Privacy Policy

Data Controller

BlockSettle AB, Idunavägen 2, 216 19 Malmö, Sverige, is the data controller for the processing of personal data.

Contact: [email protected]

What Personal Data We Process

BlockSettle AB processes personal data that is necessary to provide our services:

• • Identity data (name, personal identity number, company registration number, date of birth)
• • Contact data (email address, postal address)
• • Business information (company name, role, ownership structure)
• • Account and financial information provided via account information services (AIS), with your express consent
• • Data relating to payments initiated via our services
• • Technical data (IP address, device information, log data)

We only process data that is relevant and necessary for the purposes below.

Purposes of Processing

We process personal data for the following purposes:

• • Providing payment initiation services (PISP)
• • Providing account information services (AIS)
• • Fulfilling legal obligations, including AML requirements
• • Conducting customer due diligence (KYC)
• • Managing customer relationships and support matters
• • Preventing, detecting and investigating fraud and misuse of the service
• • Maintaining secure operation and protection of our systems

Legal Basis for Processing

Processing of personal data is carried out on the following legal bases:

• • Contract (Article 6.1(b) GDPR) — to provide our services
• • Legal obligation (Article 6.1(c) GDPR) — to comply with legal requirements, such as AML regulations
• • Legitimate interest (Article 6.1(f) GDPR) — to ensure operations, security and fraud prevention
• • Consent (Article 6.1(a) GDPR) — for processing of account information via AIS

You may withdraw your consent at any time, which does not affect the lawfulness of processing carried out before withdrawal.

Retention of Personal Data

Personal data is not retained longer than necessary:

• • AML-related data: 5 years from end of business relationship (as required by law)
• • Contract data: duration of contract plus up to 3 years
• • Technical logs: as long as required for security and operational purposes

Sharing of Personal Data

Personal data may be shared with:

• • Banks and account-holding institutions (for the execution of payment initiation)
• • Payment service providers and technical integration partners
• • IT and operational providers
• • Authorities where required by law

All recipients are bound by contract or law to process data securely and confidentially.

International Transfers

Personal data is not as a rule transferred outside the EEA.

Where a transfer occurs, appropriate safeguards are ensured, such as the European Commission's standard contractual clauses.

Your Rights

You have the following rights under GDPR:

• • Right of access to your personal data
• • Right to rectification of inaccurate data
• • Right to erasure ("the right to be forgotten")
• • Right to restriction of processing
• • Right to object to processing
• • Right to data portability

To exercise your rights, contact: [email protected]

Complaints to the supervisory authority

You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you consider that your personal data is being processed in breach of applicable law.

Automated decision-making

BlockSettle AB does not use automated decision-making that produces legal effects or similarly significantly affects you.