Privacy notice
Here we have gathered information about how we process your personal data. This data protection information is effective from 2025-07-04.
We protect your privacy
On this page, we explain how Kivra handles your personal data when you use Kivra's services or otherwise interact with Kivra. You also receive information about your rights and how you can exercise them.
To make it easier for you to find the information you are interested in, we have divided the page into a number of headings. You can click on the various headings in the list on the right to go directly to the section you are looking for.
The terms used in this data protection information have the same meaning as in Kivras terms. When we talk about Kivra, we mean Kivra Sweden AB (org no. 556917-3544). If you are looking for a job at Kivra, it refers instead to Kivra AB (org no. 556840-2266).
1. About the processing of personal data
Personal data is all information that can be directly or indirectly linked to a living natural person. Examples of personal data are name, e-mail address, telephone number, social security number, IP address and account number.
Most of us want to be able to control who we share our personal data with, and how it is used. For that reason, there are special laws and regulations on how companies and other actors may process personal data, so-called data protection legislation. Examples of data protection legislation are the EU's General Data Protection Regulation (GDPR). Data protection legislation governs how companies and other actors may process personal data and what rights individuals have when their personal data is processed. Processing of personal data is basically any use of personal data - such as collecting, creating, analyzing, sharing, and deleting personal data.
Most obligations under data protection legislation fall on the person responsible for personal data. A personal data controller is an actor, for example a company, which decides for which purposes personal data shall be processed and how the processing shall take place.
In certain situations, personal data controllers can hire a so-called personal data assistant. A personal data processor is an actor who is tasked with processing personal data on behalf of the personal data controller. A personal data assistant may only process personal data according to instructions from the personal data controller, and may never use the data for other purposes.
2. Is Kivra a personal data controller or a personal data assistant?
Kivra processes personal data both in the role of personal data controller and as personal data assistant for others. Sections 3-8 of this data protection information describe what applies when Kivra processes your personal data as a data controller. If you want to get a complete picture of which treatments it refers to see section 3 below.
Below is a description of the most important examples when Kivra processes your personal data as a personal data processor:
When Kivra conveys E-mails, Forms or Offers to you, it is the Sender who is the personal data controller for the processing, and Kivra is the personal data assistant to the Sender. If you want information about how your personal data is processed during the mediation, we refer you to the Sender who is responsible for the shipment in question.
When an e-mail is in your mailbox in Kivra, responsibility for personal data is transferred from the Sender to you. Kivra is then your personal data assistant. This is because Kivra only processes personal data according to your instructions and purposes. Kivra has no own purpose in processing your personal data except to provide the Services for you.
If you are a private person who only uses personal data for your own, personal purposes (the so-called "household exception"), the GDPR does not apply. This means that you do not have to comply with the requirements set out in the regulation. However, Kivra is still obliged to fulfill its obligations as a personal data processor, for example by only processing personal data according to your instructions. For that reason, Kivra signs a personal data assistant agreement with all Users, even if you as a User are not bound by the requirements of the regulation. The purpose is that you should always feel secure that your personal data is handled in a safe and legal manner, in accordance with your instructions. What obligations Kivra has when we act as a personal data processor is shown in your personal data processing agreement with Kivra.
When Kivra sends an SMS that you can access a credit report copy, it is the credit reporting company that created the credit report and is the personal data controller for the processing. Kivra is a personal data assistant for the credit reporting company. If you want information about how your personal data is processed at the brokerage, we refer you to the credit information company that created the credit information. You can find general information about how your personal data is processed in connection with credit reporting companies sending credit report copies here.
3. What does Kivra use your personal data for?
The tables below describe:
For what purposes we use your personal data.
Which categories of personal data we use for each purpose.
Where we have received the personal data from, i.e. whether we have received the data from you or from another source.
What legal basis we have for our processing of your personal data. Without a legal basis, we may not process your personal data.
How long we use and save your personal data for each purpose.
About and with whom we share your personal data.
3.1 When you use Kivra as a private person
In this section, we describe how your personal data is processed when you use Kivra's services as a private individual. According to our general terms and conditions for individuals, in this role you are referred to as a "User".
3.1.1 To manage your account and basic functions
The processing necessary for your account to be created, exist and function as a secure digital mailbox is described here. This includes, among other things, how we verify your identity, keep your information up to date and ensure that you can receive mail from connected senders.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Verify your identity in connection with using Mobile BankID, e.g. when you log into the Service or sign a payment. | Social security number (From you) Information about your activity with BankID (Financial ID-Teknik BID AB) | The processing is necessary to fulfill your contract with Kivra.
| Up to 20 days after you terminate the Service. | Finansiell ID Teknik BID AB, which provides BankID in the role of personal data controller, read more here. |
Create and provide your account with Kivra, to allow you to use Kivra's Services. | Name Social security number Email address Telephone number (From you) Information about your activity with BankID (Financial ID-Teknik BID AB) User ID (Kivra) | The processing is necessary to fulfill your contract with Kivra. | Up to 20 days from when you terminated the Service. | Finansiell ID Teknik BID AB, which provides BankID in the role of personal data controller, read more here. |
Notify the Sender which Users can receive E-mails in Kivra - in cases where Kivra provides the Sender with contact and identification details for all Users. Email shipments to. As can be seen from section 2 above, in some cases it is the Sender, and not Kivra, who is responsible for the processing of personal data to check whether you can receive e-mails in Kivra. | Social security number Email address Telephone number (From you)
| The processing is necessary to fulfill your contract with Kivra. | Up to 20 days after you terminate the Service. | Sender who sends e-mails to you in the role of personal data controller. |
Notify the Danish Agency for Digital Administration (DIGG) if you have chosen to receive (or chose not to receive) e-mails from different senders in Kivra. | Social security number (From you) | The processing is necessary to fulfill your contract with Kivra. | Up to 20 days after you terminate the Service. | The authority for digital management (DIGG) which provides the Brokerage Address Register (FaR) in the role of personal data controller, read more here. |
Carry out daily checks against the State's personal address register (SPAR) of your contact and identification details, in order to ensure that the details are updated and correct. | Name Social security number (From you) | The processing is necessary to fulfill Kivra's legal obligations to only process correct data according to the data protection regulation. | Up to 20 days after you terminate the Service. | Creditsafe i Sverige AB, which collects data from the State's Personal Address Register (SPAR) in the role of personal data controller, read more here. |
If you are a minor: Obtain the guardian's approval before you enter into an agreement with Kivra.
| Name Social security number (From you) Details of your guardians (SPAR)
| The processing of information about the minor is necessary in order to enter into an agreement with the minor.
| We will save the guardian's consent until the earlier of i) up to 20 days after you terminate your agreement with Kivra; and ii) 12 months after you turn 18. | Your guardians Creditsafe i Sverige AB, which collects data from the State's Personal Address Register (SPAR) in the role of personal data controller, read more here. Finansiell ID Teknik BID AB, which provides BankID in the role of personal data controller, read more here. |
If you are a guardian: Obtain and save your approval of the minor entering into an agreement with Kivra. | Social security number (From you) Information about your activity with Mobile BankID (Financial ID-Teknik BID AB) | The processing of information about guardians is based on a Balance of Interest. It is motivated by Kivra's legitimate interest in ensuring that minors who acquire Kivra have the consent of their guardians. | We will save the guardian's consent until the earlier of i) up to 20 days after you terminate your agreement with Kivra; and ii) 12 months after you turn 18. | Finansiell ID Teknik BID AB, which provides BankID in the role of personal data controller, read more here. |
3.1.2 To enable you to use specific services and functions
Here it is described how your personal data is processed when you choose to use one of our additional services, such as receiving digital receipts or taking part in offers. The treatments only take place if you use the specific function.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Notify the Sender if you can receive digital receipts in Kivra - in cases where Kivra provides the Sender with contact and identification details to all Users. | Social security number Email address Telephone number (From you) User ID (Squeal) Information about your payment card (From you and the Sender) | The processing is necessary to fulfill your contract with Kivra. | Up to 20 days after you terminate the Service. | The sender Storebox Aps, which provides a platform for handling digital receipts in the EU/EEA in the role of personal data processor. |
Delete information about an expired payment card. | User ID (Squeal) Information about your payment card (From you) | Balance of interests justified by Kivra's legitimate interest in deleting redundant and outdated personal data and continuing to provide a functioning service. | Saved as long as the payment card is registered in the Service. | Storebox Aps, which provides a platform for handling digital receipts in the EU/EEA in the role of personal data processor. |
Validate your payment card details | Information about your payment card (From you) | The processing is necessary to fulfill your contract with Kivra. | Deleted immediately after validation. | |
Obtain information about the Users' civil registration address. | Social security number (From you) Address (SPAR) | Balance of interests motivated by Kivra's legitimate interest in making it possible for Users to take part in Offers in their immediate area. | Up to 20 days after you terminate the Service. | Creditsafe i Sverige AB, which collects data from the State's Personal Address Register (SPAR) in the role of personal data controller, read more here. |
Show which Offers are available in the Users' vicinity. | Social security number (From you) Address (SPAR) Coordinates based on address (Squeal) | Balance of interests motivated by Kivra's legitimate interest in making it possible for Users to take part in Offers in their immediate area. | As long as the Offer is available. | Google Cloud EMEA Limited which provides a cloud-based API service for geocoding (transformation of addresses into geographic coordinates) in the EU/EEA in the role of data processor. |
Create aggregated and anonymized information about how many Users have opened a certain Offer from the Sender. This is done in order to invoice the Senders for Kivra's service. | Information about your choices, settings and interactions with the Service (From you) | Balancing of interests motivated by Kivra's legitimate interest in charging Senders for their services. | Up to 20 days after you terminate the Service. | Google Cloud EMEA Limited which provides infrastructure for data storage and analysis in the EU/EEA in the role of personal data processor. Hex Technologies Inc. which provides a service for analysis and visualization within the EU/EEA in the role of Kivra's personal data assistant. Tableau Ireland providing an analysis and visualization service in the EU/EEA in the role of Kivra's data controller. |
3.1.3 For our communications and marketing to you
Here is how we process your data to communicate with you. It can be about everything from service announcements and news about the Service to marketing and personalized notices, so that your experience is as relevant as possible.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Communicate with you in the Service (eg give you news or tips about Kivra's Service). In some cases, the treatment may constitute profiling in order to adapt the content of the communication and make it more relevant to you. You can object to the profiling at any time by contacting us. | User ID (Squeal) Information about the digital device (eg mobile phone or computer) that you use (From you) Information about your e-mails (The Sender) Information about your choices, settings and interactions with the Service (From you) | Balance of interests motivated by Kivra's legitimate interest in providing you with relevant information about Kivra's Service. | Up to 20 days after you terminate the Service. | Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. |
Send E-mails to you in Kivra when Kivra is the Sender. | Social security number (From you) Personal data appearing in the e-mail (Squeal) Information about your e-mails (Squeal) | Balance of interests motivated by Kivra's legitimate interest in providing you with relevant information about Kivra's Service. | The mediation takes place immediately. | |
Send marketing messages, surveys and questions about Kivra's Service. You can choose to decline such mailings through settings in the Service or by unregistering via the link in the mailing. If you decline the mailings, Kivra needs to save information about you in a blocking list to avoid further mailings being made to you. | Name Social security number Email address (From you) | For sending: Balance of interests motivated by Kivra's legitimate interest in informing you about news related to Kivra's Service and sending you questions (e.g. a survey or survey regarding Kivra or Kivra's Service). For blacklisting: Legal obligation not to send to you if you have refused. | Up to 20 days after you terminate the Service. | Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. |
Through tracking technology, we collect information about you in order to send you notifications or show you relevant messages. This is to be able to give you a more personal experience of our websites and apps. See here what tracking technology is used for personal adaptation. | Information about the digital device (eg mobile phone or computer) that you use (From you). Information about your choices, settings and interactions with the Service (From you). | Your consent.
| For information on how long we save the information we collect through tracking technology, see here | Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. |
3.1.4 To analyze, improve and secure the Service
This describes the technical and analytical processing we perform in the background to ensure that Kivra is a safe, stable and user-friendly platform. This includes, among other things, troubleshooting, protection against cyber attacks and analysis at an overall level in order to develop and improve our services.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Process your personal data and use it for so-called business intelligence and business development, i.e. to understand how our Services are used so that we can make appropriate business and product development decisions. | Information about your Content (From you and the Sender) Information about your choices, settings and interactions with the Service (Squeal) Information about the digital device (eg mobile phone or computer) that you use (From you) | Balancing of interests motivated by Kivra's legitimate interest in making appropriate business and product development decisions. | The data is anonymized 45 days after processing. If you have terminated the Service, the data will be deleted 45 days after you have terminated the Service.
| Google Cloud EMEA Limited which provides infrastructure for data storage and analysis in the EU/EEA in the role of personal data processor. Hex Technologies Inc. which provides a service for analysis and visualization within the EU/EEA in the role of Kivra's personal data assistant. Tableau Ireland providing an analysis and visualization service in the EU/EEA in the role of Kivra's data controller. |
Create aggregated and anonymized information for the Sender about the type of e-mails Kivra has delivered to the Sender. This is done in order to be able to invoice the Senders for Kivra's mediation of E-mails. | Information about your e-mail shipments . (The Sender) Information about your choices, settings and interactions with the Service (From you) | Balancing of interests motivated by Kivra's legitimate interest in charging Senders for their services. | Up to 20 days after you terminate the Service. | Google Cloud EMEA Limited which provides infrastructure for data storage and analysis in the EU/EEA in the role of personal data processor. |
Create aggregated and anonymized information for Senders, to provide them with insights into the services Kivra provides them, e.g. how many e-mails have been delivered to the Sender and the average open rate. | Information about your e-mail shipments (The Sender) Information about your choices, settings and interactions with the Service (From you) Information about the digital device (eg mobile phone or computer) that you use. (From you) | Balance of interests motivated by Kivra's legitimate interest in providing the Sender with insights into Kivra's services to the Sender. | Up to 20 days after you terminate the Service. |
|
Through tracking technology, we collect information that is necessary for our websites and apps to function properly. See here which tracking technology is to be considered as necessary. | Information about the digital device (eg mobile phone or computer) that you use (From you) Information about your choices, settings and interactions with the Service (From you)
| Balance of interests justified by Kivra's legitimate interest in providing a secure and functional service. | For information on how long we save the information we collect through tracking technology, see here. | Google Cloud EMEA Limited which provides a service for analyzing errors and crashes as well as for notifications in the EU/EEA in the role of Kivra's personal data assistant. Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. |
Through tracking technology, we collect information about how you use our websites and apps to analyze and improve, on an aggregated level, the user experience of our Services. See here which tracking technology is used for analysis. | Information about the digital device (eg mobile phone or computer) that you use (From you). Information about your choices, settings and interactions with the Service (From you). | Your consent for analysis of our app. Balance of interests for analyzing our web pages motivated by Kivra's legitimate interest in improving the user experience of our Services.
| For information on how long we save the information we collect through tracking technology, see here. | Amplitude, Inc. which provides analysis tools in Kivra's apps in the EU/EEA in the role of Kivra's personal data assistant. Plausible Insights OÜ, which provides analysis tools on Kivra's web pages in the EU/EEA in the role of Kivra's personal data assistant. |
Troubleshooting and familiarity with the use of logs, metrics and tracing
| Information about the digital device (eg mobile phone or computer) that you use (From you) Information about your choices, settings and interactions with the Service (From you) | Balance of interests motivated by Kivra's legitimate interest in following up that the Service functions correctly and being able to detect, follow up, handle and remedy any errors and security incidents | Up to 90 days from the event being logged. | Supplier providing services for log analysis and monitoring in the EU/EEA in the role of Kivra's personal data assistant. Google Cloud EMEA Limited providing a troubleshooting service in the EU/EEA in the role of Kivra's personal data assistant. |
Measures for security purposes, such as network segmentation and DDoS protection | IP address of the digital device(s) (e.g. mobile phone or computer) that you use (From you) | Balance of interests motivated by Kivra's legitimate interest in providing a secure Service by protecting systems and applications from unauthorized access, malicious code, cyber threats or the like | 45 days from the event being logged. | Providers of cyber security services that provide services within the EU/EEA to protect Kivra's Service in the role of Kivra's personal data assistant |
Backup to protect and restore data
| All categories of personal data in connection with your use of our Services | Balance of interests motivated by Kivra's legitimate interest in providing a secure and reliable Service by being able to protect and restore data, including personal data, in the event of technical errors or incidents. | 30 days from when the event is logged. | Supplier that provides infrastructure and platform services in Sweden for the restoration of data in the role of Kivra's personal data assistant |
3.1.5 When you are in contact with our customer service or leave feedback
This describes how your personal data is processed when you contact our support, report a bug or otherwise give us feedback, for example by participating in a customer survey. The aim is for us to be able to give you the best possible help and take advantage of your views.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Identify yourself securely in your case with Kivra's customer service | Name Social security number Email address Telephone number Address (From you) Information about your activity with Mobile BankID (Financial ID-Teknik BID AB) Verification code (Squeal) | Balancing of interests justified by Kivra's legitimate interest in providing a secure customer service. | 13 months from the end of the case. | Finansiell ID-Teknik BID AB, which provides BankID in the role of personal data controller, read more here. |
Handling of customer service cases | Information about your contacts with Kivra's customer service (From you) Any recordings of conversations with you (From you) Any information from a relative who helps you manage the Service (Relative) Any information about payments (Think) Any information about direct debit authorization and payments (Trustly) Any information about payments (Swish) Any information about your Content (The Sender) | Balancing of interests justified by Kivra's legitimate interest in providing customer service. Recordings of calls: Your consent
| 13 months from the end of the case. | Telavox AB, which provides telephony services in the EU/EEA in the role of Kivra's personal data assistant. Zendesk Inc. which provides a platform for customer service in the EU/EEA in the role of Kivra's personal data assistant. Google Cloud EMEA Limited, which provides Google Workspace in the EU/EEA in the role of Kivra's personal data assistant. Your relatives who help you manage the Service. Tink AB, which provides payment services in the role of personal data controller, read more here. Trustly Group AB, which provides payment services in the role of personal data controller, read more here. Getswish AB, which provides payment services in the role of personal data controller, read more here. |
Logging that is done in order for Kivra's customer service to be able to see how you have interacted with Kivra. | Information about your choices, settings and interactions with the Service (From you) Information about your e-mails (Squeal) Details of your guardians (SPAR) | Balancing of interests justified by Kivra's legitimate interest in providing customer service. | The last 500 events that have been logged. The last 500 events are saved up to 20 days after you terminate the Service. | CreditSafe AB, which collects information from the State's personal address register (SPAR) in the role of personal data controller, read more here. |
Contact you within the framework of a customer survey | Name Email address Telephone number (From you or the customer research company) | Your consent (for customer surveys via customer survey companies) Balance of interests (for other feedback and customer surveys carried out by Kivra) Kivra's legitimate interest in contacting you in the context of a customer survey | As long as the customer survey is ongoing. | The customer survey company that recruits a consumer panel in the role of personal data controller. Google Cloud EMEA Limited which provides a Google Workspace in the EU/EEA in the role of Kivra's personal data assistant. |
Improve Kivra's Services. | Data that you provide in the survey or report (From you) | Your consent (for customer surveys via customer survey companies) Balance of interests (for other feedback and customer surveys carried out by Kivra) motivated by Kivra's legitimate interest in being able to identify you and manage your feedback regarding Kivra's Service. | As long as the customer survey is ongoing (for customer surveys). 13 months from the end of the case with Kivra's customer service (for other feedback). | The customer survey company that recruits a consumer panel in the role of personal data controller. Google Cloud EMEA Limited, which provides Google Workspace in the EU/EEA in the role of Kivra's personal data assistant. |
Contact you when you have reported a bug or otherwise provided feedback on our Services. | Name Email address Telephone number (From you) Data that you provide in the survey or report (From you) | Balance of interests motivated by Kivra's legitimate interest in being able to identify you and manage your feedback regarding Kivra's Service. | 13 months from the end of the case with Kivra's customer service. |
3.2 When you represent a company or an organization
3.2.1 When managing an account for a business
Here we describe how your personal data is processed when you, as an authorized representative, create and administer an account for the company or organization you represent (in accordance with our terms a "Business User"). The information covers, among other things, how we verify your eligibility and handle any payments.
Note: In order to represent a Business user in Kivra, you need a private Kivra account. This means that the treatments described in section 3.1 (When you use Kivra as a private person) also apply to you. This section describes the treatments that are added specifically because of your role as a representative.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Check your eligibility to represent a company through daily checks against DIGG's register. | Social security number (From you) Information about your company positions (DIGG) | Balance of interests motivated by Kivra's legitimate interest in ensuring that you, as a representative, have the right to represent the company/organization. | As long as you represent the Business User or up to 20 days after you terminate the Service. | The authority for digital governance (DIGG) which provides the intermediary address register (FaR) in the role of personal data controller, read more here. |
Share with Sweden's National Sports Confederation to check eligibility to represent Business users who are non-profit organizations. | Social security number (From you / Sweden's National Sports Confederation) Information about your association positions (Swedish National Sports Confederation) | Balancing of interests motivated by Kivra's legitimate interest in ensuring that representatives have the right to represent the Business User. | Sharing takes place immediately after registration by the User and processing ceases thereafter. | Sweden's National Sports Confederation, which provides its membership register in the role of personal data controller, read more here. |
Grant and revoke authorization to represent a Business user. | Social security number (From you or the Swedish National Sports Confederation) Information about your company positions (DIGG or Sweden's National Sports Confederation) | Balancing of interests motivated by Kivra's legitimate interest in ensuring that representatives have the right to represent the Business User. | As long as the User represents the Business User. | The Digital Governance Authority (DIGG) which provides the Intermediary Address Register (FaR), read more here. Sweden's National Sports Confederation, which provides its member register in the role of personal data controller, read more here. |
Get paid for Kivra Företag Plus. | Information about your payment card (From you) Information about your purchase of Kivra Företag Plus (From you) | Balancing of interests motivated by Kivra's legitimate interest in charging for our services. | The former of i) that you update your payment card details; and ii) 45 days after you terminate the agreement on Kivra Företag Plus. | Stripe Payments Europe, Ltd which provides payment services in the EU/EEA in the role of Kivra's personal data assistant. |
Fulfill Kivra's obligations according to the Accounting Act (1999:1078). | Information about your purchase of Kivra Företag Plus (From you) | The processing is necessary to fulfill Kivra's legal obligations. | From the date of purchase through the seventh (7) year following the end of the calendar year in which the fiscal year ended. | Stripe Payments Europe, Ltd which provides payment services in the EU/EEA in the role of Kivra's personal data assistant. |
3.2.2 As a representative of a Sender, partner or supplier
This describes how we process your work-related personal data when you are a contact person at a Sender, partner or suppliers. The text covers the entire business relationship - from initial dialogue and agreement to ongoing administration and communication - regardless of whether Kivra is a supplier or customer in the relationship.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Prospecting: Identify new leads and relevant decision makers by collecting work-related contact information. | Name E-mail address Phone number Title (Publicly available information, e.g. company websites, LinkedIn, company register) | Our legitimate interest in being able to identify potential business customers and establish an initial contact in order to grow our business, where the processing only relates to work-related contact information obtained from public sources. | The data is saved for up to 6 months in order to initiate a contact. If no dialogue has been initiated during this period, the data will be deleted. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. |
Sales dialogue: Manage and conduct a sales dialogue with you as a company representative to understand your organization's needs and drive a dialogue towards a possible collaboration. This applies regardless of whether the dialogue was initiated by us, or if you yourself contacted us with an expression of interest. | Name E-mail address Telephone number Title (From you) | Our legitimate interest in being able to conduct a business dialogue with you as a company representative in order to present our services and establish a new business relationship. | During the time the dialogue is active. If no activity has taken place for one (1) year, the data is deleted. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. Google Cloud EMEA Limited providing a platform for e-mail and productivity (Google Workspace) in the EU/EEA in the role of Kivra's data controller. |
Order, contract process and signing: Conduct dialogue, negotiate and produce a contract proposal which is then signed electronically to formally start the business relationship. | Name E-mail address Phone number Title Signature (From you) | Our legitimate interest in being able to administer the contractual process with the organization you represent to establish and manage the business relationship. | Data linked to the dialogue is saved as long as it is active. The signed agreement, which constitutes accounting information, is saved in accordance with the Accounting Act up to and including the seventh (7) year after the end of the calendar year in which the accounting year ended. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. Scrive AB, which provides a platform for electronic signing in the EU/EEA in the role of Kivra's personal data assistant. Google Cloud EMEA Limited providing a platform for e-mail and productivity (Google Workspace) in the EU/EEA in the role of Kivra's data controller. |
Provision of digital services: To give authorized users at your place access to agreed services, such as Sender Portal and Kivra Campaign. This includes secure identification and authentication to protect your account and data. | Name Email address (From you) | Our legitimate interest in being able to identify authorized users in order to securely provide the contracted service to the organization you represent. | As long as you are an active user on behalf of your organization. | |
Ongoing support and incident management: Manage your organization's support issues, troubleshoot, report relevant incidents (such as personal data incidents and other security incidents) and communicate necessary service information. | Name Email address Telephone number (From you) | Our legitimate interest in being able to offer support and communicate service information to maintain the functionality of the service your organization uses. Also legal obligation for reporting certain incidents. | As long as the contractual relationship lasts. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. Google Cloud EMEA Limited providing a platform for e-mail and productivity (Google Workspace) in the EU/EEA in the role of Kivra's data controller. |
Billing: Manage billing for the services your organization uses. | Name of invoice reference (From you) | Our legitimate interest in being able to manage payment and invoicing for the services your organization uses, in order to administer the business relationship. Also legal obligation to store documents according to the Accounting Act. | Up to and including the seventh (7) year after the end of the calendar year in which the fiscal year ended. | Fortnox AB which provides a platform for financial administration and invoicing in Sweden in the role of Kivra's personal data assistant. Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. |
Reporting and statistics: Compile and make available reports and statistics for your organization, based on your use of Kivra's services, to provide insight and added value. | User data that is aggregated (From you) | Our legitimate interest in being able to offer added value to your organization through insightful statistics, as well as being able to understand and analyze the use of our services for future product development. | Instant aggregation. No personal data is saved. | |
Newsletter and information: As a company representative, keep yourself informed of relevant news, product updates and industry insights via email. | Name Email address Title (From you)
| Our legitimate interest in being able to maintain the business relationship with the organization you represent and to market relevant services and news, with a clear and simple opportunity for you to unsubscribe from mailings. | During the contract period and up to one (1) year afterwards. Always ends if you unregister. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. |
Events and webinars: Invite you and manage registrations for events and webinars in order to build and maintain business relationships. | Name Email address Any food preferences (From you)
| Our legitimate interest in being able to build and maintain business relationships and market our services by inviting relevant contact persons to events and webinars. | Invitation and participant lists are saved for one (1) year after the event has been completed. | Salesforce.com EMEA Limited providing a customer relationship management (CRM) platform in the EU/EEA in the role of Kivra's data controller. Braze, Ltd. which provides a service for customer communication in the EU/EEA in the role of Kivra's personal data assistant. Livestorm SAS, which provides a platform for webinars in the EU/EEA in the role of Kivra's personal data assistant. |
Administration of suppliers and purchases: Manage the purchasing process and the contractual relationship with suppliers, from evaluation and negotiation to ongoing contract management. | Name Email address title Signature (From you) | Our legitimate interest in being able to purchase, implement and manage the necessary systems and services to be able to run and develop our own business. The processing is necessary in order to establish and maintain the business relationship with the supplier you represent. | Personal data in ongoing communication is saved as long as the contractual relationship with the supplier lasts. The agreement itself, which constitutes accounting information, is saved in accordance with the Accounting Act up to and including the seventh (7) year after the end of the calendar year in which the accounting year ended. | Precisely AB which provides a platform for storage and management of agreements in Sweden in the role of Kivra's personal data assistant. Google Cloud EMEA Limited providing a platform for e-mail and productivity (Google Workspace) in the EU/EEA in the role of Kivra's data controller. |
3.2.3 When you use Kivra's Verification Service
In this section, we describe how your personal data is processed when you use Kivra's Verification Service. You then act as a representative of a company or an organization. According to the terms and conditions of the service, the organization you represent is called a "Controller".
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Verify your identity in connection with using Mobile BankID, e.g. when you log into Kivra's verification service. | Social security number (controller's representative) Information about your activity with BankID (Financial ID-Teknik BID AB) | Balancing of interests motivated by Kivra's legitimate interest in verifying your identity when using the verification service. | During the time you are logged in to the verification service. | |
Through tracking technology, we collect information that is necessary for our web pages to function properly. See here which tracking technology is to be considered necessary.
| Information about the digital device (eg mobile phone or computer) that you use (From you) Information about your choices, preferences and interactions with the verification service (From you) | Balance of interests justified by Kivra's legitimate interest in providing a secure and functional service.
| For information on how long we save the information we collect through tracking technology, see here. | |
Analysis and logging done for security reasons, e.g. to be able to detect, manage and investigate possible intrusions and cyber attacks.
| Social security number (controller's representative) Information about your activity with BankID (Financial ID-Teknik BID AB) Information about the digital device (eg mobile phone or computer) that you use (controller's representative) Information about your choices, preferences and interactions with the verification service (controller's representative) | Balance of interests motivated by Kivra's legitimate interest in following up that the verification service is working correctly and in being able to detect, follow up, manage and remedy any security incidents. | Up to 5 years from the event that is logged. | |
Logging that is done to ensure that Kivra's website and verification service works as intended, and to investigate errors that are detected (so-called application logs).
| Social security number (controller's representative) Information about your activity with BankID (Financial ID-Teknik BID AB) Information about the digital device (eg mobile phone or computer) that you use (controller's representative) Information about your choices, preferences and interactions with the verification service (controller's representative) | Balance of interests motivated by Kivra's legitimate interest in following up that the verification service works correctly and in being able to detect, follow up, manage and remedy any errors. | 45 days from the event being logged. | |
Troubleshoot and investigate suspected security incidents.
| All categories of personal data that Kivra processes can be used, depending on the error / incident in question. | Balance of interests motivated by Kivra's legitimate interest in following up that the verification service is working correctly and in being able to detect, follow up, manage and remedy any errors and security incidents. | During the investigation of the error / incident. |
3.3 When you apply for a job or internship with us
Here is how we process your personal data throughout the entire recruitment journey. It includes everything from when you submit an application or are contacted by us, to interviews, possible work samples and how we save your data for future opportunities.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Manage and assess your application (such as collecting, reviewing CVs, grades, certificates, conducting tests/cases) | Name, social security number, contact details (address, e-mail, phone), CV, cover letter, grades, certificates, references, information from any tests, case exercises, interviews (incl. notes) Ev. link to LinkedIn profile or other public source you specify. Data from reference persons or recruitment firms that you have approved for us to contact (data from you, reference person or recruitment firm) | Our legitimate interest in being able to administer the recruitment process and assess your suitability for the position or internship applied for. | 180 days after completion of recruitment for the specific post. See treatment below for the possibility of longer storage for future recruitment opportunities | Teamtailor AB (personal data assistant for recruitment platform) |
Administer the recruitment process (call for an interview, book meetings, communicate status, leave a message) | Name, contact details (email, telephone), information related to the specific recruitment process (e.g. interview times, notes from conversations) (data from you) | Our legitimate interest in being able to effectively manage and communicate with you regarding the recruitment process. | 180 days after completion of recruitment for the specific position.
| Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
Save data for future recruitment opportunities (contact you about future services that match your profile) | Name, contact details (email, telephone), CV, personal letter, place of work/preferences, notes from previous processes (if relevant) (data from you in previous application process at Kivra) Name, telephone number, email address, place of work, CV, cover letter and notes from previous interviews at Kivra, if such has occurred | Your consent which you provide separately by actively agreeing to remain in our candidate database by email). You can revoke this consent at any time. 180 days, up to 2 years and match your profile to future job positions with us if you approve this job seeker or intern chooses to be in Kivra's job seeker database | Up to two (2) years from the time you gave your consent, or until you revoke it. We may contact you before the period expires to ask for renewed consent. | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
Fulfill our obligations and safeguard our rights in accordance with, for example, labor legislation, collective agreements and the discrimination act. | Name, information relevant to be able to handle a possible claim, for example information from the application, interview notes, communication, assessments. (information from you who are applying for a position or internship) | Our legitimate interest in being able to defend against and deal with any legal claims (e.g. discrimination cases | Up to two (2) years after the end of the recruitment process, in accordance with the statute of limitations in the Discrimination Act. This storage takes place regardless of whether you have agreed to point 3 or not, but access is limited. | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. External legal advice in the event of a dispute |
Conduct background checks (if relevant to the post) to verify details and assess suitability for specific roles) | Name, social security number, contact details (email, telephone), information about the intended service | Our legitimate interest in ensuring that candidates for particularly sensitive positions (for example financial responsibility or security clearance) meet the necessary requirements and are trustworthy. Before the background check begins, you as a candidate will be informed about this . | The report from the supplier is stored for 45 days. This period can be extended if the report needs to be saved pending determination of the judgment | Supplier that has the Swedish Data Protection Authority's (IMY) permission to process personal data regarding violations of the law during background checks and acts as an independent personal data controller. |
Contact potential candidates (head-hunting). For example, when Kivra finds your profile via e.g. LinkedIn or tips and contact you.
| Name, contact details (if available), current/former employer information, role, education, skills (from public sources such as LinkedIn). Any username and profile picture from social media (data from public sources, e.g. LinkedIn, networks, tips) | Our legitimate interest in identifying and contacting potential candidates for current or future positions with us | In the meantime we evaluate your profile and have an ongoing dialogue. If you show interest and want to be part of a recruitment process, your data will be processed for 180 days. | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
Manage your registration via "connect" on Kivra's career page (so that you can receive notices about vacancies) | Name, e-mail address, if information you share from external platforms, such as LinkedIn profile if you choose to connect it (data from you and public sources, such as LinkedIn) | Our legitimate interest in being able to communicate with you and to be able to evaluate your profile and match your profile to future services. You can unsubscribe at any time. | Until you choose to unregister from the connect service. If you do not interact with the service for 180 days, you will disappear from the site. | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
Evaluate and improve our recruitment process | Name, email address, your answers in the survey (data from you) | Our legitimate interest in analyzing, evaluating and improving the efficiency and quality of our recruitment process. | Raw data from surveys is saved for 180 days for analysis purposes. | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
Carry out and assess case assignments/work samples (to evaluate practical skills) | Name, results from case/work sample, possible link to external platform where work sample was performed (e.g. GitHub) | Our legitimate interest in being able to assess your practical skills and your suitability for the position applied for | 180 days after completion of process for specific service | Teamtailor AB which provides a recruitment platform in the EU/EEA in the role of Kivra's personal data assistant. |
3.4 In other interactions and legal obligations
3.4.1 When you interact with us on social media
This describes how your personal data is handled when you communicate with us or otherwise interact with our accounts on platforms such as Facebook, LinkedIn and Instagram.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Interact with Users and other visitors in social media | Information about your interaction with Kivra (From you) | Balancing of interests motivated by Kivra's legitimate interest in being able to respond to your interactions with Kivra in social media. | Direct messages are saved for 2 months after the end of interaction. Your own comments, reactions, etc. are not actively deleted by Kivra but you can delete them whenever you want. | Meta Platforms, Inc. which provides Facebook and Instagram in the role of joint data controller with Kivra, read more here. LinkedIn Corporation providing LinkedIn in the role of joint data controller with Kivra, read more here. |
3.4.2 When we handle requests from authorities
Here it is described under what circumstances and in what way we may share your personal data with Swedish authorities, for example in the event of a legal process or when we have a legal obligation to do so.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Release information to authorities when Kivra has a legal obligation to do so. | All categories of personal data that Kivra processes can be used, depending on what the authority requests. | The processing is necessary to fulfill Kivra's legal obligations. | Disclosure takes place immediately. | Swedish authority in the role of personal data controller. |
Release information to authorities in legal proceedings. | All categories of personal data that Kivra processes can be used, depending on what the authority requests. | Balance of interests motivated by Kivra's legitimate interest in being able to establish, enforce or defend Kivra's legal claims. | Disclosure takes place immediately. | Swedish authority in the role of personal data controller. |
3.4.3 To satisfy your rights under the GDPR
This describes the processing that we carry out in order to fulfill your statutory rights, such as your right to request a register extract or have your data deleted.
Purpose | Categories of personal data and the source of the data | Legal basis | How long is the personal data used for the purpose? | Who do we share personal data with? |
Meet your rights under Section 6 of this data protection information (apart from the right to register extracts - see column below) under the Data Protection Regulation | All categories of personal data that Kivra processes may be used, depending on which right you invoke. | The processing is necessary to fulfill Kivra's legal obligations according to the data protection regulation. | Up to 20 days after you terminate the Service. | |
Satisfy your right of access and provide you with information about which personal data we process about you and how it is used, in a so-called register extract
| All categories of personal data that Kivra processes as a data controller can be included in a register extract | The processing is necessary for us to be able to fulfill our legal obligations according to the data protection regulation | A copy of your register extract is saved for three (3) months in order to be able to answer any questions from you. Information about when you requested the register extract and when we responded is saved for ten (10) years. |
4. Is your personal data processed in other countries outside the EU/EEA?
As a general rule, your personal data is only processed in Sweden or within the EU/EEA. However, there are situations where Kivra has chosen to process your personal data using services and tools that store and process your personal data outside the EU/EEA, see section 3.
In that case, Kivra only transfers personal data to countries outside the EU/EEA which, according to the European Commission, have an adequate level of protection. You will find more information on which countries are considered to have an adequate level of protection EU Commission website.
If the processing takes place in the USA, Kivra ensures that the receiving party is part of the Data Privacy Framework (DPF) developed between the EU and the USA. Kivra only has US subcontractors who have chosen to join the framework and Kivra always contracts and verifies that Kivra's subcontractors include DPF in their data protection information. Furthermore, Kivra always checks that personal data processing that the subcontractor specifies in their data protection information also includes the personal data processing that we want them to carry out on Kivra's behalf. You can find the list of which companies are connected to DPF at US Department of Commerce website.
5. What rights do you have?
Under the various subheadings below, you can read about the rights you have when Kivra is the data controller for the processing of your personal data. For information on how to exercise your rights, see section 8 below.
5.1 Right to information
Every time Kivra collects personal data about you, you have the right to information about how we process your personal data. You also have the right to be informed if we plan to process your personal data for any purpose other than that for which the data was first collected.
We provide you with such information, and other information we believe is important to you, through this privacy notice. We also provide you with information about how we process your personal data by answering any questions you may ask us.
5.2 Right to access
You have the right to receive confirmation of whether Kivra is processing personal data about you, and in such cases to also have access to the personal data we process, together with certain information about the processing itself.
You get access to your personal data by giving you a copy of the personal data we process, in a so-called register extract. It is free of charge to obtain a copy of your register statement. Should you request additional copies, Kivra may charge a reasonable administrative fee. As a rule, we provide you with your register extract in the Service. The register extract can also be sent encrypted by e-mail, or to your civil registry address, if you prefer or if you do not have a Kivra account.
5.3 Right to rectification
You have the right to request that we correct incorrect information about you, and that we supplement incomplete information about you.
If you change your phone number, email address or other contact information, you can update such information yourself by logging into the Service and adjusting your account settings.
If you apply for a job or internship, you can adjust or change information you have provided to us in connection with your application in the recruitment platform that Kivra uses. You can also contact us to get help correcting incorrect information about you and if you want us to supplement incomplete information about you.
5.4 Right to have your personal data deleted
Under certain circumstances, you have the right to have the personal data Kivra processes about you deleted. This is the case, for example, if it is no longer necessary for Kivra to process the data for the purpose for which we collected them; if you withdraw your consent; if you have objected to the processing and there are no legitimate, weightier reasons for the processing; or if the processing concerns direct marketing and you object to the direct marketing. (Regarding the separate right to object, see the next subsection.)
If you want Kivra to delete all of your personal data covered by your right to have your data deleted, you must first close your account with Kivra. Kivra will then delete personal data about you in accordance with what is described under section 6.4 above.
The right to have personal data deleted is not absolute, but applies when the legal conditions for deletion are met. Examples of situations when those conditions are not met, and we will not delete your data, are if the data is necessary to process for the legal purpose for which it was collected, or if we have to retain the data according to the law.
If you have applied for a job or internship at Kivra, you can delete your data at any time in the recruitment platform that Kivra uses, you can also contact us for help in deleting your personal data.
5.5 Right to object to processing
You have the right to object at any time to processing that Kivra carries out with your personal data against the background of a so-called balancing of interests. In section 3 above, you can read about when Kivra processes your personal data with balancing of interests as a legal basis.
If you object to such processing, Kivra may no longer carry out the processing, unless we can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms; or if it is for the establishment, exercise or defense of legal claims.
You also have the right to object to us using your personal data for direct marketing. If you notify us that you no longer wish to receive direct marketing from us, we will stop sending you such marketing. We will also stop processing your personal data for that purpose.
5.6 Right to restriction of processing
You have the right to request that we limit our processing of your personal data. Your right to restrict the processing of your personal data applies if you believe that information about you is incorrect; that the processing is against the law (but you object to the deletion of the data); that we no longer need the data for the purpose for which it was processed (but you need it to establish, exercise or defend legal claims); or if you have exercised your right to object to our processing of your personal data.
If Kivra's processing of your personal data is restricted, we will (with the exception of storage) only process the data with your consent or to establish, assert or defend legal claims, to protect the rights of another natural or legal person, or for reasons related to important public interest.
5.7 Right to move your personal data to another recipient (data portability)
You have the right to receive certain personal data about you in a structured, commonly used and machine-readable format, so-called data portability. You have the right to transfer such data to another recipient, for example another service. If it is technically possible, as determined by Kivra, you also have the right to request that Kivra transfer the data directly to the other recipient.
The right to data portability only covers personal data concerning you, which you yourself have provided to Kivra, which Kivra processes automatically, and which you have agreed to provide to Kivra or which you have provided to Kivra due to an agreement. In practice, this means that you have the right to obtain your contact details and any payment details that you have provided to Kivra. Your Content is not covered by the right to data portability. If you want to download your Content, the easiest way is to log in to Kivra and click 'Download' on the respective Content you want to download.
If you have applied for a job or internship at Kivra, you can request to have data you uploaded yourself transferred to another recipient.
5.8 Right to withdraw your consent
In cases where we process your personal data based on your consent, you have the right to withdraw your consent at any time. When you withdraw your consent, we will stop the processing. Withdrawing your consent does not affect the legality of the processing that was based on your consent, before the consent was withdrawn. Under section 3 above, you can read in which cases Kivra processes your personal data based on your consent.
5.9 Right to lodge a complaint
If you want to complain about how Kivra processes your personal data, we would like you to tell us by writing to dataskydd@kivra.se.
You also have the right to submit a complaint to the Swedish Data Protection Authority, which is the supervisory authority for Kivra's personal data processing.
You can find more information about how to submit a complaint to the Swedish Privacy Protection Authority at the authority's website.
6. How can you exercise your rights?
If you want to get in touch with Kivra to exercise your rights under the data protection regulation, you can reach us at the email address: dataskydd@kivra.se.
It is also possible to call Kivra's support on non-holiday weekdays between 09-11.00 and 13.00-15.00, on telephone number 077-045 70 00. It may happen that our opening hours differ, in the event of different opening hours this is indicated via telephone answers and on Kivra's website www.kivra.se.
If you wish to exercise any of your rights, we will inform you of the measures we have taken in response to your request within one month at the latest. This period can be extended by another two months, if necessary depending on the complexity of your request or the number of other requests received. We will inform you of any such extension and the reasons for the extension within one month of receiving your request.
It is free of charge for you to exercise your rights, unless your request is manifestly unfounded or unreasonable. In the latter case, we may charge a reasonable administrative fee, or oppose your request.
If we do not take action on your request, we will, within one month of receiving it, inform you of the reason for not taking action and of the possibility of filing a complaint with the Privacy Protection Authority and requesting a legal review.
7. Updates to the data protection information
We update this data protection information when necessary - for example, because we start processing your personal data in some new way, when we want to make the information even clearer for you, or if it needs to be updated to meet requirements in accordance with data protection legislation.
If we make major changes, we will communicate this on our website, in the app or in some other way that makes you aware of changes.
8. Where do you turn with comments or questions?
You are always welcome to contact Kivra if you have questions or comments on how we handle your personal data. You can reach us by email: dataskydd@kivra.se or telephone: 077-045 70 00.
All Kivra employees receive data protection training and information, and we have a legal team to answer your data protection questions, receive comments and help you exercise your rights. Kivra also has a data protection officer (DPO) who checks that we comply with the data protection regulation. If you wish to contact the DPO directly, please write “DPO” in the subject line.