1. Who are we?
Trustly Group AB, reg. no. 556754-8655 (“Trustly”, “we”, “us” or “our”) is a Swedish payment institution providing online banking payment solutions across Europe. In Australia we provide support services to Merchants to improve the security of on-line commerce through the verification of banking information.
At Trustly, we value your privacy and we work hard to make sure that we manage your personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
End-users that are using our payment service in relation to a Merchant (which means a seller of goods or services on-line with whom you as an end-user deal and for whom we provide services to help verify your identity)
Website visitors that are interacting with our websites or contacting our support and/or complaints service
3. What personal information do we collect about you?
The personal information that we collect about you is used to verify your identity by confirming that you are the holder of the bank account that you use as part of obtaining a product or service from a Merchant.
The exact information that we collect about you may depend on the financial institution where your bank account is held.
We use different verification methods to verify your identity depending on that financial institution. For some financial institutions we may ask you to enter into your on-line banking using our iFrame interface which allows us to collect and verify bank account information when you log-on to your bank via our iFrame.
Where we ask you to enter you electronic banking log-in details into our iFrame interface then your bank log-in details are encrypted simultaneously as you type them into iFrame and are processed by us for the sole purpose of forwarding it to the interface of your online bank. We do not keep or store your bank log-in details. They do not become part of our records and they are not visible to us.
For other financial institutions we verify that you are the account holder by transferring a very small amount into your bank account. We will then ask you to confirm the transaction information related to that transfer as it appears in your bank account transaction details.
In order for you to more easily understand what type of personal information we may collect about you, we have categorised the personal information into the following categories:
Identifying Information – first name, last name, home address, telephone number, email address, date of birth, nationality, and any user ID given to you by the Merchant.
Transaction Identifying Information – information relating to transfers that we send to your bank account, such as transaction ID references and the time when the transaction was made.
Financial Information – information about your bank account including the bank account number and account balance at the time we are seeking to verify your identity.
Device Information – information relating to the device that you use to interact with us including IP-address, type of device, operating system and browser information.
Behaviour Information – information about how you interact with us.
4. How do we collect your personal information when using our service?
We will never ask you to confirm your bank log-in details to us by sending you an email and asking you click on a link from that e-mail. We will also never ask you to confirm your bank log-in details over the phone. You should never disclose you bank log-in details to any person in either of these ways.
When using our service, we collect your personal information directly from you, your device, your Merchant and your financial institution (when you access your banking information via our iFrame interface). We use secure technology to collect bank account and identifying information.
We may also collect personal information if you:
communicate with us through correspondence, chats, email, or when you share information with us from other social applications, services or websites; or
interact with our sites, services, content and advertising.
5. For what purpose do we process your personal information?
We primarily collect and use your information for the purpose of verifying your identity on behalf of online suppliers providing you with a product or service (i.e. Merchants). In doing so, our aim is to assist Merchants to reduce the risk of any fraudulent transactions occurring (especially those involving identity theft), by securely and promptly verifying the details you provide to the Merchant about your identity and/or bank account.
We may also collect, hold, use and disclose your personal information for the following purposes:
to enable you to access and use our products and services;
to operate, protect, improve, troubleshoot and optimise our product, business and the user experience of our systems;
to send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you; and
to perform analysis on how you use our products and services.
If you do not provide your information to us when we request it, then we may not be able to authenticate your identity or ownership of a bank account for the Merchant and the Merchant may refuse to supply you with a product or service.
6. With whom do we disclose your personal information to?
The information we collect about you may be disclosed to different entities depending on the purpose we collected your personal information for. In this section, you can read more about the sharing we do of personal information belonging to individuals who do business with Merchants, websites visitors and other individuals contacting our support and/or complaint service.
As a general rule, when Trustly shares your personal information with third parties, this is done in a responsible way and in accordance with our obligations under the privacy legislation.
Regardless of who you are, your personal information may be shared with companies that form part of the Trustly Group, when needed to fulfil the purpose the personal information was collected for. This includes the disclosure of information to our agents, employees and contractors. This sharing of information is carried out on the basis that we have a legitimate interest of sharing information within our group for commercial, compliance and organisational reasons.
6.2 When you use our product or services
We may disclose personal information to your Merchant and its employees. This is so the Merchant can verify your identity and ownership of a bank account details in order to be able to release any purchased goods or supply its services. What type of information we send to your Merchant may dependi on the financial institution where you keep your bank account. We do not keep a record of your bank log-in details nor do we disclose your bank log-in details to any third parties.
Authorities and your bank
To carry out a transaction when using our service, we need may to transfer some of your personal information to your bank. This processing is carried out on the basis of that it is necessary to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction.
We may also need to share your personal information to law enforcement agencies, regulatory bodies and other government authorities as required or authorised by law.
Other third parties with whom we collaborate
We may from time to time also need to share your personal information with cloud-based service providers, who provide us with technical server capacity. This is done for the purpose of providing and improving our services. We may also share your personal information with third-party providers who assist with our IT-security.
The entities described above may be located overseas, including Merchants who may be based in Europe or in the Unites States of America.
We have offices in Sweden, Germany, the UK, Spain, Finland, Portugal, the United States and Malta. Employees and representatives for Trustly in these countries may, if their job descriptions/tasks require so, access your personal information. In particular, your personal information may be shared and stored with our company in the United States of America for further transfer to the Merchant.
We undertake necessary measures to ensure that your personal information is protected with a high level of security that is appropriate to the risks associated with the processing and maintain physical, electronic, and procedural safeguards to protect it. For example, any personal information accessed from these locations is protected by EU information protection standards and is encrypted when transmitted over the Internet.
We restrict access to your personal information to those employees, Trustly representatives and third parties that need to know your information in order for us to be able to fulfil the purpose the information was collected for. We protect your information when transmitted over the Internet by using TLS-enabled services. The TLS-enabled services use industry best-practices configurations and adhere to industry-recognized standards.
6.3 When you visit our websites or contact our support and/or complaints service
Your personal information may be shared with third-party providers such as external advertising agencies. We share this information on the basis that we have a legitimate interest of marketing, through professional advertising agencies, to you regarding products and services that you have shown an interest in. We may also share your personal information to other third-party providers of analytical tools based on our legitimate interest of providing you with a pleasant user experience when interacting with our websites.
In addition, if you contact our end-user support we will share your data with cloud based service providers that we utilise for managing our support function.
7. How long do we keep your personal information for?
We will process your personal information for as long as we need to fulfil the purpose the information was collected for. However, your personal information will in general not be stored for a longer period than seven (7) years to fulfil book keeping requirements. Please note however that during this time, the information will not be used for all of the purposes set out above. Shorter time periods apply depending on the purpose the information was collected for. For example, one set of information, e.g. Financial Information, will be processed for several purposes and may for some purposes be processed only for a very short period of time but for other purposes for longer periods of time.
Trustly has implemented various technical and organisation measures, such as automated deletion of information and access restriction to system where personal information is stored, to ensure that the information is not used for longer periods than necessary to fulfil the respective purpose the information was collected for.
8. How do we process your personal information?
When you to enter you electronic banking log-in details into our iFrame interface, your bank log-in details are encrypted simultaneously as you type them into the iFrame. This information is processed by us for the sole purpose of forwarding it to the interface of your online bank. In this circumstance, we never store your bank log-in details and they are not visible to us.
If we store your personal information, it is stored on servers located within the EU/EEA and/or the United States of America. Sometimes, the Merchant and/or other third parties with whom we share your information may be located outside the EU/EEA. If your personal information is transferred to, and processed by, a Merchant or a third party in a country outside the EU/EEA, we will take all reasonable measures to ensure that your information is processed with a high level of security and in accordance with the requirements set out in applicable information protection legislation.
9. Your rights
You have several rights in accordance with the privacy legislation. These rights are:
Right to access to your information: You can contact us about what personal information we have gathered, why we have gathered it, etc. Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why. We may also need to verify your identity when you request your personal information.
Right to correction: If any of your personal information that we process is inaccurate, you are entitled to have it corrected.
Lodge a complaint: If you are unhappy with our handling of your personal information or if we have breached the Privacy Act or the APPs, you can lodge a complaint with our Privacy Officer. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.
We will also allow the end-users located in Australia to have the following rights as if you were protected by the data protection laws that protect individuals in the EU relating to your personal information that is stored in the EU/EEA.
Right to deletion (“right to be forgotten"): You can request that Trustly erase personal information that we have gathered about you. Trustly will, under certain circumstances, be obliged to remove it.
Right to restriction: You can request that Trustly restricts the processing of your personal information under certain circumstances, e.g. if you contest the accuracy of the personal information processed by us. We must then restrict the processing while verifying the accuracy of your request.
Right to object: You can object to the processing of your personal information that Trustly carries out whereby we must assess if we can continue to process your personal information.
Right to information portability: You can request that Trustly provides all the personal information that Trustly processes about you. In some cases, we are obliged to comply with that request and provide you with the personal information processed about you.
10. Who to contact?
Trustly is responsible for the management of your personal information and has appointed a Privacy Officer who is responsible for monitoring our compliance with applicable information protection legislation.
If you have questions or want to exercise your rights explained above, you are welcome to contact us.
Please do so by either sending a request to our support team by completing this online form https://services.trustlylabs.com/contact-support/, or send an email to our Privacy Officer at firstname.lastname@example.org.