Privacy Policy

Introduction

In this privacy policy you can read about how Setly Sweden AB with org. no: 559060-9045 (hereinafter referred to as the “Company” and referred to as “we”, “our”, “us”) processes Personal Data. References to “you” and “your” refer to the Data Subject whose Personal Data we Process.

Here we have compiled information on, among other things, why Personal Data is processed and where it is stored. We also describe with whom it is shared, the rights of Data Subjects under the GDPR and other information about our Processing of Personal Data. This Privacy Policy covers all types of Personal Data, in both structured and unstructured data.

 

Definitions

The following terms used in this Privacy Policy shall have the meanings set forth below, both when expressed in the plural and singular:

The website: https://setly.com/

Customer: refers to a natural or legal person who enters into an agreement with Setly Sweden AB regarding Setly Sweden AB’s services.

Services: refers to the services provided by Setly Sweden AB at any given time.

Personal data: any information which, directly or indirectly, alone or in conjunction with other information, can be linked to an identified or identifiable natural living person, is Personal Data within the meaning of the GDPR. Common examples of Personal Data are: name, phone number, address, email address, user ID, account card number, vehicle registration number, IP address, etc.

Data Subject: the person who can be identified by the Personal Data.

Processing: processing of Personal Data may take place in different ways. Anything done with Personal Data, automated or otherwise, is a form of Processing. Processing can be a single measure or a combination of measures. Examples of common Processing of Personal Data are storage, erasure, sharing, reading, recording, copying, collection, organisation, use, adjustment, destruction, etc.

Data controller: The person who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out is considered a Controller under the GDPR. Natural persons, legal persons, public authorities, institutions or other bodies may be data controllers.

Processor: anyone who processes Personal Data on behalf of a Controller, under the Controller’s instructions, is considered a Processor under the GDPR.

Third party: third party means someone other than the Controller (and the persons authorised to Process the Personal Data), the Data Subject or the Processor (and the persons authorised to Process the Personal Data). A third party may be a legal person or a natural person, institution, authority or other body.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

SCC: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

Any other GDPR-related terms not defined here shall have the same meaning in this Privacy Policy as set out in Article 4 of the GDPR.

Who is responsible for the Processing of Personal Data?

Our Processing of your Personal Data is carried out in accordance with the GDPR (and SCC where applicable) and the basic data protection principles.

Setly Sweden AB is the controller of all Processing of Personal Data carried out by us or on our behalf, and we are responsible for the Processing thereof to the extent that we determine the means and purposes of the Processing (in accordance with the principle of accountability). For example, Setly Sweden AB acts as a data controller when the Company registers the Customer as a customer in the systems we use in the context of the business or when Setly Sweden AB handles the Customer’s data including any Personal Data in order to fulfill obligations under the customer agreement, carry out billing for the Service, etc.

In some cases, Setly Sweden AB acts as a Data Processor for the Customer, who is the Data Controller. For example, Setly Sweden AB processes Personal Data on behalf of the Customer and in accordance with the Customer’s instructions, when a Customer engages Setly Sweden AB as its accounting firm in order for Setly Sweden AB to handle the Customer’s bookkeeping/accounting/invoicing, etc. The processing of Personal Data that Setly Sweden AB performs in its capacity as Personal Data Processor is regulated in more detail in a Personal Data Processor Agreement that has been entered into with the Customer.

Categories of Personal Data We Process

In accordance with the principle of data minimisation, we only process Personal Data that is adequate, necessary and relevant to fulfil the purposes for which it was collected.

We primarily Process the following categories of Personal Data that we may obtain when you contact us, enter into a contract with us or otherwise in connection with the performance of our services:

  • Identifying information: first name, surname, social security number or equivalent.
  • Contact details: phone number, email address, address, social media user ID.
  • Other Personal Data: any other Personal Data that is provided to us, such as that which is included in a message sent to us.

 

Purposes and legal basis for our Processing of Personal Data

In accordance with the purpose limitation principle, we only process Personal Data for specific, explicit and legitimate purposes. In addition, any Processing is legally justified and lawful in accordance with the provisions of the GDPR. Below you can read more about the legal basis and purposes of the Processing of Personal Data.

  • When you visit our website:

Our website uses cookies. We may obtain information about visitors’ use of the website through, among other things, web analytics and/or traffic measurement providers through cookies. The use of non-essential cookies will only take place if you give your consent to it. You may withdraw your consent at any time (without prejudice to the lawfulness of the Processing carried out on the basis of your consent before it was withdrawn). In addition, you can manage the storage of cookies yourself via your browser settings. Legal basis for Processing: consent. You can read more about how we use cookies on the Site in our Cookie Policy: https://setly.com/policies/cookie-policy/.

  • When we receive contact via email, phone, social media or contact form:

We may contact you, and you may contact us, via email, telephone or social media and in such cases we will have access to your Personal Data as disclosed in connection with such contact. For example, we may obtain the following Personal Data: first name, last name, phone number, email address, social media user ID (if applicable) and other information you provide to us. This information is processed by us to know who we are talking to and to keep in touch with you on the matter. Legal basis for the Processing: legitimate interest.

You can also contact us by sending us a complaint via the contact form on the Website. We will then have access to the following Personal Data belonging to you: first name, last name, telephone number, e-mail address, and the information you include in the message. This data is processed by us in order to know who we are talking to and to reply to the message. Before sending the message to us, you give your active consent to our Processing of your Personal Data in accordance with this Privacy Policy, by ticking a checkbox for consent. Legal basis for Processing: consent.

  • When you enter into a contract with us:

We Process Personal Data of the Customer’s contact person and/or company signatory in order to perform the contract for our Services. The personal data that we Process relating to the Customer’s contact person and/or company signatory include: first name, last name, telephone number, e-mail address, employer. Legal basis for Processing: contract.

We Process and store our invoices and other accounting records that we are required to Process and store under applicable legislation, such as the Accounting Act (1999:1078). Accounting records and supporting documents may in some cases contain Personal Data, such as the contact details of the Customer’s contact person and/or company signatory. Such data is stored for at least seven (7) years or as long as required by law. Legal basis for Processing: legal obligation.

  • When you sign up to receive newsletters from us:

You can choose to receive newsletters from us by giving your voluntary and active consent to us processing your email address for that purpose. You can unsubscribe at any time by clicking on the link in the newsletter to unsubscribe from the newsletters or by emailing us. Legal basis for Processing: consent.

  • Other purposes of our Processing of Personal Data:

If we are obliged by law, court or authority decision to Process certain Personal Data, the Processing is carried out with legal obligation as the legal basis. In such cases, Processing will only take place to the extent necessary for us to comply with our legal obligations and we will only Process necessary Personal Data for as long as required by law (in accordance with the principle of retention minimisation).

Where a Processing of Personal Data is carried out on the basis of a Legitimate Interest, we consider that the Processing does not constitute an infringement of your right to privacy and integrity. We have reached this conclusion after balancing what the Processing in question means for your interests and right to privacy on the one hand, and our legitimate interest in the Processing in question on the other. However, we never Process sensitive Personal Data on this legal basis.

Based on our Legitimate Interest, we may Process Personal Data in order to:

  • protect our rights and property,
  • carry out direct marketing of our services,
  • ensure the technical functionality of the Website,
  • collect anonymous statistics, performance measurements, etc. relating to our services.

Storage location and storage time

We aim to store all Personal Data that we Process within the EU/EEA, in accordance with the principle of integrity and confidentiality. If Personal Data is stored in a country outside the EU/EEA, we shall ensure that such storage location ensures an adequate level of protection in accordance with the provisions of the GDPR and the SCC.

Personal data will be stored for as long as it is necessary to fulfil the purposes for which it was collected. When the Personal Data no longer need to be stored for the purposes, they are either deleted (erased) or anonymised, in accordance with the principle of minimisation of storage.

We follow internal guidelines and written procedures regarding the deletion and logging of deleted Personal Data, to ensure that the Processing of Personal Data is in compliance with the GDPR.

 

Sharing of Personal Data

Personal data that we Process will not be shared with unauthorised persons. We may disclose Personal Data to someone else, such as public authorities or data processors that we engage in order to fulfil our obligations under contract and applicable law from time to time. Below is a brief summary of the different situations in which we may share Personal Data that we Process.

Authorities: we may share Personal Data that we Process if necessary to prevent, detect, deter or investigate criminal activity and to protect our interests and property.

Other service providers: we engage various service providers as processors of Personal Data for us, in order to, among other things:

  • protect our legal interests;
  • fulfil our contractual and legal obligations;
  • detect and prevent technical, operational or safety problems; and
  • provide, improve and maintain the Website (software maintenance).

Examples of service providers that we use are: web developers, document management systems, sub-consultants for the performance of contracted Services on our behalf to the Customer, etc.

Before we share any Personal Data with such service providers, we enter into a Data Processor Agreement with them in accordance with the provisions of the GDPR (or SCC if the Data Processor is located in a country outside the EU/EEA). This is done to ensure the safe and accurate Processing of Personal Data.

 

Technical and organisational security measures

We take and implement various technical and organisational security measures with a focus on the privacy of the Data Subjects. These measures are intended to protect against intrusion, misuse, loss, destruction and other changes that may compromise privacy (in accordance with the principle of integrity and confidentiality).

Below are examples of some of the security measures we take and implement:

  • Internal procedures have been established with instructions regarding the processing of Personal Data that all staff must follow. This includes internal procedures for the deletion of Personal Data and the handling/documentation of Personal Data incidents.
  • Internal procedures, policies and instructions are reviewed regularly, at least annually and as needed.
  • A contact person for personal data matters has been appointed, who also reports directly to the company’s senior management.
  • Staff have knowledge of how the Processing of Personal Data may take place.
  • Access to databases, IT systems and parts of the IT infrastructure and network requires passwords.
  • The suppliers and subcontractors used guarantee an adequate level of technical and organisational security for the services provided and the tasks performed.
  • All employees have undertaken to respect the confidentiality of, among other things, Personal Data processed in the context of the activities and performance of the work.
  • We follow the seven basic data protection principles in all Processing of Personal Data. The principles are documented in internal procedures, to which our employees have access and which they follow in all Processing of Personal Data for which we are Data Controllers.

 

Rights of data subjects under the GDPR

If we Process your Personal Data, you have various rights under the GDPR in relation to our Processing of your Personal Data.

Under certain conditions, you have the right to:

  • obtain access to your Personal Data.
  • have inaccurate Personal Data corrected.
  • request restriction of our Processing of your Personal Data.
  • have your Personal Data deleted.
  • move your Personal Data (data portability).
  • receive information about Personal Data Incidents involving your Personal Data.
  • object to the use of Personal Data for direct marketing and profiling purposes.

We hereby inform you that some of these rights only apply in certain situations and only if it is legal and possible for us to carry out your request.

You are welcome to contact us using the contact details set out below, should you wish to exercise any of the rights set out above in relation to your Personal Data that we Process.

 

Personal data incidents encountered

According to the GDPR, a Personal Data Incident means a security incident that has caused the destruction, loss, alteration or unauthorised disclosure of Processed Personal Data. An incident can be intentional or unintentional, for example due to negligence or a crime (data breach, etc.).

Regulatory authorities are independent public authorities. Each country within the EU has designated its own supervisory authority to handle GDPR-related cases. In Sweden, the supervisory authority is the Swedish Data Protection Authority (IMY).

We comply with the provisions of the GDPR regarding the handling, notification and documentation of Personal Data Incidents. Where required by the GDPR, we will notify IMY of any Personal Data Incident that has occurred within 72 hours, and notify the Data Subjects affected by the Personal Data Incident that has occurred.

Changes

The contents of this Privacy Policy may be updated from time to time, without prior notice. This may happen, for example, if it is necessary to clarify something, due to amended or newly introduced legislation, or if our Processing of Personal Data changes.

The latest version is always published on our website which is accessible to the public. You are responsible for reviewing the contents of this Privacy Policy and for keeping yourself informed of any changes.

 

Questions or complaints

If you have any questions or concerns, or are dissatisfied with our Processing of your Personal Data, you are always welcome to contact us. Below are our company and contact details:

Company: Setly Sweden AB

Org. no.: 559060-9045

E-mail: info@setly.com

Postal address: David Bagares gata 7, 114 32 Stockholm

 

Our contact person for personal data matters:

We have appointed a Personal Data Contact Person whom you can contact if you have any questions regarding our Processing of Personal Data.

Name: Caroline Hassel

E-mail: caroline.hassel@setly.com

 

You also have the right to contact the Swedish supervisory authority to lodge a complaint.

Name: the Privacy Authority (IMY).

Telephone: 08-657 61 00.

E-mail: imy@imy.se.

Postal address: the Swedish Data Protection Authority, Box 8114, 104 20 Stockholm.