can be reached using this link: https://ico.org.uk/.
If you wish to exercise one or more of your rights, you may do so by sending an email to privacy@klarna.co.uk stating which rights you wish to exercise. You may also request access to your personal data, or to have your personal data deleted, using the contact information in section 12.
Settings in the Klarna mobile application: In the Klarna mobile application, Klarna provides
you with the functionality to tailor your preferences for certain services, such as current notifications or autofill of your
information at purchase. We will always respect your choices.
3. What kind of personal data do we collect?
In this section, we describe the categories of personal data that we use. In section 4, we describe how we use and how we process these categories of personal data, i.e. how the data are used.
-
Contact and identification data - Name, date of birth, social security number, title, occupation, gender, billing and delivery address, e-mail address, mobile phone number, nationality, age, income data, employment and employment history, audio recordings, photos and video recordings of you and your ID card etc.
-
Information about goods/services - Details concerning the goods/services you have bought or ordered, such as type of item or delivery tracking number.
-
Information about your financial standing - Information about, for example, your income, any credits, negative payment history and previous credit approvals.
-
Payment information - Credit and debit card details (card number, expiry date and CVV code), bank account number, bank name.
-
Information about your use of Klarna’s services - Which service(s) and what different functions in these services you have used and how you have used them. This includes information about outstanding and historical debt, your repayment history, and your personal preferences.
-
Technical information generated through your use of Klarna’s services - Technical data such as response time for web pages, download errors and date and time when you used the service.
-
Information about your contacts with Klarna’s customer service - Recorded phone calls, chat conversations and email correspondence.
-
Your contacts with the stores you shop at or visit - Information about how you interact with stores, such as whether you have received goods and the type of store you shop at.
-
Device information - IP address, language settings, browser settings, time zone, operating system, platform, screen resolution and similar information about your device settings.
-
Information from external sanction lists and PEP lists - Sanction lists and lists of persons constituting politically exposed persons (“PEP”) include information such as name, date of birth, place of birth, occupation or position, and the reason why the person is on the list in question.
-
Sensitive personal data - Sensitive personal data is data that reveals religious beliefs, political or philosophical views, trade union membership, or constitutes information about health, sex life or sexual orientation as well as biometric data.
-
Service-specific personal data - Within the framework of our services through the Klarna mobile application and browser extension, Klarna’s savings and payment accounts, Email Connect, Personal Finance and event registrations, we use additional personal data that are not covered by the categories listed above. Information regarding each service is listed here:
-
The Klarna mobile application and browser extension: All content you upload (such as photos or receipts), location information and the websites you visit in the application’s browser, or with the extension installed;
-
Klarna’s savings and payment accounts: Information about your transactions and deposits and information about where your money comes from. Klarna will also process data about third parties (such as payees or payers) for this service;
-
Email Connect: Information from the connected e-mail account about your completed purchases, product, price and quantity information, delivery tracking numbers and information about stores that we pass on to the Klarna mobile application;
-
Personal Finance: Information from your other bank accounts and other types of accounts (such as card accounts) that you choose to connect to the service, as well as information such as account number, bank, historical transactions from your connected accounts and balances and assets; and
-
Event registration on social media: Information about your profile from your social media account and business information such as your employer’s name, address and type of company.
-
4. What personal data are used for what purposes and with which legal basis?
To make it easier for you, we have described why we will process your personal data (the purpose) and which categories of personal data we use for that purpose in the tables below. In section 3, you will see which data points are included in each category of personal data. In the tables, we also describe what legal rights we have under current data protection legislation, such as the GDPR, to process the data about you, referred to as our “legal basis.” In the tables, we also describe when Klarna stops using the personal data for each purpose. Finally, we describe whether it is data that we receive from you, or if it is information that Klarna receives from another source. If we receive data from another source, that source is indicated between brackets.
4.1 The following are the purposes for which your personal data is always used by Klarna, regardless of the service you use.
Purpose of the processing - what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis for processing according to the UK GDPR |
When the purpose ends (see section 9 for further information on when the data is erased) |
To manage our customer relationship with you in accordance with our agreements for each service you use. This includes creating and sending information to you in electronic format (not marketing). |
From you:
From other sources:
|
The processing is necessary for Klarna to perform a contract with you (Article 6(1)(b) UK GDPR). If the service processes information that constitutes sensitive personal data (e.g., from materials you choose to upload), our processing takes place based on your explicit consent (Article 9(2)(a) UK GDPR). |
When the contract between you and Klarna terminates. |
To be able to perform customer satisfaction surveys and market surveys, through email, text messages, phone or via other communication channels. If you do not want us to perform this processing, please contact us to let us know. See section 2 for more information about your rights. See section 12 for our contact information. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in being able to perform the personal data processing, that the processing is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the contract between you and Klarna terminates. |
To ensure network and information security in Klarna’s services. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. It is also in your interest as a customer that we ensure strong information security. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
This processing lasts for as long as you are using a service. |
To be able to help you as a vulnerable customer (i.e. if you need extra support when contacting us due to particular circumstances). This means that we can offer you special support, for example, when you contact customer service. |
From you:
From other sources:
|
Based on your consent (Article 6(1)(a) and Article 9(2)(a) UK GDPR). |
When you notify us that you are no longer a vulnerable customer or withdraw your consent. We also cease this processing if and when you notify us that you no longer want to be a Klarna customer. |
To document what measures we have taken to help you as a vulnerable customer (i.e. if you need extra support when contacting us due to particular circumstances). |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in documenting what measures we took to help you, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. In addition, this processing is necessary for reasons of substantial public interest (Article 9(2)(g) UK GDPR). |
We process the records of the measures we took to help you for up to six years. |
To be able to perform risk analysis, prevent fraud, and carry out risk management. We perform the processing to confirm your identity and that the data you provide is correct, as well as to counter criminal activities. This processing constitutes profiling and automated decision-making. We use automated decision-making to be able to determine if you constitute a risk of fraud. See section 6 for more information about profiling and automated decisions. |
From you:
From other sources:
|
The processing is necessary for Klarna to execute and perform a contract with you (Article 6(1)(b) UK GDPR). We are also required by law to establish the identity of our customers (Article 6(1)(c) UK GDPR). Sensitive personal data are processed based on your explicit consent. |
This processing will take place while you use any Klarna service. If Klarna has identified a risk in how you use Klarna, we will continue to use your information for this purpose and continuously update our risk assessment if there is a risk of fraud. This processing lasts as long as we are required by law to keep your information. See section 9 for more information on our obligations and right to retain information according to law. |
To anonymise your personal data in order to improve our services and products and to analyse customer behaviour. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in anonymising your personal data for product development purposes and in analysing customer behaviour in order to improve the service and customer experience. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. By anonymising information concerning you, we also ensure that we use personal data to the lesser extent possible. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
This processing takes place for the entire period during which Klarna must retain the information in its systems, for example to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law. |
To perform data analyses for product development and testing to improve our risk and credit models and to design our services (if possible, we first anonymise the data, which means that no personal data processing is performed thereafter). |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in performing data analysis for product development and testing purposes. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. Furthermore, our customers benefit from the processing because it helps us deliver error-free and sustainable services. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
This processing takes place for the entire period during which Klarna must retain the information in its systems, for example, to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law. |
To produce statistics and reports for economic analysis or analysis of payment trends or payment volumes in certain regions or industries (if possible, we first anonymise the data, which means that no personal data processing takes place thereafter). |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in obtaining statistic data and reports for this purpose. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
This processing takes place for the entire period during which Klarna must retain the information in its systems, for example, to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law. |
To check and verify your identity. |
From you:
|
The processing is necessary for Klarna to perform a contract with you (Article 6(1)(b) UK GDPR). |
As long as you use one of Klarna’s services. |
To share your personal data with the categories of recipients described in section 7.1 (suppliers and subcontractors, companies within the Klarna Group, persons with authority over your financial transactions, authorities and buyers of receivables, businesses or assets). |
|
Varies depending on the recipient (see section 7.1). |
This processing takes place for the entire period during which Klarna must retain the data in its systems, for example, to fulfil the agreement with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law. |
To decide what kind of marketing we will provide to you. If you do not want us to perform this processing of your data, please contact us. Contact information is available in section 12. The processing may constitute profiling. See section 6 for more information about profiling. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in identifying which type of marketing we should provide to you. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. We have also considered the fact that marketing is listed as an example of legitimate interest in the UK GDPR. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the contract between you and Klarna terminates, or if you notify us that you are not interested in this processing. |
To provide marketing materials and offers to you about our services. If you do not want us to perform this processing of your data, please contact us to let us know. See section 12 for our contact information. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in sending you marketing about our services and offers. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. We have also considered the fact that marketing is listed as an example of legitimate interest in the UK GDPR. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the contract between you and Klarna terminates, or if you notify us that you are not interested in this processing. |
To protect Klarna from legal claims and safeguard Klarna’s legal rights. |
In the event of a dispute, Klarna may also collect other categories of personal data concerning you if we need them to exercise our rights. |
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in being able to protect ourselves from legal claims. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
This processing takes place for the entire period during which Klarna must retain the information in its systems, for example to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law. |
4.2 Purposes for which your personal data is used when you use one of Klarna’s payment methods, log in with Klarna at a store, or choose to pay by debit or credit card in Klarna’s check-out at a store.
Purpose of the processing - what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis for processing according to the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
To transfer the store’s right to payment for your purchase to Klarna (“factoring”). |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we (and the store) have a legitimate interest in selling or buying your outstanding debt. We ensure that the processing is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the purchase takes place. |
To share your personal information with the categories of recipients described in section 7.2 (stores, payment service providers and financial institutions, fraud prevention agencies and companies providing identity information, and Google). |
From you:
From other sources:
|
Varies depending on the recipient (see section 7.2). |
Primarily when the purchase takes place, but it also occurs during the entire period that Klarna has the data in its systems, i.e. until the data are deleted. See section 9 for more information on our obligations and right to retain information according to law. |
When you shop in a store that offers Klarna as a payment method or has Klarna checkout, we will assess the order in which different payment methods should be presented to you at the store checkout. This processing does not affect which of Klarna’s payment methods are available to you. If you do not want us to perform this processing of your data, please contact us to let us know. Contact information is available in section 12. This processing constitutes profiling. See section 6 for more information about profiling. |
From you:
From other sources:
|
If you have accepted and use the Klarna service called “Shopping Service” as described in more detail in the terms and conditions of the service, which you will find here, then the legal basis for the processing is the performance of the contract 6(1)(b) UK GDPR). Alternatively, if you have not entered into the “Shopping Service” agreement, the processing will be based on a balancing of interests instead (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in examining the order in which different payment options will be presented to you when checking out at the store. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the payment methods are shown at checkout. |
To prevent Klarna’s operations from being used for money laundering or terrorist financing, by monitoring and reviewing transactions. Klarna also conducts ongoing risk assessments and creates risk models to counter money laundering and terrorist financing.
This processing constitutes profiling and automated decision making. See section 6 for more information about profiling and automated decisions. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). As regards sensitive personal data, the basis is that the processing is necessary for reasons of the public interest (Article 9(2)(g) UK GDPR). However, if you have supplied us with sensitive personal data, it is processed based on your explicit consent. |
When the agreement between you and Klarna is terminated. See section 9 for more information on our obligations and right to retain information in accordance with the law. |
To perform a fraud prevention assessment before a purchase is accepted. This processing constitutes profiling and automated decision-making. We use automated decision-making for this purpose, to be able to determine if you constitute a risk of fraud. See section 6 for more information about profiling and automated decisions. Also see section 7.2.3 on our use of fraud prevention agencies to which your information may be shared, and our legal basis for that sharing. |
From you:
From other sources:
In addition to the above, Klarna receives information from fraud prevention agencies on whether your information indicates an attempt at fraud. |
To enter into and perform the agreement (Article 6(1)(b) UK GDPR). |
When the fraud assessment is performed. |
To perform bookkeeping and accounting in accordance with accounting laws and preserve them in compliance with the applicable law. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). |
During the period in which the bookkeeping is recorded and 7 years after the end of the year in which the information was registered. See section 9 for more information on our obligations and right to retain information according to law. |
To perform calculations in accordance with rules on capital adequacy obligations. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). |
Seven years after the end of the year in which the information was registered. See section 9 for more information on our obligations and right to retain information according to law. |
4.3 Purposes for which your personal data is used when you use one of Klarna’s payment methods involving the provision of credit or when you use the Klarna card or the one-time card.
The following services entail the provision of credit to you: “Pay later” (invoice), “Pay now” (for payment by direct debit), “Financing” (pay in instalments), as well as the Klarna card and the one-time card (both of which are offered in the Klarna mobile application).
Purpose of the processing - what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis according to the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
To perform a credit assessment before credit is granted. This constitutes profiling and the decision to approve or reject the credit constitutes an “automated decision”. See section 6 for more information about profiling and automated decisions. Also see section 7.3.1 on our use of credit information bureaus to which your information may be shared, and our legal basis for that sharing.
|
From you:
From other sources:
|
To enter into and perform the credit agreement (Article 6(1)(b) UK GDPR). |
When the credit assessment is performed. |
To share your personal data with the categories of recipients described in section 7.3 (credit bureaus, debt collection companies and other buyers of outstanding receivables, as well as VISA, debt acquirers and digital wallet providers). |
From you:
From other sources:
|
Varies depending on the recipient (see section 7.3). |
Primarily when the purchase takes place, but also as long as Klarna retains the data in its systems, i.e., until it is deleted. See section 9 for more information on our obligations and right to retain information according to law. |
To transfer Klarna’s right to payment for your purchase to a new owner. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in selling outstanding credits as part of conducting our business. We ensure that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
The processing may be performed while the debt is unpaid (you will be notified if the debt is transferred). |
To perform debt collection services, i.e. to collect and sell overdue debts. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in collecting and selling debts. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the debt has been paid. |
To prevent Klarna’s operations from being used for money laundering or terrorist financing, by monitoring and reviewing transactions, conducting risk assessments and creating risk models.
This processing constitutes profiling, and a decision that you imply a money laundering risk constitutes an “automated decision”. See section 6 for more information about profiling and automated decisions. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). As regards sensitive personal data, the basis is that the processing is necessary in the public interest (Article 9(2)(g) UK GDPR). |
Up to five years from the termination of the agreement or after the termination of the customer relationship (up to ten years in cases where law enforcement authorities so request). See section 9 for more information on our obligations and right to retain information according to law. |
Filing and accounting in accordance with accounting laws. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). |
Seven years after the end of the year in which the information was registered. See section 9 for more information on our obligations and right to retain information according to law. |
4.4 Use of your personal data and information to give you access to the Klarna account service (savings and payment accounts).
Purpose of the processing – what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis according to the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
To provide Klarna’s savings and payment accounts. |
From you:
From other sources:
|
The processing is necessary for Klarna to perform a contract with you (Article 6(1)(b) UK GDPR). If the service processes data that constitutes sensitive personal data (from your transactions), our processing takes place based on your explicit consent (Article 9(2)(a) UK GDPR). Information about third parties (such as payment recipient or payer) is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we and you (and also the payment recipient/payer) have a legitimate interest in having this data processed to perform the transactions in question. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the contract between you and Klarna terminates. |
To share your personal data with the categories of recipients described in section 7.4 (credit institutions and other financial institutions). |
From you:
From other sources:
|
The processing is necessary for Klarna to perform a contract with you (Article 6(1)(b) UK GDPR). If the service processes data that constitute sensitive personal data (from your transactions), our processing takes place based on your explicit consent (Article 9(2)(a) UK GDPR). |
When the contract between you and Klarna terminates. |
To prevent Klarna’s operations from being used for money laundering or terrorist financing, by monitoring and reviewing transactions, conducting risk assessments and creating risk models.
This processing constitutes profiling, and a decision that you imply a money laundering risk constitutes an automated decision. See section 6 for more information about profiling and automated decisions. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). As regards sensitive personal data, the condition is that the processing is necessary in the public interest (Article 9(2)(g) UK GDPR). |
Up to five years from the termination of the contract or after the termination of the customer relationship (up to ten years in cases where law enforcement authorities so request). See section 9 for more information on our obligations and right to retain information according to law. |
Filing and accounting in accordance with accounting laws. |
From you:
From other sources:
|
To comply with law (Article 6(1)(c) UK GDPR). |
Seven years after the end of the year in which the information first was registered. See section 9 for more information on our obligations and right to retain information according to law. |
To perform calculations in accordance with rules on capital adequacy obligations. |
From you:
From other sources:
|
Abide by the law (Article 6(1)(c) UK GDPR) |
Seven years after the end of the year in which the information was registered. See section 9 for more information on our obligations and right to retain information according to law. |
4.5 Processing of your personal data when you use Klarna’s shopping service
When you use Klarna’s Shopping Service, Klarna will process your personal data for the purposes described in the table below. The terms of the Shopping Service and the description of the features included in the shopping service are available here.
Purpose of the processing - what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis according to the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
To deliver the Klarna’s Shopping Service and the functions included therein. The service involves profiling you to personalise the contents in the Klarna mobile application and at Klarna’s checkout. |
The processing is necessary for Klarna to perform a contract (terms and conditions for the shopping service) with you (Article 6(1)(b) UK GDPR). If the shopping service also processes data that constitutes sensitive personal data (if you have uploaded this data, for example, through receipts for certain purchases/memberships, or if you have otherwise given us access to this data), our processing takes place based on your explicit consent (Article 9(2)(a) UK GDPR). See section 3 for more information about this kind of personal data. |
When the contract between you and Klarna terminates. |
|
You can choose to share your location with us. We use this information to find stores in your vicinity. You can turn off location sharing on your device at any time. |
From you:
|
The processing is necessary for Klarna to perform a contract (terms and conditions for the shopping service) with you (Article 6(1)(b) UK GDPR). |
When the function is closed. Klarna will not save your location after we have shown you the stores that are close to you. |
To provide a browser, through the Klarna mobile application, for you to visit, for example, stores’ websites. Klarna will collect information about how you use the browser to customise the contents of the Klarna mobile application. |
From you:
|
The processing is necessary for Klarna to perform a contract (terms and conditions for the shopping service) with you (Article 6(1)(b) UK GDPR). If the service processes information that constitutes sensitive personal data (e.g. from pages you visit), our processing will take place based on your explicit consent (Article 9(2)(a) UK GDPR). However, this sensitive information will not be used for any purpose other than to show you the current website in the browser. |
When the contract between you and Klarna terminates. |
To share your personal data with the categories of recipients described in section 7.5 (affiliate networks, Google, partners within the framework of the Personal Finances service and the offer and benefit program, and logistics and transportation companies). |
From you:
From other sources:
|
Varies depending on the recipient (see section 7.5). |
When the contract between you and Klarna terminates. |
4.6 Additional services you can access via the Klarna mobile application or through Klarna’s browser extension
Purpose of the processing - what we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis according to the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
If you have connected your e-mail account to Klarna’s Email Connect service, Klarna will regularly connect to your e-mail account(s) to obtain information about your purchases. You can terminate this service at any time and thereby delete Klarna’s access to your e-mail account. |
From other sources:
|
The processing is necessary for Klarna to perform a contract (terms and conditions for the shopping service) with you (Article 6(1)(b) UK GDPR). If the service processes sensitive personal data (from your transactions), our processing will take place based on your explicit consent (Article 9(2)(a) UK GDPR). See section 3 for more descriptive information. |
When the contract between you and Klarna terminates. |
If you have chosen to connect your bank accounts to the Personal Finance service, Klarna will display and give you tools to control your finances, by means of offers tailored to your specific needs. This processing constitutes profiling which aims to customise the service’s content, based on what we think you may be interested in. You can read more about profiling in section 6. If you choose to take advantage of offers and benefits that Klarna delivers within the framework of this service, we will share your personal information with the partner who delivers these (see section 7.5.3). |
From other sources:
|
The processing is necessary for Klarna to perform a contract (terms and conditions for the shopping service) with you (Article 6(1)(b) UK GDPR). If the service processes sensitive personal data (from your transactions), our processing will take place based on your explicit consent (Article 9(2)(a) UK GDPR). See section 3 for more information. |
When the contract between you and Klarna terminates. |
If you use our browser extension, Klarna will process your data to deliver the service, which includes processing information about which websites/web domains you visit: Klarna processes information about the ecommerce websites/web domains visited in order to identify deals and provide you with customised offers in the Klarna extension and mobile application. This processing is also done to allow you to create One-time Cards directly in your browser on websites where this service is enabled. Information about non-ecommerce websites/web domains visited will not be stored by Klarna. Read more about how your personal data is used in the extension FAQ. |
From you:
From other sources:
|
The processing is necessary for Klarna to perform a contract (terms and conditions for the Klarna Shopping Service) with you (Article 6(1)(b) GDPR). If the service processes information that constitutes sensitive personal data (i.e. such data about the websites/web domains you visit), our processing will be based on your explicit consent (Article 9(2)(a) GDPR). See section 3 for more information about this kind of personal data. |
When the contract between you and Klarna terminates. |
4.7 Offers and invitations to events posted on social media, and when you contact us through social media
Purpose of the processing - What we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis for processing in accordance with the UK GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
If you sign up for an event posted on social media, we will process your personal data to provide the requested service. You can always unsubscribe from this by contacting us. See section 12 for contact information. |
From you:
|
The processing is necessary for Klarna to perform a contract with you (as regards the participation in the event) (Article 6(1)(b) UK GDPR). You may contact us for more information about how the determination was made. See section 12 for our contact information. |
When the event has been held. |
4.8 Klarna’s processing when you contact Klarna’s customer service
Purpose of the processing - What we do and why |
Categories of personal data used for the purpose, and where they come from (the source). See section 3 for further information on what each category contains. |
Legal basis for processing in accordance with the GDPR |
When the purpose ends (See section 9 for further information on when the data are erased) |
To handle all matters that come to Klarna’s customer service. This includes retaining various forms of written conversations to document customer errands, as well as for security purposes and to counter fraud. |
From you:
From other sources:
|
Performance of contracts (Article 6(1)(b) UK GDPR). |
Up to ten years, based on the statute of limitations. See section 9 for more information on our obligations and right to retain information according to law.
|
Quality and service improvement (to ensure satisfactory customer service). We may record telephone conversations between you and our employees for quality purposes in order to deliver better products and services to you. |
From you:
From other sources:
|
The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in improving our services, our internal training and quality control and to document communications with Klarna’s customer service. We ensure that the particular processing this entails is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. As a customer, you also have an interest in the quality of your interactions with Klarna. You may contact us for more information about how the determination was made. Please see the contact information in section 12. |
We process the recordings of telephone conversations for a time period of 90 days for quality assurance purposes, but may keep the recordings for up to two years for fraud investigation purposes. We may also retain recordings of outbound calls for up to two years, in order to document what has been decided on the call. |
If you contact us via social media such as Facebook or Twitter, your personal data will also be collected and processed by these companies, in accordance with their privacy notices. The same is true for the answer you get from us. Klarna processes this information to answer your questions. |
From you:
From other sources:
|
Performance of contracts (Article 6(1)(b) GDPR). |
When we have answered your question. |
5. How do you withdraw your consent?
When Klarna uses your personal data based on your consent, you can withdraw your consent at any time. You can do this by sending an e-mail to privacy@klarna.co.uk or via the contact information you find in section 12.
You can also delete uploaded information from the Klarna mobile application, or end the service where personal data are processed. We will then delete the information. If you withdraw your consent or delete the uploaded information, you may be unable to use the service in cases where Klarna’s processing of personal data takes place based on your consent.
6. Klarna’s profiling and automated decisions that significantly affect you
6.1 Klarna’s profiling of you as a customer.
“Profiling” means an automated processing of personal data to evaluate certain personal matters, for example, by analysing or predicting your personal preferences, such as buying interests. At the same time, we compare your data with what our other customers, with similar use of our services, have preferred.
The purpose of Klarna’s profiling and the personal data categories used for each occasion and for each profiling are described in detail in section 3. The profiling for these purposes does not have a significant impact on you as a customer.
We use profiling for the following purposes:
-
to deliver our customised services, which customise their content based on what we think is most interesting to you (this applies to the Klarna mobile application, its various functions, and the order different payment methods appear at Klarna’s checkout), and
-
to deliver customised marketing to you.
If you have any questions about how the profiling process works, please contact us. Contact information is available in section 12. You may object to our marketing profiling at any time by contacting us (and we will then cease profiling for marketing purposes). You may also end our profiling for our services by terminating the service.
6.2 Klarna’s automated decisions that significantly affect you.
Automated decisions with legal consequences, or automated decisions that similarly significantly affect you, means that certain decisions in our services are completely automated, without our employees being involved. These decisions have a significant effect on you as a customer, comparable to legal consequences. By making such decisions automatically, Klarna increases its objectivity and transparency in the decision to offer you these services. At the same time, you have the right to object to these decisions at all times. Further on in this section, you will find a description of how to object to these decisions.
Automated decisions that significantly affect you also mean that profiling is performed based on your data before the decision is made. This profiling is made to assess your financial situation (before the decision to grant credit) or to identify whether your use of our services involves a risk of fraud or money laundering. We profile your user behaviour and financial standing and compare this data with behaviours and conditions that indicate different risk levels for us.
We make this kind of automated decision when we:
-
decide to approve your application to use a credit service.
-
decide not to approve your application to use a credit service.
These automated credit decisions are based on the data you provide, data from external sources such as credit bureaus and Klarna’s own internal information. In addition to information about you, Klarna’s credit model includes a large number of other factors, such as Klarna’s internal credit risk levels and our customers’ general repayment rates (based on, for example, the current product category). -
decide whether you pose a risk of fraud, if our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with previous use of our services, or that you have attempted to conceal your true identity. Automated decisions whereby we assess whether you constitute a fraud risk are based on information you have provided yourself, data from fraud prevention agencies (see section 7.2.3. for details of which ones we use), and Klarna’s own internal information.
-
decide whether there is a risk of money laundering, if our processing shows that your behaviour indicates money laundering. In relevant cases, Klarna also investigates whether specific customers are listed on sanction lists.
The personal data categories used in each decision are described in section 3. See section 7 for more information about whom we share information with as regards profiling during automated decisions.
If you are not approved under the automated decisions described above, you will not have access to Klarna’s services, such as our payment methods. Klarna has several safety mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases. If you have any concern about the outcome, you can contact us, and we will determine whether the procedure was performed appropriately. You can also object in accordance with the following instructions.
Your right to object to these automated decisions
You always have the right to object to an automated decision with legal consequences or decisions which can otherwise significantly affect you (together with the relevant profiling) by sending an e-mail message to privacy@klarna.co.uk. A Klarna employee will then review the decision, taking into account any additional information and circumstances that you provide to us.
7. Who do we share your personal data with?
When we share your personal data, we ensure that the recipient processes it in accordance with this notice, e.g. by entering into data transfer agreements or data processor agreements with the recipients. Those agreements include all reasonable contractual, legal, technical and organizational measures to ensure that your information is processed with an adequate level of protection and in accordance with applicable law.
7.1 Categories of recipients with whom Klarna will always share your personal information, regardless of the service you use.
7.1.1 SUPPLIERS AND SUBCONTRACTORS.
Description of the recipient: Suppliers and subcontractors are companies that only have the right to process the personal data they receive from Klarna on behalf of Klarna, i.e. data processors. Examples of such suppliers and subcontractors are software and data storage providers, payment service providers and business consultants.
Purpose and legal basis: Klarna needs access to services and functionality from other companies where it cannot perform them itself. Klarna has a legitimate interest in being able to access these services and functionality (Article 6(1)(f) UK GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.1.2 KLARNA GROUP.
Description of the recipient: Companies in the Klarna Group.
Purpose and legal basis: This is required for Klarna to be able to provide you with services and functionality. Klarna has a legitimate interest in being able to access these services and functionality (Article 6(1)(f) UK GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.1.3 A PERSON WHO HOLDS A POWER OF ATTORNEY FOR YOUR FINANCIAL AFFAIRS.
Description of the recipient: Klarna may share your personal information with a person who has the right to access it under a power of attorney.
Purpose and legal basis: This processing is carried out to facilitate your contact with us (through agents), and takes place based on your consent (Article 6(1)(a) UK GDPR).
7.1.4 AUTHORITIES.
Description of the recipient: Klarna may provide necessary information to authorities such as the police, financial authorities, tax authorities or other authorities and courts of law.
Purpose and legal basis: Personal data is shared with the authority when we are required by law to do so, or in some cases if you have asked us to do so, or if required to manage tax deductions or counter crime. An example of a legal obligation to provide information is when it is necessary to take measures against money laundering and terrorist financing. Depending on the authority and purpose, the legal bases are the obligation to comply with the law (Article 6(1)(c) UK GDPR), to fulfil the agreement with you (Article 6(1)(b) UK GDPR), or Klarna’s legitimate interest in protecting itself from crime (Article 6(1)(f) UK GDPR).
There is also a requirement under UK law to withhold tax due on the payments. You will not need to do so, or take any action based on the agreement we have with the UK tax office (the HMRC), as we will disclose the necessary information to the UK tax office to support this agreement. If you have any questions regarding these arrangements, please contact the tax office.
7.1.5 DIVESTMENT OF BUSINESS OR ASSETS.
Description of the recipient: In the event that Klarna sells business or assets, Klarna may hand over your personal information to a potential buyer of such business or assets. If Klarna or a significant part of Klarna’s assets is acquired by a third party, personal information about Klarna’s customers may also be shared.
Purpose and legal basis: Klarna has a legitimate interest in being able to perform these transactions (Article 6(1)(f) UK GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.2 Categories of recipients with whom Klarna shares your personal information when you use Klarna’s payment methods, log in with Klarna at a store, or choose to pay by debit or credit card in Klarna’s check-out at a store.
7.2.1 STORES.
Description of the recipient: By stores we mean the stores you visit or shop at (which may include the store’s group companies if you have been informed thereof by the store).
Purpose and legal basis: In order for the store to be able to perform and manage your purchase and your relationship with the store or its group companies, e.g. by confirming your identity, sending goods, handling questions and disputes, in order to prevent fraud and, where appropriate, send relevant marketing. The store’s privacy notice applies to the processing of your personal data that has been shared with the store and that the store processes. Normally, you will find a link to the store’s privacy notice on the store’s website. The legal basis for sharing data with stores is partly the performance of a contract (Article 6(1)(b) UK GDPR), insofar as the data sharing takes place to perform the contract between you and the store, and partly based on Klarna’s and the store’s legitimate interest (Article 6(1)(f) UK GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.2.2 PAYMENT SERVICE PROVIDERS AND FINANCIAL INSTITUTIONS.
Description of the recipient: Payment service providers and financial institutions provide services to you, stores and Klarna to implement and administer electronic payments through a variety of payment methods, such as credit cards and bank-based payment methods such as direct debit and bank transfer.
Purpose and legal basis: Some stores use payment service providers with whom they share your information for managing your payment. This sharing takes place in accordance with the stores’ own privacy notices. The store may also let Klarna share your information with the payment service provider they use for processing your payment. Some payment service providers also collect and use your information independently, in accordance with their own privacy notices. This is the case, for example, for electronic wallet suppliers. In addition, Klarna may share your information with other financial institutions when conducting transactions with your account to complete the transactions. Sharing with payment service providers and financial institutions is performed to make a transaction initiated by you and it is done to fulfil the agreement with you (Article 6(1)(b) UK GDPR).
7.2.3 FRAUD PREVENTION AGENCIES AND COMPANIES PROVIDING IDENTITY CHECKS.
Description of the recipient: Your personal data are shared with fraud prevention agencies and companies that provide identity checks.
Purpose and legal basis: Klarna shares your information to verify your identity, the accuracy of the data you have provided, and to combat fraudulent and criminal activities. The companies with which we work are listed here. Please note that these companies may process your data in accordance with their own data privacy notices. Klarna shares your information based on Klarna’s legitimate interest in conducting its business (Article 6(1)(f) UK GDPR), as the fraud prevention agencies and the companies providing identity checks have information on fraud activities and identity confirmation which are important for Klarna to use as input to decrease its level of fraudulent transactions. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights. You can also contact the entities listed in the link above, to exercise the same rights as stated in section 2 also against those entities.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details in section 12 below.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
7.2.4 Google.
Description of the recipient: When you use Google Maps at checkout (for example, by searching your address in the address bar), your personal information will be shared with Google. Google will process your data in accordance with Google Maps/Google Earths terms of service and privacy policy.
Purpose and legal basis: Klarna shares this information based on Klarna’s legitimate interest in conducting its business (Article 6(1)(f) UK GDPR), as Google Maps makes it possible to find the address functionality at checkout. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.3 Categories of recipients with whom Klarna shares your data when you use one of Klarna’s payment methods involving the provision of credit or when you use the Klarna card or the one-time card.
7.3.1 CREDIT INFORMATION BUREAUS.
Description of the recipient: If you apply to use a service from Klarna that involves us providing credit (see section 4.3 on which services from Klarna involve credit), we will share your personal data with credit information bureaus. Sharing does not take place in the event of small amounts or where we already have sufficient information.
Purpose and legal basis: Your personal information is shared with credit bureaus in order to assess your creditworthiness in connection with your credit application, to confirm your identity and your contact information, and to protect you and other customers from fraud. This data sharing constitutes a credit report.
If you apply to use a credit Service (see section 4.3 above for a specification of our credit Services), your personal data may be shared with Credit Reference Agencies (“CRAs”) to assess your creditworthiness in connection with your application, to confirm your identity and your contact information, and to protect you and other customers from fraud.
For Pay Later in 30 days or Pay in 3, this sharing constitutes soft credit searches (or “soft credit lookups”) which does not affect your credit file nor credit score. The search is only visible to you and Klarna. In order to perform these credit searches, Klarna will send the CRAs your name, address, date of birth, phone number, as well as bank account number and sort code if relevant, in order to receive the lookups on you.
However, if you apply for one of our Financing products, a hard credit search (or “a hard credit lookup”) is performed in addition to soft searches. This is due to our Financing product constituting a regulated credit product under UK credit legislation. This hard credit search will be recorded on your credit file and may impact your credit score as follows:
The CRA will keep a record of our enquiry against your name and which may be linked to your representatives (“associated records”). For the purposes of any application for Services from us, you may be assessed with reference to “associated records”. Where any search or application is completed, or agreement entered into, involving joint parties, we may record details about this at the CRAs. As a result an “association” will be created that will link your financial records.
Details of which CRA we have used for a specific search are available on request.
In addition, if you open an agreement with one of our Financing products, we will share further information on your agreement with the CRAs. This will occur on a monthly basis until the agreement is closed. This will include details of your outstanding balance, payments made and any default or failure to meet the terms of your agreement. These records will remain on the CRAs’ files for 6 years after our agreement with you is settled or terminated, whether settled by you or, if applicable, your business or by way of default. This and other information about you (or, if applicable, your business and those with whom you are linked financially) may be used to make credit decisions about you in the future.
The ways in which CRAs use and share personal data are explained in more detail at; https://www.transunion.co.uk/crain and https://www.experian.co.uk/crain. The CRAs will process your information in accordance with their own privacy notices and you can find out which ones we cooperate with here.
Klarna shares your information based on Klarna’s legitimate interest in conducting its business (Article 6(1)(f) UK GDPR),
as the credit information bureaus have information on your financial standing which is important for Klarna to use as input to
ensure a correct credit assessment, and not grant credit to consumers who is unable to repay it. We ensure that the processing
this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information
processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your
particular case. See section 2 for
more information about your rights. You can also contact the entities listed in the link above, to exercise the same rights as
stated in section 2 also against those entities.
Klarna retains credit information about you that we have received from a credit information bureaus only in script data format. If you would like to have a readable version, we recommend that you directly contact the credit bureau that informed you that Klarna requested a credit report.
7.3.2 DEBT COLLECTION COMPANIES (FOR DEBTS THAT ARE OVERDUE).
Description of the recipient: Klarna may need to share your information when we sell or outsource collection of unpaid overdue debts through a third party, such as a debt collection company.
Purpose and legal basis: This data is shared to collect your overdue debts. Debt collection companies process personal data in accordance with their own privacy notices, or only on behalf of Klarna in their capacity as Klarna’s data processors. Debt collection companies may report your unpaid debts to credit information bureaus or authorities, which may affect your creditworthiness and your ability to apply for future credit. This data is shared based on our legitimate interest in collecting and selling debt (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in collecting and selling debts. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.3.3 VISA AND DIGITAL WALLET SUPPLIERS.
Description of the recipient: We share information about you and your purchases when you use the Klarna card with VISA and with members of VISA’s card network. If you also add the Klarna card to your digital wallet, we may need to share your information with the supplier of that wallet. In such case, data will be processed in accordance with that supplier’s privacy notice.
Purpose and legal basis: The sharing takes place to the extent necessary to carry out card transactions, prevent fraud and follow the rules for VISA’s card network. If you renew your Klarna card or receive a new card, we will transfer this information to VISA so that VISA can inform third parties with whom you have previously chosen to save your card information (for example, for recurring transactions). Sharing is performed to fulfil the agreement with you (Article 6(1)(b) UK GDPR).
7.3.4 DEBT ACQUIRERS (FOR OPEN DEBTS).
Description of the recipient: Klarna can transfer your open debt to debt acquirers.
Purpose and legal basis: Upon transfer of your debt to an acquirer and continuously until you pay off the debt, Klarna will share your contact and identification information (name, date of birth, social security number, address, and phone number), information about your financial standing (such as residual credit, repayments and any negative payment history in relation to the current debt), as well as information about the goods or services associated with the debt. The buyer will process your personal data in accordance with its own privacy notice, which you will receive information about when the debt is transferred.
The sharing of personal data with different acquirers is based on our legitimate interest in selling outstanding debts as part of our business operations (Article 6(1)(f) UK GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your personal data processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.4 Categories of recipients when using the Klarna accounts service (savings and payment accounts).
7.4.1 CREDIT INSTITUTIONS AND OTHER FINANCIAL INSTITUTIONS.
Description of the recipient: We share your information with credit institutions and other financial institutions (such as other banks) when you make transactions or payments to other accounts.
Purpose and legal basis: If you have made payments to a Klarna account, Klarna will process the information we receive from the bank you used for the transaction, such as contact and identification data and payment information. If you make transactions or payments to accounts in other banks, Klarna will also pass on some of your contact and identification data as well as payment information to the recipient and also to the recipient’s credit institution or financial institution. Sharing is performed to fulfil the agreement with you (Article 6(1)(b) UK GDPR).
7.5 Categories of recipients with whom Klarna shares your personal information when you use Klarna’s Shopping Service.
7.5.1 AFFILIATE NETWORKS.
Description of the recipient: When you choose to click on a sponsored link in the Klarna mobile application or on our website that links to a store, product or service, you will be redirected to another company’s website through a third party, known as an affiliate network.
Purpose and legal basis: The affiliate network may place tracking technology on your device that contains information about you clicking on that link in the Klarna mobile application, and which is then used to document your visit to the store to calculate a potential commission due to Klarna.
The affiliate network may process your data in accordance with its own privacy notice. The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, Klarna has determined that we have a legitimate interest in supplying you with sponsored links in order to market shops in the Klarna mobile application and on our website. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.5.2 GOOGLE.
Description of the recipient: When you use the Klarna mobile application through our web portal, Google will collect your device information through Google’s reCAPTCHA service which is implemented there, in some cases together with additional information that you choose to enter into the reCAPTCHA service.
Purpose and legal basis: Klarna processes this information based on Klarna’s legitimate interest in conducting its business (Article 6(1)(f) UK GDPR), since the reCAPTCHA service prevents misuse of our services (for example by preventing bots from trying to log in). Google will process this information in accordance with its terms of service and privacy policy. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 2 for more information about your rights.
7.5.3 PARTNERS WITHIN THE FRAMEWORK OF THE PERSONAL FINANCE SERVICE AND THE OFFER AND BENEFIT PROGRAM.
Description of the recipient: Partners within the framework of the Personal Finance service and the offer and benefit program.
Purpose and legal basis: If you choose to take advantage of Klarna’s offers and benefits within the framework of the Personal Finance service or the offer and benefits program, Klarna will share the personal information required for you to take advantage of the offer with our business partners (which includes the fact that you are a Klarna customer). Each offer specifies the data that will be shared. Data is shared to perform the agreement between yourself and Klarna (Article 6(1)(b) UK GDPR).
7.5.4 LOGISTICS AND TRANSPORT COMPANIES.
Description of the recipient: Logistics and transport companies.
Purpose and legal basis: Klarna will share your personal information with logistics and transport companies that deliver the goods you order if you have signed up for parcel tracking. Examples of information we share are contact and identification data and tracking numbers.
Logistics and transport companies process your data in accordance with their own privacy notices. Sharing is performed to fulfil the agreement between you and Klarna (Article 6(1)(b) UK GDPR).
7.6 Categories of recipients with which Klarna shares your personal information if you contact our customer service through social media.
7.6.1 SOCIAL MEDIA.
Description of the recipient: Social media companies such as Facebook, Instagram or Twitter.
Purpose and legal basis: If you contact us via social media such as Facebook or Twitter, your personal data will also be collected and processed by these companies, in accordance with their privacy notices. Sharing is performed to fulfil the agreement with you (Article 6(1)(b) UK GDPR).
8. Where do we process your personal data?
Your personal data may be transferred to, and processed in, a destination outside of the UK for example when we use a supplier or subcontractor located outside of the UK. If the store where you shop is located outside the UK, our sharing of your personal data with the store will also mean that your data is transferred outside of the UK.
We ensure that an adequate level of protection is maintained, and that suitable safeguards are adopted in line with applicable UK data protection legislation requirements, such as the UK GDPR, when we transfer your data outside of the UK. These safeguards consist of ensuring that the third country or state at hand is subject to an adequacy decision by UK authorities or by implementing so-called standard contractual clauses originating from the European Commission.
9. How long we store your personal data
Klarna stores your personal data in accordance with current laws, such as money laundering and accounting law (normally 5 years and 7 years, respectively). In addition, we only store your personal data for as long as needed to fulfil the respective purpose of our processing (more information can be found in the table in section 3).
Personal data that is important for the contractual relationship between you and Klarna is normally stored for as long as the contractual relationship lasts and thereafter for a maximum of 10 years based on statutes of limitations.
We process the recordings of telephone conversations for a time period of 90 days for quality assurance purposes, but may keep the recordings for up to two years for fraud investigation purposes. We may also retain recordings of outbound calls for up to two years, in order to document what has been decided on the call.
In some cases, the information may need to be stored for a longer period due to capital adequacy laws that Klarna must comply with. If you do not enter into an agreement with us, the personal data are normally stored for a maximum of 3 months, but the data may in some cases have to be stored longer, for example, due to money laundering laws, or to protect Klarna from legal claims and to safeguard Klarna’s legal rights.
10. How we use cookies and other types of tracking technology
To provide a tailored and smoooth experience, Klarna uses cookies and similar tracking technologies in our multiple interfaces,
such as our website, the Klarna mobile application and at the checkout of a store that uses Klarna. You can find information
about the tracking technology that Klarna uses, and information about how you accept or decline the tracking technology, in each
interface.
11. Updates to this privacy notice
We are constantly working to improve our services so that you have a smoooth user experience. This may involve modifications of existing and future services. If that improvement requires a notice or consent in accordance with applicable law, you will be notified or given the opportunity to give your consent. It is also important that you read this privacy notice every time you use any of our services, as the processing of your personal data may differ from your previous use of the service in question.
12. Klarna contact information
Klarna Bank AB (UK branch) located at 125 Kingsway, Holborn, London, WC2B 6NH, United Kingdom.
Klarna has a data protection officer and a team of data protection specialists. We also have a customer service team that handles data protection issues. You can reach all of these individuals at privacy@klarna.co.uk. If you specifically wish to contact Klarna’s data protection officer, enter this on the subject line.
Klarna Bank AB (UK branch) complies with UK data protection laws. Please visit www.klarna.com for more information about Klarna.
13. Acquisition of Close Brothers Retail Finance
In January 2019, Klarna acquired the Retail Finance division of Close Brothers Limited. In relation to this acquisition, Klarna acquired the personal data of customers who use or have used the services of the Retail Finance division. Klarna will process this personal data in order to fulfill contractual obligations, comply with applicable laws, and in line with Klarna’s legitimate interest to conduct its business.
The personal data acquired will be processed in line with the privacy notice, in force at the time of the acquisition, and in line with applicable data protection laws. Please note that you have the rights stipulated in this Privacy Notice also for this data, for example the right to access (See Section 12). The privacy notice, in force at the time of the acquisition may be found here.
This privacy notice was last updated on 19 October 2021.
***