Processing of personal data in Kivra+

1. Who is the data controller?

Kivra Sverige AB, company reg. no. 556917-3544, Klara Norra Kyrkogata 33, 111 22 Stockholm (“Kivra”), is the data controller for the processing of personal data that takes place within the framework of Kivra+. If you want to get in touch with us about how we process your personal data, you can email us at dataskydd@kivra.se

2. The relationship between the Service and Kivra+

Kivra provides a digital mailbox service with the possibility to, for example, receive, handle, transmit and store electronic messages and other content (the "Service").

When you signed up as a user of the Service, you received Kivra’s information about the processing of personal data.

Kivra+ is an add-on to the Service, where we offer you features in addition to those in the Service. When you use Kivra+-specific features, Kivra will process your personal data in ways that differ from those in the Service.

This information about processing of personal data in Kivra+ thus applies in addition to the information about personal data processing in the Service, and describes the additional personal data processing that takes place when you use Kivra+.

Note that Kivra’s storage of content in your mailbox, both before and after a Kivra+ feature has been applied to the content, is a part of the Service and thus not a part of Kivra+. As such, the information that you received when signing up as a user of the Service applies to the storage of content.

3. Which personal data do we process, for which purpose and on which legal ground?

When you use Kivra+ we process the following categories of personal data about you:

Information about your purchase of Kivra+, i.e. purchase date and expiration date for your subscription; which platform was used when purchasing the subscription (iOS/Android), information about specific transactions (transaction ID referring to Google Play and Apple's payment transactions, transaction date) and purchase token, i.e. a string of numbers and letters used to verify your purchase with Google or Apple.

Information about documents you have uploaded in Kivra+: If you use the upload feature in Kivra+, Kivra processes your selected names of uploaded documents and the number of uploaded documents.

Information about categories in Kivra+: If you use the categorisation feature in Kivra+, Kivra processes your selected category names and the number of categories (this applies to both categories pre-determined by Kivra and categories named by you).

Information about payable documents uploaded in Kivra+: If you upload invoices or other documents for payment in Kivra+, Kivra processes the name of the invoice and the payment data contained in the document, such as OCR/message, PG/BG, amount and due date. The collection of such payment data is done via text recognition technology provided by Google and Apple respectively. You can read more about those technologies in section 5 below.

Information about how you use Kivra+: When you use Kivra+, we save and analyze certain actions you take within Kivra+, e.g. how many categories you create and what type of content (such as letter, invoice, receipt, upload) you categorise. Once the data has been collected, it is pseudonymised and aggregated, so that Kivra can see patterns in the use of the service without linking events to a specific user.

Feedback about Kivra+: Kivra can request feedback from you on how you experience and rate the various features offered within Kivra+. If you choose to share feedback with Kivra, we collect that information in anonymised form in order to improve and further develop the service.

In the table below, you can read more about where we retrieve these categories of data from, for what purpose or purposes we process them, with what legal ground and for how long the data is processed for each purpose.

| Type of personal data and where we get it from | Purpose of the processing | Legal ground | How long is the data processed for this purpose? |
|---|---|---|---|
| Information about your purchase of Kivra+. Retrieved from Google Play or Apple App Store, respectively. | Make sure you have paid for your use of Kivra+. | The processing is necessary to allow you to enter into an agreement about Kivra+, and for the performance of the contract on Kivra+ (Article 6(1)(b) GDPR). | During the time you are a Kivra+ user and 14 months after you terminate the agreement on Kivra+. |
| Information about your purchase of Kivra+. Retrieved from Google Play or Apple App Store, respectively. | Fulfill Kivra's obligations under the Accounting Act (1999:1078). | The processing is necessary for compliance with our legal obligations (Article 6(1)(c) GDPR). | No later than six months after the end of each calendar year in which a payment has been made. |
| Information about documents you uploaded in Kivra+. Retrieved from your use of Kivra+. | Provide you with Kivra+ features. | The processing is necessary for the performance of the contract on Kivra+ (Article 6(1)(b) GDPR). | Until you terminate the agreement on Kivra+. |
| Information about categories in Kivra+. Retrieved from your use of Kivra+. | Provide you with Kivra+ features. | The processing is necessary for the performance of the contract on Kivra+ (Article 6(1)(b) GDPR). | Until you terminate the agreement on Kivra+. |
| Information about payable documents that have been uploaded in Kivra+. Retrieved from your use of Kivra+. | Provide you with Kivra+ features. | The processing is necessary for the performance of the contract on Kivra+ (Article 6(1)(b) GDPR). | Until the last payable document you have uploaded in Kivra+ has been paid. |
| Information about how you use Kivra+. Retrieved from your use of Kivra+. | Improve and further develop Kivra+. | The processing is based on a legitimate interest assessment (Article 6(1)(f) GDPR). In that legitimate interest assessment, Kivra has assessed that we have a legitimate interest in being able to perform this type of analysis, that the current personal data processing is necessary to achieve that purpose and that our interest outweighs your right not to have your data processed for this purpose. | Up to 52 days from the termination of the Service, with the exceptions described in the section "For how long do we store your personal data?" in Kivra’s information about processing of personal data. |
| Feedback about Kivra+. Retrieved from you if you choose to leave feedback as an app review through our app. Feedback is made available in the Google Play Console or in Apple Connect, respectively. | Improve and further develop Kivra+. | The processing is based on a legitimate interest assessment (Article 6(1)(f) GDPR). In that legitimate interest assessment, Kivra has assessed that we have a legitimate interest in being able to perform this type of analysis, that the current personal data processing is necessary to achieve that purpose and that our interest outweighs your right not to have your data processed for this purpose. | Kivra collects your feedback in anonymous form. It therefore does not contain any personal data. We have therefore not set a time limit for how long we use this information. |

4. Sensitive personal data

When you use Kivra+ you can choose which documents you upload and you can name uploaded documents and categories yourself. If you choose to upload documents or use names that reveal e.g. information about your political opinions, membership in a trade union, information about health or information about your sex life, this means that Kivra processes sensitive personal information about you.

For this reason, Kivra informs you specifically about the processing of sensitive personal data when you decide to use Kivra+, and obtains your consent to such processing. You can find the information about sensitive personal data here.

5. Who has access to your personal data?

What is stated under the headline “Where is your personal data processed?” in Kivra’s information about processing of personal data applies also when Kivra is providing Kivra+.

To make documents payable via Kivra+, Kivra uses text recognition technology. If you use our Android app, the technology is provided by Google (Google ML Kit) and if you use our Apple app, it is provided by Apple (Apple VisionKit).

The text recognition process takes place entirely on your device, and no data about the content of the uploaded document is shared with Kivra or any other party during the text recognition process.

When the text recognition process is complete, the payment information contained in the document is shared with Kivra (see “Information about payable documents uploaded in Kivra+” under section 3 above).

If you choose to upload documents for payment through Kivra's Android app, Google collects certain technical information about the performance of the Google ML Kit, to ensure that the Google ML Kit works properly and to improve the technology. You can read more about what data is collected and how it is used in the table section “All APIs” here. Google is the sole data controller for its collection and processing of that data.

If you choose to upload documents for payment through Kivra's Apple app, Apple will not collect any information about your use of Apple VisionKit.

6. Where is your personal data processed?

What is stated under the headline “Where is your personal data processed?” in Kivra’s information about processing of personal data applies also when Kivra is providing Kivra+.

As described in section 5 above, Google is, as sole data controller, collecting certain data in the use of Google ML Kit. The collection means that the data points are being processed outside of the EU/EEA, and takes place with the support of standard contractual clauses for transfers between data controllers which you find here.

7. Your rights

You have the right to access the personal data we process about you when you use Kivra+. We provide it in the extract from the register that you can request to receive for all services that Kivra provides you in our capacity as a data controller. The extract from the register is free and is normally sent to your mailbox in the Service. If you would rather receive your extract from the register via (password-protected) email or to your population registration address, this is also possible. If we, for any reason, are unable to provide you with the information you request, we have an obligation to justify this to you.

You have the right to request rectification of your personal data. It is important that the information we process about you is accurate. If you change your telephone number, email address and other contact information or find that the information we have about you is incorrect or incomplete, you have the right to request that we correct it. You can also update some of your contact details under the section “Settings” in the Service.

You have the right to request deletion of your personal data (right to “be forgotten”) under certain conditions, e.g. if the information is no longer necessary for the purpose for which it was collected, or if you withdraw your consent to the processing and there is no other legal ground for the processing. If you want all information we process about you within the framework of Kivra+ to be deleted, you need to close your account with Kivra. Kivra will then delete all information about you that we may delete. As described in more detail in the section “How long do we store your personal data” in Kivra’s information about processing of personal data, we need to save certain information even if you request to be forgotten. We ensure that such information is blocked so that it can only be used for such specific purposes. If you only want certain data created within the framework of Kivra+ to be deleted, you can to a large extent delete it yourself. You can read more about it in the Special terms and conditions for Kivra+.

In certain situations you are entitled to request that we temporarily restrict the processing of your personal data. This can happen, for example, if you have requested rectification of your personal data and it takes time for us to accommodate your request. In such cases, personal data may be restricted while we are handling the case.

You have the right to obtain the personal data that Kivra processes about you in machine-readable format. If it is technically possible, as determined by Kivra, you also have the possibility to have your personal data transferred to another controller. This can happen, for example, if a user of Kivra wants to switch to another service similar to Kivra.

You have the right to object to activities that we carry out with your personal data that are based on a so-called legitimate interest assessment (see section 3 above for which processing may be relevant to you). Specify to us in your request what processing you object to.

If you want to assert any of your rights, or if you have questions about how Kivra processes your personal data, you can contact Kivra by email at dataskydd@kivra.se or by telephone 077-045 70 00.

8. Who do you turn to in case of complaints?

If you believe that Kivra processes your personal data in violation of applicable data protection legislation, we would of course like you to tell us by writing to dataskydd@kivra.se. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection, which oversees Kivra’s processing of your personal data. For more information, see the Swedish Authority for Privacy Protection’s website www.imy.se