Privacy notice
In this privacy notice, you can find information about how we process your personal data when you use Kivra's Services. This privacy notice applies as of 2023-07-07.
We care about your privacy
On this page we explain how Kivra collects and uses your personal data when you visit Kivra’s websites or interact with Kivra in social media, when you contact our customer service, or otherwise use our Services. You will also be informed about your rights and how to invoke them.
To make it easy for you to find the sections you are interested in, we have divided the page into a number of headings. You can click the different headings in the list on the right to go directly to a specific section.
When we refer to "Kivra", "we" or "us", we are referring to Kivra Sverige AB (reg. no. 556917-3544), Klara Norra kyrkogata 33, 111 22 Stockholm, Sweden. Email: dataskydd@kivra.se
Other defined terms used in this privacy notice (e.g. Sender, Service, E-Letter and Business User) have the same meaning as in Kivra's General Terms and Conditions and in the specific terms and conditions applicable to the relevant Service.
1. About the processing of personal data
Kivra processes personal data both as a controller and as a processor of personal data on behalf of others.
Sections 3 - 11 of this notice describe what applies when Kivra processes Users' personal data in its capacity as a data controller. For a full description of the processing this includes, see section 4 below.
However, there are also situations where Kivra processes its Users' personal data without being a controller. The main examples of such situations are:
Most Senders will verify whether you can receive E-letters by providing Kivra with the contact and identification information of the recipients to whom the Sender is looking to send E-letters. When Kivra verifies this information against its user database, the Sender is the controller for the processing. Kivra is the data processor of the Sender. If you would like to know how your personal data will be processed during the verification, we refer you to the Sender responsible for the E-letter at hand.
When Kivra transmits E-letters to you, the data controller for the processing is the Sender, and Kivra is the data processor of the Sender. If you would like to know how your personal data is processed in the transmission process, we refer you to the Sender responsible for the E-letter at hand.
One type of E-letter that is transmitted by Kivra is the digital Covid-19 certificate, which may contain sensitive personal data. Kivra is the data processor of the Sender when we transmit and show your covid certificate. If you would like to know how your personal data is processed in this case, please contact the Swedish eHealth Agency, which is responsible for vaccination certificates
When Kivra sends a text message that you can access a copy of a credit report, the credit reference agency that created the credit report is the data controller for the processing. Kivra is a data processor for the credit reference agency. If you would like to know how your personal data is processed by the agency, we refer you to the credit reference agency that created the credit report. For general information on how your personal data is processed when credit reference agencies send you credit reference copies, please see here.
When an E-letter reaches a private user's mailbox at Kivra, both the responsibility for the Sender as a controller and the responsibility for Kivra as a processor for the content in the E-letter end, as processing of personal data for private use is not subject to the GDPR.
When an E-letter reaches a Business User's mailbox at Kivra, the responsibility as data controller for the personal data passes from the Sender to the Business User. Kivra then acts as a processor to the Business User. Kivra’s obligations as a processor to you as a Business User are set out in your personal data processor agreement with Kivra.
2. Is Kivra a controller or processor?
Kivra processes personal data both as a controller and as a processor of personal data on behalf of others.
Sections 3 - 11 of this notice describe what applies when Kivra processes Users' personal data in its capacity as a data controller. For a full description of the processing this includes, see section 4 below.
However, there are also situations where Kivra processes its Users' personal data without being a controller. The main examples of such situations are:
Most Senders will verify whether you can receive E-letters by providing Kivra with the contact and identification information of the recipients to whom the Sender is looking to send E-letters. When Kivra verifies this information against its user database, the Sender is the controller for the processing. Kivra is the data processor of the Sender. If you would like to know how your personal data will be processed during the verification, we refer you to the Sender responsible for the E-letter at hand.
When Kivra transmits E-letters to you, the data controller for the processing is the Sender, and Kivra is the data processor of the Sender. If you would like to know how your personal data is processed in the transmission process, we refer you to the Sender responsible for the E-letter at hand.
One type of E-letter that is transmitted by Kivra is the digital Covid-19 certificate, which may contain sensitive personal data. Kivra is the data processor of the Sender when we transmit and show your covid certificate. If you would like to know how your personal data is processed in this case, please contact the Swedish eHealth Agency, which is responsible for vaccination certificates
When Kivra sends a text message that you can access a copy of a credit report, the credit reference agency that created the credit report is the data controller for the processing. Kivra is a data processor for the credit reference agency. If you would like to know how your personal data is processed by the agency, we refer you to the credit reference agency that created the credit report. For general information on how your personal data is processed when credit reference agencies send you credit reference copies, please see here.
When an E-letter reaches a Business User's mailbox at Kivra, the responsibility as data controller for the personal data passes from the Sender to the Business User. Kivra then acts as a processor to the Business User. Kivra’s obligations as a processor to you as a Business User are set out in your personal data processor agreement with Kivra.
3. What personal data do we use?
This section describes the categories of personal data that Kivra processes in the various Kivra Services. In section 4 below, you can read more about what the different categories of personal data are used for.
3.1 Personal data we always process
Certain categories of personal data are always collected or created by us when you use the Kivra Service. These are the following categories of personal data:
Contact and identification information - such as name, social security number, e-mail address, mobile phone number, Kivra's internal identification data (such as your user ID), data collected in connection with your activity with Mobile Bank ID, etc.
Data in specific cases - if you hold a corporate position, Kivra collects information about your position. If you are a minor, Kivra collects information about your and your guardian's name and social security number. If you are the legal guardian of a minor who will be using the Kivra Service, Kivra will collect information that you have consented to the minor's use of the Service.
Information about your E-letters - metadata associated with the E-letters you have received in Kivra, which Kivra uses to present your E-letters to you. Examples of such information are the Sender, type, subject and specific payment information for payable E-letters.
Content in and information about your uploads - documents you have uploaded to Kivra and information about such documents, such as name of upload, date and time of upload, type of upload (PDF or image) and file size.
Information about your use of the Kivra Services - which Service(s), as well as the various features of those Services, you have used and how you have used them.
Technical information generated by your use of the Kivra Services - such as data about how you have interacted with the Kivra websites and app, how you have interacted with your E-letters (e.g., read/unread and paid/unpaid), page response time, download errors, and the date and time you used the Service.
Device information - IP address, device ID, language settings, browser settings, time zone, operating system, platform, screen resolution and similar information about your device settings.
3.2 Personal data we process if you use some of Kivra's Services
If you choose to use certain Kivra Services, we collect and create additional personal data. These are the following categories of personal data:
If you interact with Kivra on social media
Information about your interaction with Kivra: any personal data you provide through, for example, reactions, direct messages or comments on our posts.
If you contact Kivra customer service
Information about your interactions with Kivra's customer service - such as recorded phone calls, chat conversations and email correspondence.
If you receive receipts in Kivra
Information about the content of your receipt - such as date, amount, store and product.
Information about your payment card - such as card number, expiry date, name, payment card type, and identifiers representing your payment card, e.g. in the form of a token.
If you participate in a customer survey, report bugs, or otherwise provide feedback on Kivra's Services
Information about you from the survey or report - i.e. personal data collected or created about you in the course of the survey or report, such as feedback you have given Kivra or recordings of the survey.
If you make payments in Kivra via Tink
Payment initiation information - such as your social security number, choice of bank, account number and date of payment, OCR number, payee, invoice amount and other invoice details.
Payment initiation status information - status information that Kivra receives from Tink, in order to show you the status of your payment initiation.
If you make payments in Kivra via Swish
Payment information - such as payment date, OCR number, payee, invoice amount and other invoice details.
Payment status information - status information that Kivra receives from Swish, in order to show you the status of your payment.
If you use Kivra+
Information about your purchase of Kivra+ - such as the purchase date and expiry date of your subscription, which platform you used to purchase the subscription (iOS/Android), information about specific transactions (transaction ID referring to Google Play and Apple payment transactions, transaction date) and the purchase token - i.e. a string of numbers and letters used to verify your purchase with Google or Apple.
Information about categories in Kivra+ - such as selected category names, the number of categorized documents and the number of categories (both for categories predefined by Kivra and categories named by you).
Information about payable documents uploaded to Kivra+ - such as file name, OCR/message, PG/BG, amount and due date.
If you use Kivra's User-to-User signing service
Information about signatures - such as date, time, signing method, parties, signing administrator, IP address, document ID, document title and document checksum.
3.3 Personal data we process if you have used Kivra's previous Services
If you have used certain Services that Kivra has previously provided, we have also collected and created additional personal data.These are the following categories of personal data:
If you used Kivra's own payment service
Customer Due Diligence-information - data collected to achieve proper customer due diligence, in the form of social security number (and, in the case of a suspected hit against a sanctions list, also first and last name) and information on when a check against sanctions lists has been carried out. If you have notified Kivra that you are, or have connections with, a politically exposed person, information on your first and last name and registered address will also be processed.
Information on payments made - details of payments made with Kivra's previous, own payment service such as OCR number, invoice amount, payee, payment date and bank account for payment.
4. What does Kivra use your personal data for?
The tables below describe the following:
For what purpose(s) we use your personal data.
What categories of personal data we use for each purpose.
The source of the personal data, i.e. whether we received the data from you or from another source.
The so-called legal basis for processing your personal data for a particular purpose. A legal basis is a reason for using the data that is justified under data protection legislation.
How long Kivra uses the personal data for each purpose.
4.1 Purposes for which your personal data is always used
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Verify your identity when using Mobile Bank ID, for example when you log into the Service or sign a payment. | Contact and identification information. (Finansiell ID-Teknik BID AB) | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Create and provide your account with Kivra, to allow you to use the Kivra Services. | Contact and identification information in the form of:
Data collected in connection with your activity with Mobile Bank ID. (Finansiell ID-Teknik BID AB)
Other contact and identification details (User)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days from termination of the Service. |
Notify Senders which Users can receive E-letters in Kivra - where Kivra provides the Sender with contact and identification details of all Users to whom the Sender can send E-letters.
As described in section 2 above, the data controller for the processing carried out to verify your eligibility to receive E-letters in Kivra is sometimes the Sender, and not Kivra. | Contact and identification information. (User)
Information about your use of the Kivra Services. (Kivra) | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Notify The Swedish Agency for Digital Government (DIGG), which provides Mina Meddelanden, if you have chosen to receive (or not to receive) E-letters from different Senders in Kivra. | Contact and identification information. (User) | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Carry out daily checks against the State Personal Address Register (SPAR) of your contact and identification details, to ensure they are up to date and accurate. | Contact and identification information. (SPAR) | The processing is necessary for the fulfillment of Kivra's legal obligations under the GDPR. | Up to fifty-two (52) days after you terminate the Service. |
Present and let you take actions with your E-letters. Examples of such actions are making invoices payable and managing your bookings. | Information about your E-letters. (Sender) | The processing is necessary for the performance of your contract with Kivra. | As long as you still have the E-letter in your Kivra.
If you terminate your agreement with Kivra, we will use the data for this purpose for up to fifty-two (52) days after you terminate the Service. |
Otherwise provide and customize the Service according to your choices, settings and interactions with the Service - for example, language settings, allowing you to choose to receive or not receive E-letters from certain Senders, and allowing you to share your mailbox with another User. | Technical information generated by your use of the Kivra Services. (Kivra) Information about your use of the Kivra Services. (Kivra) Contact and identification information. (User) Information about your E-letters. (Sender) Content in and information about your uploads. (User) Device information. (Kivra) | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Send you notifications about your E-letters (e.g., that a new E-letter is available, or reminders related to your E-letters) and otherwise communicate with you about the Service.
You can choose to opt out of email notifications and push notifications through the settings in the Service. | Contact and identification information. (User) Information about your E-letters. (Sender) Technical information generated by your use of the Kivra Services. (Kivra) | The processing is necessary for the performance of your contract with Kivra | Up to fifty-two (52) days after you terminate the Service. |
Send marketing messages, surveys and questions about the Kivra Service. You can choose to opt out of such messages by notifying Kivra, or by unsubscribing via the link in the message.
If you decline the messages, Kivra will need to keep a note of your opt out on a suppression list to avoid further messages for these purposes to you. | Contact and identification information. (User) | For messages: Balancing of interests justified by Kivra's legitimate interest to inform you about news related to the Kivra Service and to send you questions (e.g. a survey or inquiry regarding Kivra or the Kivra Service).
For suppression list: Balancing of interests justified by Kivra's legitimate interest in not sending you messages of this kind if you have declined them. | Up to fifty-two (52) days after you terminate the Service. |
If you are a minor: Obtain your guardian's consent to enter into a contract with Kivra. If you are a guardian: Obtain and retain your consent for the minor to enter into a contract with Kivra. As part of this will share your details with Creditsafe i Sverige AB, who will check them against SPAR.
| Contact and identification information in the form of:
The underage User's personal identity number. (User)
Data about the guardian. (SPAR)
Data collected in connection with caregiver activity with Mobile Bank ID (Finansiell ID-Teknik BID AB)
Data in specific cases. (Finansiell ID-Teknik BID AB) | The processing of personal data concerning the minor is necessary for the conclusion of a contract with the minor. The processing of personal data on guardians is based on a balancing of interests. It is justified by Kivra's legitimate interest in ensuring that minors who use Kivra have the consent of their guardians.
| We will retain the guardian's consent until the earlier of i) up to fifty-two (52) days after the underage User terminates his or her agreement with Kivra; and ii) 12 months after the underage User turns 18.
|
Pseudonymize your personal data and use it for business intelligence and business development purposes, i.e. to understand how our Services are used so that we can make appropriate business and product development decisions. | Information about your E-letters. (Sender) Content in and information about your uploads. (User) Information about your use of the Kivra Services. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) Device information. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in making appropriate business and product development decisions. | Up to fifty-two (52) days after you terminate the Service. |
Create aggregated and anonymized information for Senders on the type of E-letters Kivra has delivered to the Sender. This is done in order to be able to invoice Senders for Kivra's transmission of E-letters. | Information about your E-letters. (Sender)
Information about your use of the Kivra Services. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in charging Senders for its services. | Up to fifty-two (52) days after you terminate the Service. |
Create aggregated and anonymized information for Senders, to provide them with insights into the services Kivra provides to them, such as the number of E-letters delivered to the Sender and the average open rate.
| Contact and identification information. (User)
Information about your E-letters. (Sender)
Content in and information about your uploads. (User) Information about your use of the Kivra Services. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) Device information. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in providing Senders with insights about Kivra's services to Sender. | Up to fifty-two (52) days after you terminate the Service. |
Collect information about your use of our websites and our app, using so-called tracking technologies. Kivra uses tracking technologies for two reasons: Either the tracking technologies are necessary to provide our Services, or they are an effective way for Kivra to analyze and improve the user experience of our Services. You can read more about how we use tracking technologies here. | Technical information generated by your use of the Kivra Services. (Kivra) Device information. (User) | Necessary tracking technologies: The processing is necessary for the performance of your contract with Kivra.
Tracking technologies for analytical purposes: Your consent. | For information on how long we keep the information we collect using tracking technologies, see here. |
Logging for security purposes, such as detecting and investigating intrusions and cyber attacks. | Contact and identification information.(Kivra). Device information. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in monitoring the proper functioning of the Service and in detecting, monitoring, managing and remediating any security incidents. | Up to 5 years from the event logged. |
Logging to ensure that the Kivra website, apps and other Services are working as intended, and to investigate errors that are detected (so-called application logs). | Contact and identification information.(Kivra). Device information. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in monitoring the proper functioning of the Service and in detecting, monitoring, managing and remedying any errors. | Up to fifty-two (52) days after you terminate the Service. |
Logging for the purpose of allowing Kivra's customer service to see how you have interacted with Kivra. | Contact and identification information. (Kivra) Information about your use of the Kivra Services. (Kivra) Technical information generated by your use of the Kivra Services. (Kivra) Information about your E-letters. (Kivra) Content in and information about your uploads. (Kivra) Data in specific cases. (Kivra) | The processing is necessary for the performance of your contract with Kivra. | The last 500 events logged. The last 500 events are stored for up to fifty-two (52) days after you terminate the Service. |
Troubleshoot and investigate suspected security incidents.
| All categories of personal data processed by Kivra can be used, depending on the error/incident in question. | Balancing of interests motivated by Kivra's legitimate interest in monitoring the proper functioning of the Service and in detecting, monitoring, managing and remedying any errors and security incidents. | During the investigation of the error/incident. |
If you hold a corporate position: Inform you which of Kivra's business services might be of interest to you. This is done by Kivra sharing your data with Creditsafe i Sverige AB, who checks it against the register of the Swedish Companies Registration Office. | Contact and identification information. (Swedish Companies Registration Office) Data in specific cases. (Swedish Companies Registration Office) | Balancing of interests justified by Kivra's legitimate interest in being able to provide you with relevant information about the Kivra Service. | The earlier of:
i) Within one month of Kivra receiving information from Creditsafe i Sverige AB that you no longer hold a corporate position. (This is checked monthly)
ii) Up to fifty-two (52) days after you terminate the Service. |
Allow you to exercise your rights under the GDPR, such as providing you with a register extract or complying with your right to be forgotten. | All categories of personal data processed by Kivra can be used, depending on the right you invoke. | The processing is necessary for the fulfillment of Kivra's legal obligations under the GDPR.. | Up to fifty-two (52) days after you terminate the Service. |
Allow you to upload, view and delete documents in the Service, using the camera or the upload function on your device.
As set out in section 2.3 of Kivra’s General Terms and Conditions, the upload of sensitive personal or criminal data to the Service is not permitted. | Content in and information about your uploads in the form of: Content of upload and name of upload. (User) Date and time of upload, type of upload and file size. (Kivra)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Erase your personal data when you terminate the Kivra Service. This is described in more detail in section 7 below. | See section 7 below. | The processing is necessary for the fulfillment of Kivra's legal obligations under the GDPR. . | See section 7 below. |
4.2 Purposes for which your personal data is used if you use certain Kivra Services
If you interact with Kivra on social media
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Interact with Users and other visitors on social media | Information about your interaction with Kivra. (User/ the visitor) | Balancing of interests justified by Kivra's legitimate interest in being able to respond to your interactions with Kivra on social media. | Direct messages are stored for 2 months after the end of the interaction. Your own comments, reactions etc. are not actively erased by Kivra, but you can erase them at any time. |
If you contact Kivra customer service
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Identify you securely and communicate with you about your case to Kivra's customer service. | Contact and identification details. (User)
Information about your contacts with Kivra's customer service, in the form of:
Information from you in the case. (User)
Information created by Kivra needed to handle the case. (Kivra)
When applicable - information from a relative, if a relative needs to help the User manage the Service (Relative).
| The processing of data on prospective and existing users is necessary in order to conclude or perform a contract with the person contacting Kivra’s customer service.
The processing of data concerning a relative is based on a balancing of interests justified by Kivra's legitimate interests in (i) ensuring that the relative has the right to represent the User; and (ii) handling the User's case via the relative.
| 13 months from closing the case. |
If you receive digital receipts
Purpose | Categories of personal data used. The source of the data is also indicated in brackets | Legal basis | How long is the personal data used for this purpose? |
Notify Senders if you can receive digital receipts in Kivra. | Contact and identification information (User)
Information about your payment card in the form of:
User ID for your payment card (Kivra)
Token (Sender's payment gateway)
Other information about your payment card (User)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Erase information regarding an expired payment card and remind you that your payment card is about to expire. | Information about your payment card in the form of: User ID for your payment card (Kivra)
Other information about your payment card (Kivra's digital receipt subcontractor) | The processing is necessary for the performance of your contract with Kivra. | Saved as long as the payment card is registered in the Service. |
Validate your payment card information | Your payment card information (Kivra's digital receipt subcontractor) | The processing is necessary for the performance of your contract with Kivra. | Erased immediately after validation. |
Administer digital receipts in accordance with your agreement with Kivra. Examples of such administration include organizing digital receipts so that they can be displayed to you in the Service, and so that you can search the receipts. | Information about the content of your receipt (Sender)
| The processing is necessary for the performance of your contract with Kivra. | The earlier of (i) 7 years after receipt; and (ii) up to fifty-two (52) days after you terminate the Service. |
If you choose to share your digital receipt with a third party, such as a disbursement management system, Kivra will share the contents of your digital receipt with the party you choose to share it with. | Information about the content of your receipt (Sender) | The processing is necessary for the performance of your contract with Kivra. | Information about the sharing of the receipt is saved for up to fifty-two (52) days after you terminate the Service. |
If you participate in a customer survey, report bugs or otherwise provide us with feedback on our Services
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Contact you in the context of a customer survey
| Contact and identification information. (Customer survey company)
| Your consent.
| As long as the customer survey is ongoing. |
Improve the Kivra Services.
| Information about you from the survey or report. (User)
| Your consent (for customer surveys)
Balancing of interests (for other feedback), justified by Kivra's legitimate interest in being able to identify you and manage your feedback regarding the Kivra Services. | As long as the customer survey is ongoing (for customer surveys).
13 months from the closing of the case at Kivra customer service (for other feedback). |
Contact you when you report a bug or otherwise provide feedback on our Services. | Contact and identification information. (User)
Information about you from the survey or report. (User) | Balancing of interests justified by Kivra's legitimate interest in being able to identify you and manage your feedback regarding the Kivra Service. | 13 months from the closing of the case at Kivra customer service. |
If you make payments in Kivra via Tink
Purpose | Categories of personal data used. The source of the data is also indicated in brackets | Legal basis | How long is the personal data used for this purpose? |
Share with Tink AB ("Tink") to identify you. | Contact and identification information. (User)
| The processing is necessary for the performance of your contract with Kivra. | Sharing takes place immediately after instructions from the User and processing ceases thereafter. |
Share with Tink to ensure that payment is made from the correct bank and in accordance with your instructions regarding the timing of payment. | Payment initiation information. (User).
| The processing is necessary for the performance of your contract with Kivra. | Sharing takes place immediately after instructions from the User and processing ceases thereafter. |
Process and share with Tink to ensure that payment is made in accordance with the payable E-letters you receive from the Sender. | Payment initiation information. (Sender)
| The processing is necessary for the performance of your contract with Kivra. | Sharing takes place immediately after instructions from the User and processing ceases thereafter. |
Show you the current status in connection with the invoice. | Payment initiation status information. (Tink)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Show your default account in the Service. Kivra also shares the details of your default account back to Tink for the next payment so that you don't have to make the choice again. | Payment initiation information. (Tink)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service.
|
Show payment history in the Service. | Information on payment initiation, in the form of:
Bank and account number. (Tink)
Amount, PG/BG number and OCR. (Sender)
Point of time for the User’s payment initiation (Kivra)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Share data with Tink and receive data back from Tink, for support related to your payment. | Payment initiation information (Tink).
Payment initiation status information (Tink). | The processing is necessary for the performance of your contract with Kivra. | 30 days after the case has been closed by Kivra customer service. |
If you make payments in Kivra via Swish
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Show you the current status in connection with the invoice. | Payment status information (Swish) | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Show payment history in the Service. | Payment information, in the form of:
Amount, Swish number and OCR. (Sender)
Time of payment. (Kivra)
| The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
If you use the signing service between Senders and User
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Securely identify that you are the correct recipient of E-letter items to be signed by you from the Senders. | Contact and identification information. (User of the signing service)
| The processing is necessary for the performance of your contract with Kivra. | For Users who have a digital mailbox with Kivra, the data is stored for up to fifty-two (52) days after the User has terminated the Service. For other Users, the data is stored for the duration of the identification process. |
Identify you as part of the verification when logging in or signing with Mobile BankID. | Contact and identification information. (Finansiell ID-Teknik BID AB)
| The processing is necessary for the performance of your contract with Kivra. | 30 days after the User has signed a document or, if the document is signed by several parties, 30 days after the document is signed by all parties. |
If you use Kivra+
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Ensure that you have paid for your use of Kivra+. | Information about your purchase of Kivra+. (Google Play or Apple App Store)
| The processing is necessary for the performance of your contract with Kivra. | The earlier of (i) 14 months after you terminate the Kivra+ Agreement; and (ii) up to fifty-two (52) days after you terminate the Service. |
Fulfill Kivra's obligations under the Accounting Act (1999:1078). | Information about your purchase of Kivra+. (Google Play or Apple App Store) | The processing is necessary for the fulfillment of Kivra's legal obligations. | No later than six months after the end of each calendar year in which a payment has been made. |
Provide you with Kivra+ functionalities.
If you upload payable documents to the Kivra Android app, Google text recognition technology (Google ML Kit) is used. Google LLC (“Google”) collects certain technical data about the performance of Google ML Kit to ensure that Google ML Kit works properly and to improve the technology. Google is solely responsible as the controller of personal data for its collection and processing of that information, and will process it in accordance with the terms and conditions for Google ML Kit. | Information about payable documents uploaded to Kivra+. (Kivra) Information about categories in Kivra+. (Kivra)
| The processing is necessary for the performance of your contract with Kivra.
If the documents or categories you manage in Kivra+ contain sensitive personal data the processing is based on your consent. For more information on how you can provide and withdraw your consent to that processing see the specific conditions for Kivra+ | Up to fifty-two (52) days after you terminate the Service. |
If you use the Kivra Service to validate signatures between Users
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Show you details of signatures in the Service. | Information about signatures, in the form of:
Date, time, signing method, IP address, document ID and document checksum. (Kivra)
Document title, parties. (Administrator for signing)
| The processing is necessary for the performance of your contract with Kivra. | The earlier of::
(i) 30 days after all parties have deleted a signed document; and
(ii) up to 52 days after all parties have terminated the Service. |
Verify signed documents. | Information about signatures. (User)
| The processing is necessary for the performance of your contract with Kivra. | 13 months from the closing of the case with Kivra's customer service. |
If you represent a Business User
Purpose | Categories of personal data used. The source of the data is also indicated in brackets | Legal basis | How long is the personal data used for this purpose? |
Share with the Swedish Agency for Digital Government (DIGG) to verify eligibility to represent Business Users who are not a non-profit organization against the register of the Swedish Companies Registration Office. | Contact and identification information. (User) | Balancing of interests justified by Kivra's legitimate interest in ensuring that representatives are entitled to represent the Business User.
| Sharing takes place immediately after registration of the User and processing ceases thereafter. |
Share with the Swedish Sports Confederation to check eligibility to represent Business Users who are non-profit organizations. | Contact and identification information. (User / Swedish Sports Confederation)
| Balancing of interests justified by Kivra's legitimate interest in ensuring that representatives are entitled to represent the Business User. | Sharing takes place immediately after registration of the User and processing ceases thereafter. |
Send you notifications of E-letters in the Business Mailbox (e.g. that a new E-letter is available) and otherwise communicate with you about the Service.
You can choose to opt out of email notifications and push notifications via settings in the Service. | Contact and identification information. (User / Swedish Sports Confederation)
Data in specific cases(Swedish Companies Registration Office or Swedish Sports Confederation) Information about your E-letters. (Sender) Technical information generated by your use of the Kivra Services. (Kivra) | Balancing of interests justified by Kivra's legitimate interest in ensuring that representatives receive relevant information about events in the Business Mailbox. | As long as the User represents the Business User. |
Assign and revoke authorization to represent a Business User. | Contact and identification information. (The User or the Swedish Sports Confederation)
Data in specific cases.(Swedish Companies Registration Office or Swedish Sports Confederation) | Balancing of interests justified by Kivra's legitimate interest in ensuring that representatives have the right to represent the Business User. | As long as the User represents the Business User. |
4.3 Purposes for which your personal data is used if you have used Kivra's previous Services
If you used Kivra's previous payment service
Purpose | Categories of personal data used. The source of the data is also indicated in brackets. | Legal basis | How long is the personal data used for this purpose? |
Show information regarding the invoices you have paid or managed in Kivra. | Information on payments made, in the form of:
OCR number, invoice amount, payee. (Sender)
Payment date (Kivra)
Bank account for payment (User). | The processing is necessary for the performance of your contract with Kivra. | Up to fifty-two (52) days after you terminate the Service. |
Fulfill Kivra's legal obligations under the Money Laundering and Terrorist Financing (Prevention) Act (2017:630) and the Payment Services Act (2010:751). | Customer Due Diligence-information, in the form of:
Personal identity number and, in case of a suspected hit against the sanctions list, first and last name. (User)
Information that a check against sanctions lists has been carried out (Kivra)
First name, last name and address in case the User is a PEP (User)
Information on payments made, in the form of:
OCR number, invoice amount, payee. (Sender)
Payment date (Kivra)
Personal identity number Bank account for payment (User). | The processing is necessary for the performance of our legal obligations. | Five (5) years after Kivra stopped providing the payment service to you. |
5. Where is your personal data processed?
Storage and other processing of your E-letters only takes place in Sweden. Storage and other processing of the other personal data that you as a User provide to us, or that is created when you use Kivra's Services, as a general rule only takes place in Sweden or within the EU/EEA.
But in some cases, Kivra has chosen to process the User's personal data using IT tools and services that store and process Users' personal data outside the EU/EEA. This is the case when:
You represent a Business user and pay for the company's use of Kivra for Business+ with your payment card. The payment is handled by Kivra's data processor which stores your payment card details in the US, and which may use subcontractors in other countries outside the EU/EEA.
Kivra uses certain tracking technologies. You can read more about these technologies, and where your personal data is processed when they are used, in Kivra's information on tracking technologies.
Kivra also processes Users' personal data using IT tools or services that store and process Users' personal data within the EU/EEA, but where Kivra - due to the fact that Kivra's data processor or its' subcontractors have connections to a country outside the EU/EEA - has nevertheless analyzed the risk that the personal data may be disclosed to countries outside the EU/EEA, for example due to an authority request.
In all cases where we have not been able to rule out a risk that personal data may be disclosed to countries outside the EU/EEA, we have ensured that the relevant country outside the EU/EEA has what is known as an adequate level of protection, or that the European Commission's standard contractual clauses have been entered into with the recipient. You can find more information about which countries are considered to have an adequate level of protection on the EU Commission's website. You can read about the various standard contract clauses, and find copies of them in Swedish translation, on the Swedish Authority for Privacy Protection's website.
We have also analyzed which technical and organizational safeguards are appropriate to implement to protect the personal data in the event of disclosure.
Exactly which protective measures have been implemented depends on what has been technically feasible and considered sufficiently effective for the respective service.
If you want more information about the protective measures that are implemented, you can always contact us. You will find our contact details in sections 9 and 11 below.
6. Who do we share your personal data with?
6.1 Specific recipients
Section 4 above describes the cases in which Kivra shares your personal data with specific recipients, such as:
Senders (applies to all Users)
DIGG (applies to all Users)
Creditsafe i Sverige AB (applies to all Users)
Disbursement management system (if you choose to share your digital receipt with a third party)
Google LLC (if you use Kivra+ and upload payable documents in Kivra’s Android-app)
Tink (if you make payments in Kivra via Tink)
Creditsafe i Sverige AB and Sveriges Riksidrottsförbund (if you represent a Business User)
6.2 Other categories of recipient
In addition to the specific recipients, Kivra shares your personal data with the following categories of recipients:
Kivra's suppliers and subcontractors We share information about you with our suppliers who provide services and functionality to Kivra, such as software, data storage and business consultants. The suppliers may in their turn disclose such information to their subcontractors. The suppliers and their subcontractors are Kivra’s processors.
We share your data with Kivra's suppliers because we need to access services and functionality from other companies that we are not able to provide ourselves. We share your data with our suppliers when we consider that we have a legitimate interest in accessing a supplier's service. We ensure that the processing it involves is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose.
AuthoritiesIf a government agency requests information about you, and Kivra is required by law to provide the information, we will do so. Examples of when this can happen are:
A request to obtain information about payment transactions in the payment service previously offered to Kivra's Users, which involved Kivra making payments on behalf of our Users, under the Money Laundering and Terrorist Financing (Prevention) Act (2017:630) or the Payment Services Act (2010:751).
A request for information based on a search warrant.
A request from the Swedish Authority for Privacy Protection to review how Kivra has handled your personal data in any respect.
Kivra also shares information about you with public authorities when we believe we have a legitimate interest in doing so, such as for Kivra to establish, enforce or defend its legal claims. We ensure that the processing it involves is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose.
7. How long do we keep your personal data?
If you terminate the Kivra Service, we will delete the personal data we have processed about you in connection with the Kivra Services within fifty-two (52) days, with the exception of:
Some information collected via tracking technologies. For information on how long we keep the information we collect using tracking technologies, see here.
The data retained in the Kivra application logs. They are stored for forty-five (45) days from the event logged, see section 4.1 above.
The data contained in our security logs. They are stored for five (5) years from the event logged, see section 4.1 above.
Your direct messages to Kivra on social media, if you have interacted with Kivra just before terminating the Service. Such instant messages are stored for two (2) months after the end of the interaction, see section 4.2 above.
Information about your contacts with Kivra's customer service. They are kept for thirteen (13) months from closing the case, see section 4.2 above.
Information that you have paid for Kivra+. Such information is kept for up to six months after the end of each calendar year in which payment has been made, see section 4.2 above.
Data that we use to validate that you and another User have signed a document in Kivra. When such data is deleted depends on when all signing parties delete the document or terminate the Kivra Service, see section 4.2 above.
Data stored to comply with Kivra's legal obligations, if you used Kivra's previous payment service. Such data will be retained for five (5) years after Kivra has ceased to provide the payment service to you, see section 4.3 above.
It takes up to fifty-two (52) days for your personal data to be deleted, in order to give the Senders time to provide your E-letters via another communication channel, and to give you as a User time to save your E-letters and other documents elsewhere. The personal data we do not delete will only be used for the specific purposes for which we have indicated that we will keep the data.
8. What rights do you have?
Under the various subheadings below, you can read about the rights you have when Kivra is the controller of the processing of your personal data. For information on how to exercise your rights, see section 9 below.
8.1 Right to information
Whenever Kivra collects personal data about you, you have the right to be informed about how we process your personal data. You also have the right to be informed if we plan to process your personal data for any purpose other than that for which it was originally collected.
We provide you with such information, and other information we believe is important for you, through this privacy notice. We will also provide you with information about how we process your personal data by answering any questions you may have for us.
You can read more about what information you are entitled to receive from us, how the information should be provided, etc. at the Swedish Authority for Privacy Protection’s website.
8.2 Right of access
You have the right to obtain confirmation as to whether Kivra is processing personal data about you, and if so, have access to the personal data we are processing, together with certain information about the processing.
You access your personal data by receiving a copy of the personal data we process, a so-called register extract. There is no charge for obtaining a copy of your register extract. For any additional copies you request, Kivra may charge a reasonable fee to cover our administrative costs.
As a general rule, we will provide you with your register extract in the Service. The register extract can also be sent encrypted by e-mail, or to your registered address, if you prefer.
You can read more about what information you are entitled to receive from us if you request a register extract, how the information should be provided, etc. at The Swedish Authority for Privacy Protection’s website.
8.3 Right to rectification
You have the right to request that we correct inaccurate information about you, and that we complete incomplete information about you.
If you change your phone number, email address or other contact information, you can update such information yourself, by logging into the Service and adjusting your account settings.
You can read more about the right of rectification, examples of when it applies and how you can exercise it at the Swedish Authority for Privacy Protection’s website.
8.4 Right to erasure
In certain circumstances, you have the right to have the personal data Kivra processes about you erased. This is the case, for example, if it is no longer necessary for Kivra to process the data for the purpose for which we collected it; if you withdraw your consent; if you have objected to the processing and there are no legitimate, overriding justifications for the processing; or if the processing relates to direct marketing and you object to the direct marketing. (For the separate right to object, see the next subheading.)
Your right to have your personal data erased is not absolute, but applies when the legal conditions for erasure are met. Examples of situations where those conditions are not met, and where we do not comply with your request, are if the data is still necessary to process for the lawful purpose for which it was collected, or if there is a legal requirement for us to retain the data.
If you want Kivra to erase all of the personal data covered by your right to have your data erased, you must first close your account with Kivra. Kivra will then erase personal data about you as described in section 7 above.
You can read more about when you have the right to have your personal data erased, in which cases Kivra has the right to refuse your request for erasure, etc. at the Swedish Authority for Privacy Protection’s website.
8.5 Right to object to processing
You have the right to, due to your specific situation, object at any time to the processing of your personal data carried out by Kivra on the basis of a so-called balancing of interests. In section 4 and section 6 above, you can read about the cases in which Kivra processes your personal data based on a balancing of interests.
If you object to such processing, Kivra may no longer carry out the processing, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or for the establishment, exercise or defense of legal claims.
You can also object at any time to our use of your personal data for direct marketing purposes. If you notify us that you no longer wish to receive direct marketing from us, we will stop sending you such marketing. We will also stop processing your personal data for that purpose.
You can read more about your right to object to personal data processing at The Swedish Authority for Privacy Protection’s website.
8.6 Right to restriction of processing
You have the right to request that we restrict our processing of your personal data if you believe that data we hold about you is inaccurate; that our processing is unlawful (but you object to its erasure); that we no longer need the data for the purpose for which it was processed (but you need it to establish, exercise or defend a legal claim); or if you have exercised your right to object to our processing of your personal data.
If Kivra's processing of your personal data is restricted, we will (with the exception of storage) only process the data with your consent or for the establishment, exercise or defense of legal claims, to protect the rights of another natural or legal person, or for reasons relating to an important public interest.
You can read more about the right to restriction of processing and find examples of when it can be invoked at the Swedish Authority for Privacy Protection’s website.
8.7 Right to transfer your personal data to another recipient ("Right to data portability")
You have the right to receive certain personal data about you in a structured, commonly used and machine-readable format, known as data portability. You have the right to transfer such data to another recipient, such as another service. If technically feasible, as determined by Kivra, you also have the right to request that Kivra transfer the data directly to the other recipient.
The right to data portability covers personal data relating to you, which you have provided to Kivra, which Kivra processes automatically, and which you have consented to provide to Kivra or which you have provided to Kivra pursuant to a contract. (Under section 4 and section 6 above you can read about the cases in which Kivra processes your personal data with your consent or on the basis of a contract.)
You can read more about the right to data portability at the Swedish Authority for Privacy Protection’s website.
8.8 Right to withdraw your consent
Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. When you withdraw your consent, we will stop the processing. The withdrawal of your consent does not affect the lawfulness of the processing that was based on your consent before it was withdrawn. (See section 4 above for the cases in which Kivra processes your personal data based on your consent.)
8.9 Right to lodge a complaint
If you have a complaint about how Kivra processes your personal data, we would like you to tell us by writing to dataskydd@kivra.se. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection, which is the supervisory authority for Kivra's personal data processing. For more information on how to lodge a complaint with the Swedish Authority for Privacy Protection, please visit the authority's website.
9. How can you exercise your rights?
You can read more about your rights, how to exercise them and how to file a complaint on the Swedish Authority for Privacy Protection's website.
If you wish to get in touch with Kivra to exercise your rights under the GDPR you can reach us by email dataskydd@kivra.se or by phone: 077-045 70 00.
If you wish to exercise any of your rights, we will inform you of the action we have taken in response to your request within one month at the latest. This period may be extended by a further two months if necessary in view of the complexity of the request or the number of requests received. We will inform you of such an extension and the reasons for the extension within one month of receiving your request.
Exercising your rights is free of charge for you, unless your requests are manifestly unfounded or unreasonable. In the latter case, we may charge a reasonable fee to cover our administrative costs in complying with your request, or refuse your request.
If we do not take action on your request, we will, within one month of receiving it, inform you of the reason for the failure to take action and of the possibility of lodging a complaint with the Swedish Authority for Privacy Protection and requesting a judicial remedy.
10. Updates
We update this privacy notice when necessary - for example, because we start processing your personal data in a new way, because we want to make the information even clearer to you, or if it is necessary to do so in order to comply with data protection legislation.
If we make major changes, we will communicate this on our website, in the app or in some other way that makes you aware of the change, for example by sending you an email.
11. Where do you turn with comments or questions?
You are always welcome to contact Kivra by email dataskydd@kivra.se or by phone: 077-045 70 00 if you have any questions or concerns about how we handle your personal data.
All Kivra employees receive data protection training and information, and we have a dedicated team to answer your data protection questions, receive feedback and ensure that you can exercise your rights. Kivra also has a Data Protection Officer (DPO) who monitors our compliance with the GDPR.
Kivra's data protection team and DPO can be reached by email at dataskydd@kivra.se. If you wish to contact the DPO directly, please write "DPO" in the subject line.