Privacy Policy

Privacy Policy - Flow & Partners Finance (0TO9 AB)

  1. Introduction

Flow & Partners Finance is a brand within 0TO9 AB (556976-4110), founded in 2016 with offices in Stockholm. Operations are conducted through 0TO9 AB, which is a credit market company licensed to conduct financing activities pursuant to the Act (2004:297) on Banking and Financing Operations. In order to enter into agreements with you as a customer, potential partners and suppliers, and to thereafter administer the agreement, we will need to process personal data. We also process data to fulfil the requirements imposed on us as a credit market company.

We process personal data for the purposes and on the legal grounds set out below. Unless otherwise specifically stated, Flow & Partners Finance (0TO9 AB), reg. no. 556976-4110, is the data controller for the processing of your personal data.

All processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), as well as other applicable data protection legislation and practice in force from time to time.

  1. Data Controller

Flow & Partners Finance (0TO9 AB) is the data controller for the processing of personal data described in this policy, unless otherwise stated in the individual context.

In certain situations, other parties may also act as independent data controllers for their respective processing of personal data. Such parties may include:

  • credit providers within or outside the group or collaborative context in which the credit intermediation takes place,
  • other companies or functions involved in the business's credit assessment, control, administration or follow-up,
  • banks, credit reference agencies, AML/KYC providers and security agents.

When third parties are engaged to process personal data on behalf of Flow & Partners Finance (0TO9 AB), this is done in the capacity of data processor. In such cases, data processing agreements are established in accordance with applicable data protection rules.

  1. Who Does This Policy Cover?

This policy covers the processing of personal data relating to natural persons who appear in or in connection with the business relationships and financing processes conducted by Flow & Partners Finance (0TO9 AB) within the framework of its credit intermediation activities. The policy applies in particular to the following categories of data subjects:

  • representatives of existing or potential corporate customers,
  • beneficial owners,
  • board members, authorised signatories and other authorised representatives,
  • contact persons at customers, counterparties, suppliers and partners,
  • guarantors, pledgors, security providers and other persons connected to the security structure,
  • representatives of debtors or other counterparties in factoring, invoice receivable or security arrangements,
  • suppliers, consultants and partners and their contact persons,
  • persons who communicate with us via email, telephone, meetings, forms or other channels,
  • website visitors and users of our digital services.
  1. Fundamental Principles for the Processing of Personal Data

Flow & Partners Finance (0TO9 AB) processes personal data in accordance with the fundamental principles of the GDPR. Data is processed lawfully, fairly and in a transparent manner in relation to the data subject. Personal data is collected for specified, explicit and legitimate purposes, limited to what is adequate, relevant and necessary in relation to those purposes, kept accurate and up to date to the extent required, not stored for longer than necessary, and protected through appropriate technical and organisational measures.

  1. Categories of Personal Data Processed

The categories of personal data processed depend on the data subject's relationship with Flow & Partners Finance (0TO9 AB) and the company they represent, as well as the context in which contact is established.

5.1 Identity and Contact Details

  • name,
  • personal identity number or coordination number where necessary,
  • title or role,
  • address,
  • telephone number,
  • email address,
  • information regarding authorisation, signatory rights or other representation.

5.2 Corporate and Organisational Data

  • connection to a company or group,
  • information regarding board positions, signatory rights, beneficial ownership or other control functions,
  • information from the Swedish Companies Registration Office, the register of beneficial owners or other public registers,
  • information about ownership structure, management and operations.

5.3 KYC and AML-Related Data

  • identity verification,
  • information about beneficial owners,
  • information regarding politically exposed persons (PEP),
  • information relating to sanctions lists and other control lists,
  • data required for risk classification, business understanding, purpose of the business relationship and ongoing monitoring,
  • transaction-related information to the extent required for AML purposes.

5.4 Credit and Financing-Related Data

  • information about credit applications and financing needs,
  • information about the company's finances, cash flows, invoices, trade receivables, inventory, floating charges, other collateral, payment history and commitments,
  • information in credit memoranda, internal risk assessments and follow-up,
  • information about guarantee commitments, pledges and other security arrangements,
  • information about communication, case handling and decision-making documentation.

5.5 Communication Data

  • emails, letters and other written correspondence,
  • notes from meetings and telephone calls,
  • any recordings where specifically justified and permitted,
  • information provided in forms, surveys or support matters.

5.6 Technical Data and Website Data

  • IP address,
  • device information,
  • log information,
  • cookie identifiers and similar technical identifiers,
  • information about how our digital services are used.

5.7 Data Relating to Criminal Offences and Special Category Data

The processing of data relating to criminal offences and other special category data is limited as far as possible. Such processing may however occur where necessary to fulfil legal obligations, to prevent or investigate fraud, or to establish, assert or defend legal claims, and only to the extent permitted under applicable law.

  1. Sources of Personal Data

We may collect personal data from the following sources:

  • directly from you or from the company you represent,
  • public registers, such as the Swedish Companies Registration Office, the Swedish Tax Agency and other publicly available sources,
  • credit reference agencies,
  • banks, payment institutions and other financial actors,
  • KYC, AML, sanctions and identity verification providers,
  • credit providers, financing partners, investors, security agents and other partners,
  • other companies or shared functions involved in the business's case handling, control or administration,
  • counterparties in factoring or security arrangements,
  • digital signing and identity services,
  • our website and IT systems through logs, cookies and usage data.

Where personal data has not been obtained directly from the data subject, the information required under applicable data protection rules will be provided, unless statutory exceptions apply.

The provision of personal data may constitute a statutory or contractual requirement, or a requirement necessary for entering into a contract. Certain data is necessary for Flow & Partners Finance (0TO9 AB) to fulfil its legal obligations, for example regarding customer due diligence and identity verification under anti-money laundering regulations. Other data is required in order to assess and intermediate credit or to fulfil contractual obligations. If the data subject does not provide the personal data requested, this may result in Flow & Partners Finance (0TO9 AB) being unable to initiate or maintain the business relationship, process a credit application or fulfil its contractual or legal obligations.

  1. Purposes and Legal Basis for the Processing of Personal Data

Below is an overview of the processing of personal data carried out by Flow & Partners Finance (0TO9 AB).

Purpose Data Subject Data Processed Legal Basis
Assess whether we can enter into a business relationship Representatives, contact persons, beneficial owners Identity, contact, corporate and KYC data Legitimate interest in evaluating business opportunities and, where applicable, taking steps prior to entering into a contract
Assess and intermediate factoring credits and other secured corporate credits Representatives, contact persons, guarantors, security providers Credit documentation, financials, collateral, communication, identity data Legitimate interest and, where applicable, contract
Administer and follow up ongoing commitments Representatives, contact persons, security providers Customer management, payment history, security data, correspondence Legitimate interest, contract and in certain respects legal obligation
Fulfil customer due diligence, risk classification and AML checks Representatives, beneficial owners, authorised signatories, contact persons KYC/AML data, identity verification, PEP/sanctions, transaction data Legal obligation
Prevent, detect and investigate fraud, misuse and security incidents All relevant categories Logs, identity data, transaction patterns, communication Legitimate interest and in certain cases legal obligation
Fulfil bookkeeping, reporting and documentation requirements Representatives, contact persons, counterparties Invoices, payment data, agreements, documentation Legal obligation
Manage supplier and partner relationships Suppliers, consultants, partners Contact details, agreements, invoices, communication Contract, legitimate interest and in certain respects legal obligation
Communicate with customers, counterparties and partners Contact persons, representatives Contact details, correspondence, meeting notes Legitimate interest and sometimes contract
Marketing to existing or potential corporate contacts Contact persons, representatives Name, contact details, company relationship, history Legitimate interest or consent where required
Manage website, analytics, security and cookies Website visitors IP address, logs, cookie data Legitimate interest or consent for cookies/processing where consent is required
Establish, assert or defend legal claims Relevant data subjects Agreements, correspondence, KYC/credit documentation, logs Legitimate interest

7.1 Processing for Credit Assessment and Credit Intermediation

Personal data is processed in order to:

  • receive and handle enquiries regarding corporate financing,
  • analyse financing needs and business arrangements,
  • assess the company's repayment capacity and security structure,
  • prepare credit within the framework of a credit provider's credit process,
  • forward documentation to credit providers who subsequently make decisions regarding potential credit,
  • follow up and administer business relationships and ongoing commitments.

For this processing we normally rely on legitimate interest in conducting, developing and following up our operations within credit intermediation and corporate financing directed at businesses, and where applicable, on the processing being necessary for entering into or performing agreements with the legal entity you represent or with you in your capacity as security provider or other contracting party.

7.2 Processing for Customer Due Diligence and AML

We process personal data in order to fulfil obligations regarding:

  • identification and verification of customers, representatives and beneficial owners,
  • understanding of ownership structures, business models and the purpose of the business relationship,
  • risk classification,
  • screening against PEP and sanctions lists,
  • ongoing monitoring of business relationships and transactions,
  • documentation, reporting obligations and reporting under anti-money laundering regulations.

This processing is carried out on the basis of a legal obligation under applicable anti-money laundering regulations. The regulations impose requirements including customer due diligence, risk assessment, monitoring, documentation and retention of certain data for a specified period.

7.3 Processing for Bookkeeping and Accounting

Personal data is processed to the extent it appears in agreements, invoices, payment documentation and other financial records in order to fulfil obligations under bookkeeping legislation and other applicable accounting and tax regulations. Accounting records are retained as a general rule for the period required by law.

7.4 Processing for Marketing and Business Development

We may process data relating to contact persons and representatives in order to:

  • send information about our services,
  • invite to meetings, seminars and mailings,
  • analyse customer segments and business needs,
  • improve our offerings and our communication.

When marketing to businesses we normally rely on legitimate interest. Where the processing requires consent, for example for certain types of cookies or certain electronic marketing, we obtain such consent before the processing takes place.

7.5 Processing for Security, Incident Management and Regulatory Compliance

We may process personal data in order to:

  • protect IT environments, systems, information and business processes,
  • log access and usage,
  • prevent unauthorised access, fraud and other misuse,
  • carry out internal controls, audits and investigations,
  • manage personal data incidents and other security incidents.

This processing is carried out on the basis of, for example, being able to send general marketing (e.g. newsletters) and personalised marketing to you regarding Flow & Partners (0TO9 AB) products and services related to your customer agreements. The legal basis for the processing is a balancing of interests. Our legitimate interest is to send relevant and in certain cases personalised communication and marketing to you.

  1. Profiling and Automated Decision-Making

In our operations, personal data may be used in automated checks as part of credit assessment, risk classification, fraud prevention, KYC and AML. This may for example involve data being combined to identify risk indicators or anomalies.

We strive to ensure that decisions which have significant legal or similar effects on a natural person are not based solely on automated processing, unless this is permitted under data protection regulations and specific safeguards are in place. Should such a procedure be applied, the data subject has the right to request human intervention, express their view and contest the decision.

  1. Recipients of Personal Data

We only share personal data with other parties to the extent necessary to provide Flow & Partners Finance (0TO9 AB)'s services, if you have requested it, or if required by law. We do not sell personal data to third parties.

We will share your personal data with the company's data processors in the following situations: 1. Personal data is shared with our providers of digital signature solutions (such as BankID) and IT providers (such as core banking system providers, IT system and operations providers); 2. We also transfer information about you to our partners who, where applicable, manage contact with you in connection with your application and after-sales handling; 3. Your financial data is shared with our partners and providers of information and analysis services in order to carry out customer due diligence checks. In such communication we will strive to pseudonymise or anonymise the data. We transfer control data to the Swedish Tax Agency and other authorities as required by law. Furthermore, we transfer necessary and relevant personal data to our partners in order to: 1. Obtain account information as referred to in section 6 above; 2. for loan financing and debt collection; and 3. for the disposal of receivables from terminated customers (forward flow).

Since operations may be conducted with the support of shared functions and collaborations, personal data may be shared internally where necessary for example for:

  • credit assessment, credit intermediation and internal case handling,
  • compliance, risk control and AML functions,
  • IT, operations, administration and reporting,
  • financing arrangements, follow-up and internal governance.

Recipients of personal data as referred to herein are data controllers for their respective processing of personal data.

  1. Transfer of Personal Data to Third Countries

Flow & Partners Finance (0TO9 AB) aims for all processing of personal data to take place within the EU/EEA. Where personal data is transferred to a country outside the EU/EEA, this is done exclusively on the condition that a lawful basis for the transfer exists and that appropriate safeguards have been implemented, for example through a decision by the European Commission on an adequate level of protection or through the application of the European Commission's standard contractual clauses, supplemented where necessary by additional safeguards.

  1. How Long We Retain Personal Data

We do not retain personal data for longer than is necessary for each respective purpose, unless longer retention is required or permitted by law.

11.1 Main Principles for Retention

Type of processing — Typical retention period / principle

Type of Processing Typical Retention Period / Principle
KYC and AML documentation Retained in accordance with anti-money laundering regulations, normally for at least five years after the business relationship has ended or a one-off transaction has been carried out, and in certain cases longer if required by law
Accounting records Retained in accordance with the Bookkeeping Act, normally seven years
Agreements and business documentation For the duration of the contractual relationship and thereafter for as long as needed for follow-up, audit and legal claims
Data relating to potential but uncompleted transactions For as long as needed for case handling, internal control, regulatory compliance and limitation period-related needs, thereafter deleted
Marketing data Until the relationship ends, the data subject objects, or the data is no longer needed for the purpose
Website data and logs In accordance with established internal deletion routines and depending on security and analytics purposes

The anti-money laundering regulations contain specific requirements for the retention of customer due diligence data and certain documentation. Data protection rules simultaneously stipulate that personal data may not be retained for longer than necessary, but the right to erasure does not apply where continued retention is required to fulfil a legal obligation.

  1. Technical and Organisational Security Measures

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, alteration and other unlawful processing.

Such measures may include for example:

  • access control and access restrictions,
  • logging and monitoring,
  • encryption and secure communication where appropriate,
  • backup and recovery procedures,
  • segmentation of systems and data environments,
  • staff training,
  • internal governance documents, instructions and incident processes,
  • data processing agreements and supplier follow-up.

The level of security is continuously adapted taking into account the risks associated with the processing and the nature and sensitivity of the personal data.

  1. Cookies and Similar Tracking Technology

When visiting the website of Flow & Partners Finance (0TO9 AB), cookies, pixels, tags and similar technologies may be used in order to:

  • make the website function,
  • improve the user experience,
  • analyse traffic and usage,
  • maintain security,
  • where applicable, enable marketing.

Where consent is required for the use of cookies or similar technologies, we will obtain this before the technology is activated, except for cookies that are strictly necessary for the functioning of the service. Further information shall be set out in our separate cookie information or cookie policy.

  1. Rights of Data Subjects

A data subject has rights under data protection regulations. These rights are not absolute in all situations, but depend on the type of processing concerned and the legal basis on which we rely.

14.1 Right of Access

You have the right to receive information about how we process your personal data and to request a register extract containing details of our processing.

14.2 Right to Rectification

You have the right to request that inaccurate personal data be corrected and that incomplete data be completed.

14.3 Right to Erasure ("The Right to be Forgotten")

In certain cases you may ask us to erase your personal data. This right is however subject to limitations, such as where we process your data on the basis of or as required by law. The right to be forgotten applies for example in cases where processing is based on consent.

14.4 Right to Restriction of Processing

In certain cases you have the right to request that we restrict the processing of your personal data. This may apply for example in order to verify that the data held about you is accurate, to enable you to assert, establish or defend a legal claim, and (where processing is based on a balancing of interests) to verify our legitimate interest.

14.5 Right to Object and Right to Withdraw Consent

You may at any time object to the processing of personal data that is based on our legitimate interest. If you choose to object, we may no longer process your personal data for that purpose unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. You always have the right to object to processing for direct marketing purposes.

Where processing is based on consent, the data subject has the right to withdraw their consent at any time. A withdrawal does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal. Consent may be withdrawn by contacting Flow & Partners Finance (0TO9 AB) via the contact details set out in this policy or by contacting the data protection officer at DPO@plus1.com.

14.6 Right to Data Portability

Where the processing of your personal data is carried out by automated means and is based on a contract or consent, you have the right to receive a copy of the personal data you have provided to us. The personal data shall be provided in a structured, machine-readable format. You thereafter have the right to transfer your personal data to another data controller.

14.7 Rights in Relation to Automated Decision-Making

Where a decision that has legal or similarly significant effects on you is made solely through automated processing, you have the right to the safeguards provided under the GDPR, including the right to request human review.

14.8 How We Handle a Request

We may need to verify your identity before disclosing data or taking other action. As a general rule we will respond without undue delay and no later than one month from receipt of the request, unless a longer period is permitted under data protection regulations.

  1. Data Protection Officer

If you wish to know more about our processing of your personal data or if you wish to exercise your rights as set out above, we ask that you contact our data protection officer at dpo@plus1.com. Via the contact details above you can also obtain detailed information about the processing, such as the legal basis we rely on for each processing purpose and our data retention principles. You always have the right to contact the Swedish Authority for Privacy Protection, which is the supervisory authority for the processing of personal data, if you have any concerns about our handling of your personal data.

The Swedish Authority for Privacy Protection can be reached at: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Email: imy@imy.se, Website: www.imy.se

  1. Changes to the Policy

As we wish to keep this policy current, we may make changes to this policy at any time. We will notify of such changes on our website.