PRIVACY POLICY
Pepicon AB, reg. no 559214-7408, with address Värmdövägen 84, 131 54 Nacka, Sweden (“PEPICON”, “we”, “us” or “our”) process personal data as a personal data controller when we provide our Service (as defined in our Terms of Service) to you. This privacy policy (the “Privacy Policy”) aims to explain how PEPICON processes your personal data as a personal data controller. Our partners’, users’ and customers’ trust are of utmost importance to us, and PEPICON therefore takes responsibility for protecting your privacy. All processing of personal data is based on provisions of the General Data Protection Regulation (“GDPR") and we do everything we can to protect your personal data from unauthorized persons.
Set forth below in this Privacy Policy is a general description of how we process your personal data, and the tables in Appendix A sets out the details hereof including but not limited to the types of personal data as well as each separate processing activity conducted by us in relation to your personal data.
If you wish to receive additional information on the processing of your personal data, you are welcome to contact us. You will find our contact details in Section VI below herein.
This Privacy Policy is incorporated in, and an integral part of our Terms of Service. Terms defined in our Terms of Service applies to this Privacy Policy unless otherwise stated herein.
I. PERSONAL DATA AND HOW WE PROCESS IT
Why do we process your personal data (purpose and lawful basis)?
PEPICON processes your personal data for a variety of purposes. However, we must always have a lawful basis (i.e., a reason prescribed by law) for processing your personal data. The table in Appendix A, Section 3 therein, sets out the purpose for the processing of the relevant category of your personal data including the corresponding lawful basis thereto. We mainly process your personal data for the purpose of providing and administrating our Services, managing User relations, complying with legal obligations, for tax and accounting purposes, improving the Services, as well as for communicating with you by sending information, direct marketing or market research. PEPICON may also disclose personal data to our partners to fulfil our obligations towards you.
We process personal data when necessary to provide our Services and fulfil our obligations towards you, in accordance with the Terms of Service, applicable legislation, to send out newsletters and other communication and otherwise when there is a legitimate interest for us to process your personal data. If we process your personal data for any specific purpose which requires your consent under the GDPR, or any other data protection legislation, we will obtain your consent in advance. We process personal data in accordance with this Privacy Policy (for some processing activities, more than one lawful basis may be applicable):
a) In order to fulfil our obligations in accordance with an agreement to which you are a party or to take action at the request of you prior to conclusion of such an agreement;
b) In order to fulfil our legal obligations pursuant to applicable legislation, such as preventing fraud and similar crime in transactions;
c) For purposes relating to our legitimate interest to process your personal data; and
d) To offer services or conduct processing activities if we have your consent thereto.
If we process your personal data for any specific purpose which requires your consent under the GDPR, or any other legislation, we will obtain your consent in advance.
If we process personal data for any specific purpose upon which we have a legitimate interest, we always prior thereto and in each individual case conduct an assessment of balance of interests in order to for example evaluate whether our legitimate interest is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with GDPR. We only process personal data based on our legitimate interest if we make the assessment that our legitimate interest is not overridden by the interests and rights of the relevant data subject.
What kind of personal data do we collect and process?
Personal data refers to information which, directly or indirectly, may be associated with a living natural person. PEPICON processes such personal data as is necessary for us to offer you our Services, such as the following main categories of personal data (i) contact information (ii) identity and other regulatory information (iii) matter and billing information (iv) marketing preferences (v) user related data and browsing and device usage information, (vi) correspondence with customer services and feedback. The personal data that PEPICON processes is either provided (i) directly by you in connection with your use of our Services, (ii) automatically through your use of our Services, (iii) by the company which you represent (if applicable), and which uses our Services. We may also, if necessary subject to any of our purposes for the processing, collect personal data from private and public registers, publicly accessible sources as well as from public authorities.
You are responsible for any personal data obtained, published, or shared with us via the Platform or otherwise, including such personal data which you have obtained from a third party. You shall also be able to confirm that you have such third party’s’ consent to provide such personal data to us (if applicable).
PEPICON always strives to process as limited amount possible of your personal data based on the purpose of the processing. The table in Appendix A, Section 2 therein, sets out the details of the categories and types of personal data we process as well as how such data is obtained by us.
With whom is your personal data shared?
Personal data will always be processed confidentially and protected by appropriate security measures. Your personal data will only be disclosed to the extent that it is relevant to the purpose of the processing. PEPICON employs data processors to perform certain tasks, such as for example, operating and supporting the IT environment, archiving, and for e-mailing. We may also disclose your personal data when we have a legal obligation to do so (e.g., due to anti-money laundering legislation, tax legislation, court orders or requests from government authorities), to safeguard PEPICON’s legal interests, or to detect, prevent or alert fraud and other security or technical issues. This means that the data processors also may receive access to certain information about you as a registered person. However, these parties may not process your personal data for any other purposes other than those the personal data initially was collected. We ensure that companies that manage personal data on our behalf, uses a high level of security measures in order to protect your personal data and always ensure that agreements are entered into with each such relevant party to whom we disclose your personal data in accordance with GDPR.
Further details of the categories of external parties whom we disclose your personal data to, as well as the purpose and lawful basis in each such case are set out in Appendix B hereto. If you wish to receive any additional information on the disclosure of your personal data to such external parties, you are welcome to contact us at: info@dealstation.io.
Is your personal data processed outside the EU/EEA?
Your personal data may be processed in a country outside Sweden or the EU/EEA (“Third Country”) in case a data processor has a part of its activities located in a Third Country. If PEPICON transfer your personal data to a data processor in a Third Country, PEPICON will take appropriate legal, technical and organizational measures and safeguards and ensure that the transferred data is handled in accordance with applicable law and protected at the same level as it would have been within EU/EEA. However, even if we take such security measures as described herein, you acknowledge and agree that transfers and storing of personal data outside the EU/EEA area entail a risk that such personal data might not be protected at the same level as it would have been within EU/EEA. For the avoidance of doubt, such transfer as referred to herein will only include the type of personal data relevant for the purpose of the processing. PEPICON will not share, sell, transfer or otherwise disclose personal data beyond what is stated in the privacy policy unless we have a legal obligation to do so.
Further details of the relevant safeguards used by us to protect the transfer of your personal data are set out in Appendix C. If you wish to receive any additional information on the transfer of your personal data to a Third Country, you are welcome to contact us at: info@dealstation.io.
What security measures do we take?
Personal data will always be processed confidentially and protected by appropriate security measures. PEPICON ensures that companies that process and/or manage personal data on our behalf, uses a high level of security measures in order to protect your personal data. However, please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords you use to access our platforms safe.
If we are to process personal data in a way that is likely to result in a high risk to the rights and freedoms of natural persons, we will prior to such processing carry out an assessment according to the GDPR of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment). Such assessment will at least contain (i) a systematic description of the envisaged processing operations and the purposes of the processing, (ii) an assessment of the necessity and proportionality of the processing operations in relation to the purposes, (iii) an assessment of the risk to the rights and freedoms of the relevant data subjects, (iv) the envisaged security measures to address the risks and to ensure protection of personal data and demonstrate compliance with GDPR. We only use processes subject to a data protection impact assessment pursuant to the GDPR, that have been approved by us subject to such assessment as described herein. Such approved processes are monitored and reassessed continuously in accordance with our internal routines from time to time.
How long do we store your personal data?
Your personal data will only be retained for as long as there is a need to preserve it in order to fulfill the purposes for which the data was collected, and in accordance with current legislation and relevant guidelines to which our business is subject. PEPICON may save the data longer if it is necessary to comply with legal requirements or to monitor legal interests, for example if a legal process is in progress. This will depend on a number of factors, including for example (i) the laws and regulations that we are required to follow, (ii) whether we are in a legal or other type of dispute with each other or a third party, (iii) the type of information that we hold about you, (vi) whether we are asked by you or a regulatory authority to keep your personal data for a valid reason. If processing of your personal data is no longer necessary, it will be erased in accordance with our erasure procedure from time to time. We make the assessment in each case regarding if we are entitled to store your data, which you can find more information about in Appendix A, Section 3 therein.
Depending on the relevant purpose of the processing of your personal data, we may store the data in accordance with what is specified in the below list (a)-(c) in this Section. In the event that we are processing your personal data based on the legal obligations described below herein, we cannot delete the personal data even if you were to request such action. Should we no longer be required to save your personal data due to a legal obligation, we will make an assessment whether we are in need of the data in order to safeguard our interest in any legal or other type of dispute.
a) Personal data processed as a result of an agreement between you and PEPICON are stored during the term of the agreement and a maximum of ten (10) years thereafter due to statute of limitation.
b) Personal data we store as a result of applicable legislation such as anti-money laundering and accounting legislation are normally stored for five (5) respective seven (7) years.
c) Should we no longer have a legal obligation for the processing of the personal data, the data is stored as long as necessary in order to fulfil each applicable purpose of the processing (normally we erase or anonymize the personal data three (3) months thereafter), more information hereto is set out in Appendix A, Section 3 therein.
By terminating your paid subscription of the Service with PEPICON, your will stay on our free subscription of our Service, meaning that we will continue to process and preserve your name and email address (and such other information and personal data that PEPICON is required by law to preserve) until such free subscription also is terminated by you. Furthermore, following termination of your subscription of our Service, we will continue to provide you with our electronic newsletters and email campaigns, provided that you have not previously unsubscribed from such electronic marketing materials and communication from us. Note that you may unsubscribe from our newsletters or similar communication at any time, by using your right to object in accordance with Section II (e) below herein. In such event we will no longer store or process your personal data for that particular purpose, and we will cease to provide you with such marketing materials and communication.
Personal data is thinned/pseudonymized/de-personalized when the data is no longer to be retained in accordance with current legislation.
If we are subject to liquidation or bankruptcy or if our customer database is transferred to a third party conducting similar activities as us, we shall thereafter erase your personal data, provided however that we are not required to store the information according to applicable legislation and relevant guidelines. If Pepicon is subject to a merger, acquisition, reorganisation, or similar process, we will continue the processing of your personal data pursuant to this Privacy Policy unless otherwise is specifically announced to you in connection with such process.
How do we use automated decision making and profiling?
PEPICON (or an appointed third-party provider that acts on our behalf as a data processor to us) conducts profiling of you when using our own Services. “Profiling” means that we may automize the processing of your personal data in order to determine certain characteristics, such as for example to analyse or predict your personal preferences, like interest in a specific offering. At the same time, we compare your data with our other users of our Services, which have similar user activities of our Services as you. The purpose of PEPICON’s profiling and the personal data of each such processing are further described in Appendix A, Section 3 therein. Profiling subject to these purposes does not have a significant effect on you.
We use profiling in order to (i) provide our adapted Services to you, which adjusts its content based on what we assume is more interesting to you (this concerns the Platform, the different functions in it, and [add applicable example]), and (ii) provide an adapted marketing to you via our Platform as well as via external platforms.
PEPION does not use such automatized individual decision making which could entail legal effects concerning you or would have similar significant effect on you.
If you have any questions regarding our automated individual decision-making process, you may contact us at: info@dealstation.io. You can always object to our profiling for marketing purposes by contacting us and we will thereafter cease such profiling for marketing purposes. You can also end our profiling for our Services by terminating the Services.
II. YOUR RIGHTS
PEPICON is the controller for the processing of your personal data in accordance with this Privacy Policy, and as a data subject, you have certain rights as regards your personal data. The rights are however not absolute, meaning that there are exceptions to some of the rights where we cannot proceed and fulfil your request.
As a data subject, you have the following rights:
a) Right to withdraw your consent – meaning that you have the right to withdraw your consent where PEPICON process your personal data based on consent by submitting a request in accordance with what is stated below in this Section II. In such event, we will no longer store or process your personal data for the relevant purpose;
b) Right to access – meaning that you have the right to request a confirmation of our processing of your personal data, to receive information about the processing, access to the personal data in question, and the right to obtain a copy of your personal data. You will find more information about the right to access at the webpage of Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) (“IMY”);;
c) Right to rectification – meaning that you have the right to have any incorrect personal data about you as a data subject corrected by PEPICON. You will find more information about the right to rectification at IMY’s webpage;
d) Right to erasure – meaning that you have the right have your personal data erased under certain circumstances (such as if there no longer is a legitimate purpose for our processing of your personal data). This right is limited, and we may be obligated to save your personal data in accordance with applicable law. You will find more information about the right to erasure at IMY’s webpage;
e) Right to object – meaning that you have the right to object to PEPICON’s processing of your personal data in certain specific cases (for example you may object to processing of your personal data if we base such processing on our legitimate interest and you have the right at any time to object to PEPICON’s processing of your personal data for direct marketing purposes etc.). You will find more information about the right to object at IMY’s webpage;
f) Right to restricted processing – meaning that you have the right to have PEPICON restrict the processing of your personal data, but not delete it, if you find that the processing is in conflict with applicable law or that we no longer are in need of your personal data for a specific purpose. You will find more information about the right to restricted processing at IMY’s webpage; and
g) Right to data portability – meaning that you may request that PEPICON provides you with a copy of your personal data we process, to fulfil an agreement with you or based on your consent, in order to (if it is technically feasible) transfer your personal data to another data controller. You will find more information about the right to data portability at IMY’s webpage.
If you believe that the processing of your personal data is contrary to the GDPR, and applicable data protection legislation, then you have the right to file a complaint with IMY. You will find more information about your right to lodge a complaint at IMY’s webpage.
You may unsubscribe from our newsletters or similar communication at any time, by using your right to object in accordance with Section e) above. In such event we will no longer store or process your personal data for such purposes, and we will cease to provide you with such marketing materials.
Any requests by you as a data subject to us under this Privacy Policy shall be sent to us at: info@dealstation.io. Requests will be handled as soon as possible, but no later than within one (1) month from the date which PEPICON received the request.
III. LINKS TO THIRD PARTY SITES
Our Services may contain links to third party sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by PEPICON and, therefore, we strongly advise you to review the privacy policy of these websites. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
IV. COOKIES
PEPICON and our partners may use cookies and similar technologies on the Platform for the purpose of providing and updating its Service and to improve the user experience. For information on how PEPICON uses cookies and similar technologies, we refer to our Cookie Policy. The latest version of the Cookie Policy will always be available on the Platform and we advise you to review the Cookie Policy periodically for any changes.
V. CONTACT DETAILS
If you have any questions about the content in this Privacy Policy or wish to adjust or change your personal information or exercise any of the rights as set out above, please contact us:
Pepicon AB
Linnégatan 26,
114 47
Stockholm, Sweden
Email: info@dealstation.io
VI. PRIVACY POLICY CHANGES
This Privacy Policy may be amended by us from time to time. You will be notified of any Privacy Policy changes via e-mail and/or on our Privacy Policy page on PEPICON Platform, where the latest version of our Privacy Policy always will be available. Should any change affect the processing of personal data, which is based on your consent, PEPICON shall collect a new consent from you regarding such processing We advise you to review the PEPICON Platform periodically for any changes.
Our Privacy Policy was lastly edited on 10th May 2023.
Please download the complete Privacy Policy including all relevant Appendices here.