Last updated: 2 July 2020
At Bambora, we take pride in security and data privacy. When you visit Bambora’s web sites, you can therefore normally come and go as you would like without us being able to identify you. However, if you submit your personal data (for example your name, e-mail address or phone number) we will be able to identify you and process your personal data. Such processing is governed by certain legislation, which within the European Union mainly is the General Data Protection Regulation (the “GDPR”). Bambora naturally complies with the GDPR and any other data protection legislation that applies to Bambora. We are also keen on being transparent regarding how we process your personal data and have for these purposes drafted this document, in which you will find information on what kind of personal data we process, why we do it, what we use it for and how we may share it.
The data processing carried out on this web site is conducted by Bambora AB, reg. no. 556233-9423, as data controller. However, for other data processing activities, other Bambora entities may be the data controller, separately or jointly with Bambora AB. For specific information regarding the data controller for the processing of your personal data, please see the separate privacy notice that you received when your personal data was collected or contact us (please see contact details below).
When we collect data and what data we collect
We collect personal data when you (i) sign up for our newsletter or ask to be contacted, (ii) request support and (iii) are browsing our website. Such personal data will in general include your name, e-mail address, telephone, delivery address, payment details, company, IP address, behavior on the website and other information that you voluntarily provide us. As a payment institution with a license to provide payment services under the supervision of the Swedish Financial Supervisory Authority (Sw. Finansinspektionen), Bambora will also collect your credit/debit card information when you make a purchase at a Bambora merchant.
Why we process data, our legal basis for the processing and for how long we process the data
When processing personal data, a specific purpose and an applicable legal basis is always required. Also, the personal data may only be used for a limited period of time. Bambora will only use your personal data for the purposes set out below. We will not use your personal data for any purpose that is incompatible with the below purposes. Further, we will only use your personal data during the period as set out below. Please note that the storage periods below may not apply if Bambora is required to retain your personal data (partly or in full) under applicable mandatory law (e.g. accounting laws).
1. Processing payment transactions
If you have made a purchase online or in a store, Bambora might have received your credit card information from the seller and thus act as data controller. This is the case where Bambora acts as the seller’s acquirer, i.e. processes the seller’s payments, and transfers the money between the correct bank accounts. In such case, we will use this personal data to carry out the transaction. This includes (i) sharing necessary data with card schemes); ii, assisting in disputes/chargebacks, iii) fraud preventing; iiii) and fulfilment of legal obligations on bookkeeping and iiiii) anti-money laundry transaction monitoring. Bambora holds a permit for such processing from the Swedish Data Protection Authority (Sw: Datainspektionen).
1.1. Data that Bambora collects
Bambora collects personal data of card holders in its role as acquirer when processing a payment transaction. Such personal data includes:
- Card Information (i.e. card number, expiry month, expiry year, scheme/issuer) and
- Transaction Information (i.e. usage, currency, issuer country, merchant id, transaction date, transaction amount).
1.2. Collection of the data
Personal data related to card holders is collected through the execution of payment transactions via Bambora products and services provided to a merchant.
1.3. Legal basis
The processing is necessary for our legitimate interests to be able to carry out the payment transaction that you have requested when making the purchase at the merchant.
1.4. Storage period
We store card payment authorization data for 24 months and payment transaction data for seven years in order to comply with the Swedish Bookkeeping Act (1999:1078) (Sw. Bokföringslagen).
1.5. Who we share personal data with
Bambora will share personal data with affiliates, financial institutions, payment schemes, fraud prevention entities and other entities that process payment transactions such as the acquiring processor, the cardholder’s issuing bank and the card’s scheme with the sole purpose of processing payment transactions.
Bambora will also share transaction information with the merchant and its service providers when necessary to provide information on the transaction (e.g. response code of the authorization, information to be able to complete refund), detecting and preventing fraud and proving compliance with contractual obligations.
2. Processing merchant information
Bambora processes personal data which is necessary for the performance of the contract with the merchant or in order to enter into an agreement with the merchant.
2.1. Data that Bambora collects
Bambora collects personal data of the merchant and its staff members. Such personal data may either relate
2.1.1. Boarding and KYC
to the merchant’s majority shareholders, beneficial owners, and board members for ongoing due diligence and when the merchant is boarded by Bambora. The personal data is collected by Bambora to complete KYC requirements for anti-money laundry, fraud and credit assessment purposes. Bambora holds a permit for such processing from the Swedish Data Protection Authority (Sw: Datainspektionen). Such personal data includes:
- Identification Data (i.e. name, surname, personal id number)
- Contact Information (i.e. e-mail address)
- Business Information (i.e. job title, company name)
- Banking and Financial Information (i.e. bank account details, information relating to the creditworthiness of the merchant and information about Politically Exposed Person).
2.1.2. Operational mailings and customer care
to the merchant representatives for customer care purposes and sharing operational mailings with you. Such personal data includes:
- Identification Data (i.e. name, surname)
- Contact Information (i.e. e-mail address, telephone number)
- Business Information (i.e. job title, company name)
2.2. Collection of the data
Personal data is mainly collected directly from the data subject during the boarding and through the various ways Bambora interacts with the merchant and/or the members of its staff: e.g. by entering into an agreement with Bambora, during interactions via physical or electronic communication (such as telephone, email or website forms), through participation in an offer or promotion.
Bambora may also collect data from third parties: e.g. when Bambora jointly offers a service with business partners or where permitted by law; or from public sources: e.g. public records and registers.
2.3. Legal basis
Bambora will mainly process personal data in order to fulfil legal obligations. Certain processing activities are however based on requirements within the payment transaction industry without being obligations originating from law, while certain processing activities are necessary in order for us to fulfil our obligations towards your company. In such case, Bambora processes the Data based on its legitimate interest to be able to conduct its business and provide you with the payment services.
2.4. Storage period
Bambora will process the personal data for as long as you or your company remains a Bambora merchant unless laws or regulations to which Bambora is subject obligate or entitles Bambora to continue the processing.
See specific boarding information, which is available here.
When you make purchases on our web site (such as of receipt rolls or terminal batteries), we will process your personal data to fulfil our contractual obligations towards you. Our purchase form specifies what information you must provide to us, in order for us to complete your purchase.
3.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. purchase agreement).
3.2. Storage period
We will process your personal data during the term of our contract (including a 24 months warranty period) and will thereafter erase your personal data with the exception for certain accounting data which will be stored for seven years in accordance with the Swedish Bookkeeping Act (1999:1078) (Sw. Bokföringslagen).
4. Contacting you
If you are interested in Bambora’s products and services and ask to be contacted by us, we will process your personal data in order to be able to get in touch with you.
4.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. your request to be contacted).
4.2. Storage period
After having contacted us, we will stay in touch with you up to one year.
If you sign up for our newsletter, we will process your e-mail address for the purposes of sending you the newsletters. You may at any time unsubscribe by using the link provided in each newsletter.
5.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. your request to receive the newsletter).
5.2. Storage period
If you unsubscribe from our newsletter we will no longer process your personal data for this purpose.
When you contact us by phone, we will process the personal data you provide us with to be able to assist you with the relevant matter.
6.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. fulfilling any request made by you).
6.2. Storage period
If you are not a customer of Bambora, we will not process your personal data after the call unless we have a legitimate interest to do so. If you are a customer of Bambora, we will keep information regarding your support matter up to three years in order to improve our services and follow-up customer complaints.
7. Job applications
If you apply for a job at Bambora, we will process the data you provide us with and possibly data from publicly available sources. Our personal data processing for recruitment purposes is more closely specified on our career site.
7.1. Legal basis
See specific job application information.
7.2. Storage period
See specific candidate privacy notice which you will receive when you apply for an open position.
8. SMS surveys
If you or your company have recently boarded as a Bambora merchant or if you have been in contact with us by telephone, we may send you a simple survey by text message to the phone number you have submitted. We appreciate all feedback we receive, but it is completely optional for you to answer the survey. The only personal data that will be processed is your phone number.
8.1. Legal basis
The processing is necessary for our legitimate interests to improve our customers experience.
8.2. Storage period
We will anonymize all answers immediately, after which the answers will no longer be considered personal data.
9. Phone calls to our sales or support department
If you call Bambora’s sales or support department, we might record the phone call. Bambora does not record phone calls in order to document agreements, only for internal educational purposes. We record around 10 % of the calls to our sales and support department. When you call us, you will receive information about that the call may be recorded and you may always object to us recording the phone call.
9.1. Legal basis
The processing is necessary for our legitimate interests to improve and educate the personnel answering the phone calls with the aim to provide you with a better experience next time you call us.
9.2. Storage period
Recorded calls will be retained for 90 days.
10. Identifying potential customers
10.1. Legal basis
10.2. Storage period
11. Direct marketing
When you sign up for our newsletter, ask to be contacted by us or in any other way have been in touch with Bambora (e.g. at an event) or if we find your company interesting, we may send direct marketing to you by e-mail. In each direct marketing e-mail, you will find a link to this privacy notice and a possibility to opt-out from further direct marketing. We may also contact you by calling you, which you of course also may opt-out from.
11.1. Legal basis
The processing is necessary for our legitimate interests to maintain good customer relations.
11.2. Storage period
We will process your personal data for marketing purposes as long as you are an active customer or a potential customer that we have been in contact with during the last three years. You always have the right to opt-out from our marketing. In that case, we will no longer process your personal data for marketing purposes.
Who we share your personal data with
Applies to section 2-11: Only the people who need to process personal data for the purposes mentioned above have access to your personal data. We may need to share your personal data with our group companies to be able to conduct our service, defense against legal claims or conduct internal reporting and business analysis. We further may need to allow our suppliers access to your personal data when they perform services on our behalf, mainly to provide support and maintenance of IT systems and storage services.
Bambora will share personal data with affiliates and business partners with which we combine our offered services for the purposes or ensuring quality and/or the commercial interests of the parties (e.g. calculation of compensation of parties).
Bambora will disclose personal data to public authorities and government agencies (i) if it is required to do so by law or legal process, (ii), (iii) in connection with an investigation of suspected or actual fraudulent or illegal activity, or (iiii) when it is required for Bambora to defend itself against legal claims.
Transfer of data outside the EU/EEA is made in accordance with data protection laws. Our international transfers of personal data are based on the EU Commission’s standard contractual clauses unless the company resides in a country considered by the EU Commission to ensure an adequate level of protection. In addition, transfers to the U.S. may be based on the EU-U.S. Privacy Shield if the recipient is certified thereunder.
Bambora will not sell or otherwise disclose personal information it collects about you.
Rights under the GDPR
In case you have any questions regarding Bambora’s processing of your personal data, please use the contact details at the bottom of this document or contact Bambora’s Data Protection Officer at Dpo@bambora.com. You may also use these contact details if you would like to exercise any of your rights as a data subject under the GDPR. Please note that the rights under the GDPR are not unconditional. Therefore, an attempt to invoke any of the rights might not lead to an action. Your rights under the GDPR include the following:
- Right to access – According to article 15 of the GDPR, you are entitled to access your personal data and receive certain information about the processing. That information is provided in this document.
- Right to rectification – According to article 16 of the GDPR, you are entitled to obtain rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
- Right to erasure – Under certain circumstances, you are according to article 17 of the GDPR entitled to have the personal data erased. This is the so-called “right to be forgotten”.
- Right to restriction of processing – Under certain circumstances, you are according to article 18 of the GDPR entitled to restrict the processing of the personal data that Bambora carries out.
- Right to data portability – You are according to article 20 of the GDPR entitled to receive the personal data (or have the Data directly transmitted to another data controller) in a structured, commonly used and machine-readable format from Bambora.
- Right to object – According to article 21 of the GDPR, you are entitled to object to certain processing activities conducted by Bambora on the personal data, such as all Bambora’s processing of the personal data based on Bambora’s legitimate interest.
Finally, you also have the right to lodge a complaint with the data protection supervisory authority, which in Sweden (the seat of Bambora) is Datainspektionen. You can contact Datainspektionen by sending an e-mail to firstname.lastname@example.org or by calling +468-657 61 00.
We employ appropriate technical and organizational security measures to help protect your personal data against loss and to guard against access by unauthorized persons. Appropriate security measures we have taken include implementing secure private connections, traceability, incident recovery and access limitations. We regularly review our security policies and procedures to ensure our systems are secure and protected.
General contact details
Please use the following details if you would like to contact us.
Att: Data Protection Officer
104 62 Stockholm