This privacy notice describes how Tink AB (“Tink”, “we”, “our”, “us”) processes your personal data in connection with Tink’s provision of account information services, payment initiation services and other related services (jointly “Tink Services”).
Tink Services are provided to you via any of our collaboration partners (“Partners”) in connection with the respective Partner providing its own services (“Partner Services”) to you.
Information below describes how Tink processes your personal data. Each Partner processes your personal data as a data controller and is responsible for the Partner’s own data processing. For more information on how a Partner processes your personal data, please consult the Partner in question directly.
Tink is the data controller
Tink is the data controller in relation to the processing of your personal data when providing the Tink Services to you.
You can contact us as follows:
111 20 Stockholm, Sweden
How do we collect your data?
Our initial collection of your personal data is done through a Partner Service where we obtain the information required for us to provide the respective Tink Service to you. The data refers to basic identity information (such as name and social security number). If the Tink Service we shall provide to you is a payment initiation service, we may also through the Partner Service get access to some of the data needed to be able to provide the payment initiation service (for example the payee’s account number and the amount).
We also collect some information directly from you. This includes information from you that is needed for communication with the respective bank or other service provider, and also certain identity and address information that we might need for the performance of the respective Tink Service. We may also collect other information directly from you that is required for us to fulfil our legal obligations (for example anti-money laundering rules).
From your bank
The provision of the Tink Services requires us to collect information from your bank regarding bank accounts, account transactions and other financial information. Please note that we do not collect this type of information without your explicit consent.
From providers of identification solutions etc.
Finally, we may collect and verify basic identity information from suppliers of digital signature solutions (for example BankID) or similar. We may also collect information necessary for us to fulfil our legal obligations (such as anti-money laundering rules) from external parties.
Which data does Tink process about you and why?
When providing Tink Services, Tink processes your personal data to fulfil our obligations stipulated in the agreement we have entered into with you for the provision of Tink Services, to be able to give you the service that you expect and, where applicable, to fulfil our legal obligations or to protect our legal interests and develop Tink Services on the basis of our legitimate interest. We do not store your personal data longer than is necessary to fulfil the purpose of the processing.
The personal data that we process varies depending on which Tink Service we provide to you. Below you will find a summary description of what data we process within the respective Tink Service.
Account information service
When we provide you with an account information service, both as a one-off request and when provided under a framework agreement between you and Tink, we process data about you such as: name, contact information, social security number, account information such as account number and account history, information about credits, information about purchases (amount, time, type of transaction and in some cases type of goods and/or place of purchase), other financial information derived from your accounts, data about your geographic location and IP address. We also process data needed for communication with the respective bank.
Payment initiation service
When you use our payment initiation service, we process data about you such as: name, contact information, social security number, account information such as account number, information about your invoices to be paid or similar, information about the payee of the transaction you intend to initiate with our payment initiation service, data about your geographical location and IP address. We also process data needed for communication with the respective bank.
Obligations pursuant to anti-money laundering rules etc.
Some of the aforementioned data is also processed for the purpose of fulfilling our legal obligations, for example to comply with anti-money laundering rules. To comply with such obligations we may process data to determine if you should be deemed as a Politically Exposed Person (so called PEP) and also data needed to perform screening against sanction lists.
How we process your data and the legal basis for processing
Tink processes your personal data to provide Tink Services to you, which is done with the agreement between you and us as a legal basis. This concerns all data we process about you with the exception of the data we process to fulfil our obligations under applicable anti-money laundering rules.
We also process your data to develop and customize the Tink Services and their functionalities. The data may also form the basis for product and customer analysis, statistics and business and method development. Furthermore, data may be processed for the purpose of ensuring that we have performed the Tink Services correctly. Processing of these categories of data is done with our legitimate interest as a legal basis.
Finally, your data may also be processed in the context of our obligations to comply with applicable anti-money laundering rules or for preventing fraud and to enhance security. These obligations are the legal basis for this processing.
For how long do we store your data?
The data we collect for the provision of Tink Services is kept as long as is needed for the purposes for which the data was collected. The data is thereafter deleted or anonymized. Many types of data are in general deleted within one year from when we have fulfilled our obligations in relation to the respective Tink Service, however some data may be kept longer than that, for example the data that is required for a legal process or data that we under applicable anti-money laundering rules must retain for 5 years.
Identity data is retained up to one year after the agreement regulating the provision of Tink Services has been terminated. In cases where, due to other circumstances, we need to store the data longer than that, for example the data that is required for a legal process or data that we under applicable anti-money laundering rules must retain for 5 years, the identity data can be stored for a corresponding period of time.
After we have provided an account information service to you, the retrieved data is made accessible to the designated Partner. After we have made the data accessible to the Partner, the data is used by us to verify that we performed the service correctly and to conduct analysis. We retain the data up to one year after the date the service was performed. Please note that data may also be deleted after a shorter period.
Payment initiation service
When we provide a payment initiation service to you, we perform the service, and thereafter the data is made accessible to the designated Partner. After we have made the data accessible to the Partner, the data is used by us to verify that we performed the service correctly, to fulfil our legal obligations pursuant to applicable anti-money laundering rules and also to conduct analysis. For these purposes we retain the information up to five years after the date the service was performed.
Legal disputes etc.
In some cases, for example if the data is relevant in a legal dispute, we may have a need for retaining the data for longer than one year to be able to defend or assert our legal interests.
With whom do we share your data?
Your personal data is primarily shared with the Partner or Partners whose Partner Service(s) you utilize and whom you have instructed us to make the data accessible to. The data is made accessible when we provide the service to you and in connection with your request regarding the provision of the service. The data we disclose to Partners only refers to such data that is necessary to provide the Tink Service you have requested.
Your data may also be shared with your bank when you request that we provide a Tink Service. The login details you have shared with us are only disclosed to your bank and only when the respective Service is performed.
Finally, your data may be disclosed to law enforcement authorities within the scope of our obligations under applicable anti-money laundering rules.
We also use software and data storage providers that may process your data. However, these providers are only allowed to process data on our behalf and in accordance with our instructions, and the data may not be disclosed to anyone other than Tink.
Where do we process your data?
We always strive to process your personal data within the EU/EEA. However, in some situations, such as when we share your data with, for example, an IT provider with operations outside the EU/EEA, your personal data may be processed outside the EU/EEA. If and when your data is processed outside the EU/EEA, we ensure that there is an adequate level of protection and that appropriate safeguards are taken (for example, by using the EU Commission’s standard contractual clauses).
Your rights as a data subject
As a data subject, you have certain rights in relation to the processing of your personal data. If you would like to exercise any of them, please contact us at email@example.com.
Right of access: You have the right to access information about what personal data we process about you, including the purpose of and legal basis for the processing.
Right to rectification: If you believe that we are processing inaccurate personal data about you, you can ask us to correct it.
Right to restrict processing: You can request that we restrict the processing of your personal data. As an example, this can be relevant if we have incorrect data about you and you do not want the processing to continue until we have corrected the data.
Right to erasure / right to be forgotten: You can request that we delete your personal data. Although we will comply with such a request to the extent required by applicable law, please note that we, despite your request, may continue to process certain data (such as data that we need to retain in order to protect our legal interests or that we are required to retain pursuant to legal obligations).
Right to object: In connection with the processing of personal data based on our legitimate interest, you have the right to object to the processing of your personal data. If your privacy interests outweigh our interests in processing certain data, we will stop processing such data.
Right to data portability: You may have the right to access personal data that you have provided to us, where we will provide your data in a structured, generally accepted and machine-readable format, and you may also have a right to transfer the personal data to another data controller.
If you are displeased with us
If you are dissatisfied with how we process your personal data, please contact our data protection officer at firstname.lastname@example.org.
You may also contact the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, www.imy.se, email@example.com).