Privacy policy

Last updated 1 March 2023.

1.      Introduction

This website, app and our services are provided by Kwick Expense AB, company registration number 559408-5796, ("Kwick Expense") located at Eriksbergsgatan 7, 114 30 Stockholm, Sweden. We process personal data in our business and to provide our digital expense management service. Personal data means information that can directly or indirectly identify you. We protect your privacy with the motto: Your personal data belong to you.

This privacy policy includes information about our processing of your personal data. You are encouraged to read this information carefully. Please keep yourself updated on any changes to this privacy policy by regularly visiting our website.

The information applies to you if you use our services, are a contact person for a customer, a supplier, counterparty or one of our cooperation partners, visit our website, and otherwise have contact with us regarding our business or are directly or indirectly affected by the performance of our services. When we refer to "customer" in this policy, we mean the organisation that has contracted with us to purchase our services. By "user" we mean an individual who is or has been employed by the customer and who has a user account to use the customer's purchased services.

Kwick Expense is the controller for the processing of your personal data when you visit our website, register as a user or are otherwise in contact with us.

All data provided by you as a user of our services are processed by us as a data processor for our customer. This means that we do not decide why processing should take place, or which personal data should be processed. Our processing on behalf of a customer is carried out in accordance with a data processing agreement. For more information on such processing, please refer to the respective customer for which you are or have been a user.

Whether we process personal data as a data controller or a data processor, we assume responsibility for ensuring that personal data processed by us are used only for the intended purpose and is protected against unauthorised access. All processing of personal data is carried out in accordance with applicable data protection legislation.

If you have any questions or comments on anything stated here or any other aspect of our data protection or cookie management, please contact us at privacy@kwick.io. You can also contact us here or at the above postal address if you wish to exercise any of your rights listed in section 6.

For questions or help with our services or app, please contact our customer service, chat via app or Kwick.io or email support@kwick.io.

2.      Information that we collect and use

The personal data are collected through you, the company you work for or represent, or the person you have charged with administering your expense report on your behalf, external persons, as well as from publicly available and public sources, such as websites, various registers and databases and authorities (e.g. the Swedish Companies Registration Office). Through our services, we also collect personal data from our cooperation partners. If you visit us on social media, such as LinkedIn, we collect the personal data you provide to us via that channel.

When you use our online services, we collect your electronic identification data and other information. When you visit our website, we collect data using cookies and other technologies on your browser or device, some of which may be considered personal data. See our cookie policy [https://kwick.io/cookie-policy] to learn more about how we use cookies and similar technologies.

The personal data we collect about you when you use our services, visit our website, and otherwise have contact with us regarding our business include the following.

  • Identity and contact details, such as name and personal/corporate identity number (for sole proprietorships), postal address, email address, telephone number.

  • Usage and web traffic information, such as login ID, username and IP address.

  • Profile data, such as job title, organisation number, name and address of the company or organisation to which you belong, and, for relatives, information about the relationship with our employees.

  • Financial information, such as invoice-related information, your purchase information, transaction information and payment history.

  • Content uploaded or shared by you or someone on your behalf, such as photos or comments.

  • Other data, including aggregated and non-aggregated customer or user-generated data, such as session duration, password resets, the context and content of chat conversations, security logs, etc.

3.     Why do we process your personal data?

Below we have listed the reasons that we process personal data where appropriate. The processing of your personal data depends on your relationship with us. To learn more about the categories of personal data processed by us and the legal basis on which we process personal data, please see our detailed information on https://kwick.io/legal about our processing of personal data.

3.1.  Providing our services

In order to provide our services, we process the personal data necessary for the

  • administration of user accounts.

  • provision of support to end users.

  • compliance with the rules governing our activities.

  • performance of contract with our customer.

3.2.  Managing the relationship with customers, suppliers and cooperation partners

If you are the contact person for a customer, supplier, or cooperation partner, we process your personal data for the purpose of managing the customer or supplier relationship, or the co-operation, and when it is necessary for follow-up and evaluation. Our handling includes for example:

  • Registration of you as a contact person.

  • Communication.

  • Management and filing of contracts.

  • Administration of invoices.

3.3.  Communicating about us and our business

We use your personal data to communicate about us and our activities through various channels, for example by sending out information about maintenance work on our web portal and app or for marketing purposes. You can unsubscribe from our marketing emails at any time by clicking on the unsubscribe link in the email or by contacting us.

3.4.  Communicating internally and externally

In the context of communication, for example by e-mail, telephone or other digital means, we may process your personal data where appropriate. Communication takes place both between employees and with external persons. 

3.5.  Evaluating and developing the business

Where appropriate, we may use your personal data to compile reports and statistics at a general level and to analyse them for the purpose of monitoring and evaluating our business. We also use these reports and statistics to develop and improve our operations, business practices and strategies. When compiling these reports and statistics, personal data are anonymised. No profiling takes place in connection with this processing.

3.6.  Carrying on our business

When carrying on our business, except for the provision of services, we use your personal data to

  • Document activities, e.g. to manage and store contracts, decision-making documents, minutes and presentations.

  • Carry out recruitment processes or assess unsolicited applications, including reference contacts.

  • Answer questions and provide customer service.

  • Detect and prevent misuse of our services, for your security, the security of others and the security of the service.

  • Ensure technical functionality and security, such as security logging, fault management and backup.

  • Address and fulfil legal requirements, e.g. in the context of a dispute or litigation. For this purpose, we may share your data with other recipients, see more below.

  • To comply with legal obligations, e.g. to comply with bookkeeping or data protection legislation. For this purpose, we may share your data with other recipients, see more below.

4.     Recipients with whom we share information

When necessary, we share your personal data with different recipients. For more information on categories of data and the legal basis on which we share your personal data with recipients, please see our detailed information at https://kwick.io/legal on when we share information. Where appropriate, we share information, including personal data, with these recipients.

4.1.  Customers

In order to deliver the agreed service, personal data may be shared with our customers, for example in support cases.

4.2.  Data processors

We have used service providers in our business. These service providers provide for example IT services (e.g. storage) and communication services (e.g. support communication), in which connection personal data may be processed. When service providers process personal data on our behalf, they are data processors to us. They are not allowed to use your personal data for their own purposes and are obliged by law and data processing agreements with us to protect your data according to our instructions.

4.3.  Parties who are independent data controllers

4.3.1.      Government agencies (e.g. the Swedish Police Authority, the Swedish Tax Agency)

If we are obliged to do so by law or if we suspect a criminal offence.

4.3.2.      Own companies

We may share personal data with other companies within our group to fulfil our business purposes and to market our services in accordance with applicable legislation.

4.3.3.      Other

To comply with our legal obligations or for business development purposes, your personal data may be shared with our auditor or external advisors.

In connection with a legal dispute, we may transfer data to other parties, such as external advisors, arbitration boards or counterparties. The processing is necessary to pursue our legitimate interest in establishing, exercising and defending legal claims.

We may also share your personal data in connection with an acquisition, transfer, merger or other organisational change with potential buyers, sellers and consultants or advisors. The processing is necessary to pursue our legitimate interest in implementing the organisational change. Such disclosure will only be made to persons covered by a confidentiality agreement.

4.4.  Other recipients

During recruitment processes, we may share your personal data with external parties, such as references provided or recruiters.

5.      Transfers to third countries

When we use service providers based outside the EU/EEA, we ensure that personal data are processed in accordance with the provisions of applicable data protection legislation, such as the European Commission's adequacy decision for the country, transmission with the necessary safeguards, EU standard contractual clauses or the equivalent.

If you would like further information on the countries outside the EU/EEA area to which transfers may be made and the safeguards applied to the transfer in question, please contact us.

6.      Your rights

As a data subject, you have certain rights under current data protection legislation in relation to your personal data that we process. In this section we provide more information on these rights. You also have the right to receive this information orally, provided that your identity has been verified. More information on your rights can be found on the website of the Swedish Authority for Privacy Protection (IMY)(www.imy.se).

Please note that we will not fulfil your request if it would be against the law or if the request is manifestly unfounded, excessive or repetitive. 

We normally fulfil your rights free of charge. If your request is manifestly unfounded, excessive or repetitive, we have the right to either charge an administrative fee for handling the request or to refuse your request.

6.1.  Right of access (so-called 'data extract'), Art. 15 GDPR

You have the right to request confirmation from us as to whether we are processing your personal data. If you want more detailed information on the personal data we process about you, you can request access to the data. The information is provided in the form of a data extract, indicating the purposes, categories of personal data, categories of recipients, storage periods, information on the source of the data and the existence of automated decision-making, and, where appropriate, the safeguards applied to transfers outside the EU/EEA.

The right to a copy of the data extract must not adversely affect the rights of others, including our rights. If we deem that your right to a copy of the data extract has a negative impact on the rights of others or our rights and we therefore exclude data from the copy, you will be informed of this as well as the reason.

A request for a data extract must be submitted in writing and signed in person. The request should be sent to Eriksbergsgatan 7, 114 30 Stockholm. Please note that if we receive a request for access, we may ask for additional information to ensure an efficient handling of your request and that the information is provided to the right person.

6.2.  Right to request rectification, Art 16 GDPR

If you believe that the information we hold about you is inaccurate or misleading, you have the right to request a rectification. Within the framework of the stated purpose, you also have the right to have incomplete personal data completed. You can request a rectification by contacting us at privacy@kwick.io. If you are logged in to your user account, you can change certain data yourself.

Please note that historical data are not automatically considered incorrect, as they may have been correct at the time of registration.

6.3.  Right to erasure, Article 17 GDPR

You can request erasure of personal data (the right to be forgotten) we process about you if:

·     The data are no longer necessary for the purposes for which they were collected or processed;

·     You object to a balance of interest made by us on the basis of a legitimate interest and your reason for objecting overrides our legitimate interest;

·     You object to processing for direct marketing purposes;

·     The personal data are processed unlawfully; or

·     The personal data must be deleted to comply with a legal obligation to which we are subject.

We do not process personal data about a child (under 16 years of age) if collection has taken place in connection with an offer of information society services (e.g. social media).

If you request erasure, we will examine whether your request can be accommodated. We have the right to refuse your request if there are legal obligations that prevent us from immediately erasing certain personal data. These obligations may be laid down in, for example, bookkeeping and tax legislation, banking and anti-money laundering legislation, but can also be laid down in EU directives and regulations. Further processing may also be necessary for the establishment, exercise or defence of legal claims. Should we be prevented from fulfilling a request for erasure, we will ensure that the processing of personal data is restricted to only those purposes that prevent the requested erasure.

6.4.  Right to restriction, Art 18 GDPR

You have the right to request a restriction of our processing of your personal data in certain cases. If you contest the accuracy of the personal data processed by us, you can request a restriction of processing for the time we need to verify the accuracy of the personal data. If we no longer need the personal data for the identified purposes, but you need them for the establishment, exercise or defence of legal claims, you can request us to restrict the processing of your data. This means that you can request that we do not erase your data.

If you have objected to our balance of interests for the processing of your personal data, you can request restricted processing for the time we need to verify whether our legitimate interests override your interests in having the data erased.

If processing has been restricted in any of the above situations, we may only process the data, except for the actual storage, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person or if you have given your consent.

6.5.  Right to data portability, Art. 20 GDPR

You have the right to receive the personal data that you have provided to us relating to you in an electronic format that is commonly used. You also have the right to transfer such data to another data controller (so-called data portability). It is, however, a prerequisite for data portability that the transfer is technically feasible and can be automated. A further prerequisite for the right to data portability is that the processing is based on your consent or in order to perform a contract with you (Art. 6(1)(a) and 6(1)(b) GDPR). In our detailed information on https://kwick.io/legal you can see when we process your personal data on the basis of consent or to perform a contract with you.

6.6.  Right to object to certain types of processing and direct marketing, Art. 21 GDPR

Some of our processing activities are based on a legitimate interest. You have the right to object to these. If you make such an objection, we must be able to demonstrate a legitimate reason for the processing in question that overrides your interests, rights or freedoms. Otherwise, we may only process the data for the establishment, exercise or defence of legal claims.

You have the right to object to the processing of your personal data for direct marketing purposes. The objection also comprises the analyses of personal data (so-called profiling) carried out for direct marketing purposes. Direct marketing refers to all types of proactive marketing activities (e.g. by post, email and SMS). Marketing initiatives where you as a customer have actively chosen to use one of our services or otherwise contacted us to find out more about our services are not considered direct marketing.

We do not carry out any automated decision-making that has legal consequences or otherwise significantly affects you.

6.7.  Right to withdraw consent, Art. 7 GDPR

Where applicable, when we base our processing of your personal data on your consent, you have the right to withdraw such consent at any time. Such withdrawal may be restricted to only part of the processing.

6.8.  Right to lodge a complaint

In addition to the rights listed above, you also have the right to lodge a complaint with your relevant data protection authority. In Sweden, the Swedish Authority for Privacy Protection (IMY) is the supervisory authority. Their contact details can be found at www.imy.se. If you live or work in a country other than Sweden, you can contact the data protection authority in that country. You can find your data protection authority here: Our Members | European Data Protection Board (europa.eu)-(https://edpb.europa.eu/about-edpb/about-edpb/members_en)

7.       Updates to this information

The information in this privacy policy is subject to change. The latest version of the information is always published on our website. When logged into your user account, you will also be notified if the information is updated.