Last updated: 13.02.23
1 Our processing of Personal Data
1.1 Preliminary verification of data input and confirmation of interest to purchase the invoice
We need to verify that a company representative inputs the correct company information, including company name and business address. The legal basis for this processing is our legitimate interests in ensuring that we will be invoicing the correct company at the right invoicing address (GDPR Article 6(1) litra f). For this purpose, we process Personal Data about which company the representative claims to be able to place an order on behalf of.
We share the name of the company with our partner banks. The purpose of this is to inquire whether the banks are interested in purchasing the invoice for the order placed by the company's representative. This processing is based on our legitimate interests in providing the Services to companies and the banks (GDPR Article 6(1) litra f).
1.2 Verification of the potential customer placing an order intent
If none of the funding providers is interested in purchasing the order invoice, the Merchant will not present the Two Services as a payment option.
If one or more funding providers are interested in purchasing invoices regarding orders placed by the company's representative, the Merchant presents the Two Services as a payment option.
For order baskets sized above a certain threshold, we must verify the company placing the order as well as the identity of the person claiming to represent the company. We will then process Personal Data about the company representative placing an order for the purpose of ID verification. We will process information about the representative's name, the company delivery address, and which company the representative claims to be able to order on behalf of. We will also conduct ID verification to match the company representative with the company they claim to place an order on behalf of. For this purpose, we will process the previously stated information in addition to information about the type of connection the representative has with the company in question. We will use methods provided by BankID, Creditsafe Ltd and Creditsafe i Sverige AB for these ID verification purposes.
If the buyer is a registered sole trader, the buyer will enter his or her social security number to perform a legitimate order intent thereby giving Two the right to perform a credit check as per 1.6.
The legal basis for this processing is our legitimate interests in verifying the company and ensuring that the company representative is authorized to represent the company (GDPR Article 6(1) litra f).
1.3 Placing an order choosing the Two Services as a payment method
To place an order using Two as a payment method, we must check with the relevant partner bank whether they confirm their interest in buying the payment claim for the order placed. If this is confirmed, Two facilitates the sale of the invoice from the merchant to the partner bank. For these purposes, Two collects and shares with the partner bank information about the company representative's name, the company delivery address, the name of the company, and the items and products purchased.
Two also facilitates the distribution of the invoice to the buyer company. For this purpose, Two will share the same information as described in the previous paragraph with the company. The company will receive the invoice via Peppol, if the company is found in the Peppol directory, and the company representative will receive the invoice as a PDF file by email.
The legal basis for this processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and the partner bank (GDPR Article 6 (1) litra f).
1.4 Onboarding to the Two Buyer Center
Two provides the opportunity to prospective company representative buyers to onboard themselves (as an individual) and their company via Two's Buyer Center. This onboarding requires collection and other processing of information on the company name, company organization number, registered company address, the representative's name, work email address, relationship to the company, work department, mobile phone number and individual authentication (via BankID Login). If the buyer is a registered sole trader, we will also require Personal Data such as their social security number.
Company representatives who are Admin Users can edit Buyer Profile Types as well as spending limits for all Users onboarded on behalf of a company. Users can view a dashboard of, and download locally, the purchase history of their own transactions conducted via the Two Services. Admin Users can view all the company's transactions conducted via the Two Services. This will include information about which merchant sold the goods or services, which user made the purchase, order data, order amount, which products or services were purchased, order delivery (yes/no) and payment status (paid/to be paid/in arrears).
Using the Buyer Center is voluntary. The legal basis for the processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and allowing the company to manage their purchases (GDPR Article 6 (1) litra f).
1.5 Onboarding to the Two Merchant Center
Two provides the opportunity for prospective merchant representatives to onboard themselves (as an individual) and their company via Two's Merchant Center. For this purpose, we will process Personal Data about the representative's name, social security number (if registered sole trader), work email address, individual authentication (BankID Login), the representative's relationship to the company, mobile phone number, DOB, and answers to a series of KYB Questions.
The users can view a dashboard and have the ability to download locally the sales history of the merchant's transactions conducted via the Two Services. This includes information about the buyer company's name (who bought goods/services), buyer representative’s contact and identification details, transaction date, transaction items sold, order amount, order delivery (yes/no) and payment status (paid/to be paid).
The representatives can also request a view of the performance of the merchant's buyers' payouts to the funding partner, i.e. for the funding partner to share with the merchants via Two whether the original invoices generated have been paid upon credit term expiry. This will include information about the buyer company's name, transaction date, transaction items sold, order amount, order delivery (Yes/No), payout status to partner bank (paid/to be paid/in arrears/in collection).
The users can set up rules to (i) qualify the level of Strong Customer Authentication, and (ii) establish recourse on transactions that may fail the partner bank's credit check. This will include information about transactions to which no Strong Customer Authentication is required, max order amount, and max buyer credit riskiness (e.g. Probability of Default) required in order for the merchant to provide merchant recourse for a prospective invoice financing facility.
Processing as described in this section is based on our legitimate interests in enabling the merchant company and their representatives to use the Two Services (GDPR Article 6 (1) litra f).
1.6 Credit and fraud checks
Two builds algorithmic statistical models based on registered fraud events to identify patterns and predict future fraud behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about fraud events, type of fraud events, date of fraud events, company name, company organization number, name of involved individual(s), social security number (in the case of sole traders), IP address, delivery address, email address, phone number, "device fingerprint" (if available), order value at risk, recovery of order value after event, number of days until recovery. Fraud decision-making relates to a company representative.
Two builds algorithmic statistical models based on registered credit events to identify patterns and predict future credit risky behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about credit events, type of credit events, date of credit events, company name, company organization number, name of involved individuals, transacting order, order value at risk, products and number of items per product in transaction, recovery of order value after event and number of days until recovery.
Therefore, Two’s decision-making on credit and fraud is partially automated. Vis-à-vis fraud risk, a natural person reviews and takes into account all factors before a final decision is reached. The legal basis for these processing purposes is our legitimate interests in preventing, identifying and handling fraud events and in preventing, identifying and handling credit events involving risky behavior. For the sake of clarity, any decision based (wholly or partly) on the aforementioned automated processing will only produce legal effects for legal entities (e.g. companies) and not any natural persons.
In the case the buyer is a registered sole trader we will send your social security number to our affiliated credit report agencies. The credit reporting agency will inform you that Two has taken a credit report. The credit information does not affect your credit rating.
1.7 Sales and marketing
We will contact companies and their representatives for sales and marketing purposes. This includes direct marketing to potential and existing customers, conducting customer surveys and finding potential customers via social media. We may, on occasion, use social media channels such as LinkedIn to reach out to those who we note are recurring users, or who we think may otherwise benefit from use of our platform.
We will process information about the company name, phone number, email and URL, and the name, contact and identification information of the relevant company representatives.
For direct marketing to potential customers, we rely on our legitimate interest (GDPR Article 6(1) litra f) to be able to market our services to prospective customers. Processing for other sales and marketing purposes is also based on our legitimate interests in promoting and increasing the sale of our products and services (GDPR Article 6(1) litra f). You have the absolute right to object at any time to our processing of personal data for marketing purposes. If you object to the processing, your personal data will no longer be processed for the purposes of direct marketing.
The legal basis for this processing is our legitimate interests in analyzing and continuously improving our platforms and making them as relevant as possible to our customers (GDPR Article 6(1) litra f).
1.9 Providing customer service
We process Personal Data about the persons who contact our customer service. The information processed will depend on the information you disclose to us and what other information is necessary to process in order to respond to your enquiry. The processing is based on our legitimate interest in receiving feedback in order to further develop and improve the Services (GDPR Article 6(1) litra f).
1.10 Legal obligations and legal claims
We use Personal Data (such as full legal name, address, ID details, etc.) to meet our contractual and legal obligations related to Anti-Money Laundering (AML), Know-Your-Customer (KYC) laws, anti-terrorism, export control and prohibitions on doing business with restricted persons or in certain business areas, and other legal obligations. In such cases, we will only process Personal Data insofar as necessary in order to fulfill the relevant legal obligations (GDPR Article 6(1) litra c).
In some cases, it is necessary for us to process Personal Data (such as full legal name, social security number (for sole traders), address, ID details) for the establishment, exercise and/or defense of legal claims. We will only process Personal Data insofar as necessary for our legitimate interests relating to such claims (GDPR Article 6(1) litra f).
2 Who we share Personal Data with
We share Personal Data with our merchants, buyer companies, and partner banks, in addition to verification providers (such as Signicat for BankID, Creditsafe Ltd and Creditsafe i Sverige AB), as further described above. We also use Google Cloud for hosting purposes, and the hosting servers are located within the EU/EEA.
We will share Personal Data when necessary in order to facilitate commercial transactions, such as mergers and acquisitions. We also share data with governmental and supervisory authorities and others when required to do so by law.
We will not transfer Personal Data to recipients in countries outside the EU/EEA that do not offer adequate data protection, unless appropriate safeguards are in place.
3 Storage and security of processing
3.1 How long will we retain your information?
We will not store Personal Data for a longer period of time than necessary due to the circumstances. How long we store your Personal Data will vary and will generally depend on the purpose for which we are using your personal data, where we will need to keep the information for as long as is necessary for the relevant purpose, and legal obligations, where laws and regulations may require a minimum period during which we must keep your personal data.
Personal Data that we must save according to Swedish accounting legislation must be stored for a period of 7 years following the expiry of the calendar year in which the accounting year (to which the information relates) was closed.
Personal Data that needs to be stored to comply with Anti Money Laundering legislation must be stored for at least 5 years, and if necessary in order to prevent, discover or investigate money laundering or terrorist financing, up to 10 years.
3.2 Transfer of personal data
As a general rule we only process data within the EU/EEA.
We may also transfer certain data to the UK as follows. Data that Two captures is stored in Google Cloud (EU and UK) and does not get transferred outside of that. The European Commission has decided that the UK ensures an adequate level of protection for transfers of personal data to be permitted, see https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/overforing-till-tredje-land/detta-innebar-brexit/
We handle your Personal Data securely and have established procedures that meet data protection requirements. The security measures are of technical, contractual and organizational nature. For example, we conduct regular assessments of the security in all central systems that are used for the handling of personal data. We have also entered into agreements with our subcontractors that require them to ensure appropriate information security regarding the services they provide to us. We limit the access to Personal Data to personnel who have a need for access in order to carry out their tasks. We control and limit access to Personal Data to personnel with justifiable need.
4 Your rights
You have certain rights with regard to the processing of your personal data:
● Right to access: You have the right to demand and receive confirmation whether or not we process Personal Data which concerns you. If such data is being processed, you have a right to receive information regarding the processing and a copy, free of charge, of the data being processed. For any further copies requested by you, we may charge a reasonable fee based on administrative costs.
● Right to request rectification: You have the right to obtain, without undue delay, the rectification of inaccurate Personal Data concerning yourself. Taking into account the purposes of the processing, you also have the right to have incomplete Personal Data completed by providing a supplementary statement.
● Right to erasure (“the right to be forgotten”): You have a right to have Personal Data concerning yourself erased without undue delay and we are obligated to erase Personal Data without undue delay where one of the following grounds applies:
(a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the processing is based on your consent and you withdraw your consent, unless there are any other legal grounds for the processing;
(c) you object to processing based on a weighing of interests and there are no overriding legitimate grounds for the processing (note however that you always have the right to erasure of your personal data used for direct marketing purposes);
(d) the Personal Data have been unlawfully processed; or
(e) the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
Please note however, that the right to erasure does not always apply, for example if the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.
● Right to request restriction of processing: You have the right to obtain restriction of the processing where one of the following applies:
(a) the accuracy of the Personal Data is contested by you, for a period enabling us to verify the accuracy of the data;
(b) the processing is unlawful and you oppose the erasure of the personal data and request that the use of the data is instead restricted;
(c) we no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
(d) you have objected to processing based on a weighing of interests, pending the verification whether our legitimate grounds to process the data override yours.
Where processing has been restricted under paragraph 1, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
● Right to object: You have the right to object, at any time, to processing of personal data which is based on a weighing of interests or based on necessity for the performance of a task carried out in the public interest. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where Personal Data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data for such marketing purposes.
● Right to data portability: To the extent the processing is carried out by automated means and that the data has been processed based on your consent pursuant to GDPR Article 6(1) litra a, you have the right to transmit the data to another controller. Where technically feasible, you shall have the right to have the Personal Data transmitted directly from us to another controller.
● Right to withdraw consent: If you have consented to our processing of your Personal Data, you may withdraw this consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on your consent prior to the withdrawal.
● Right to lodge a complaint with a supervisory authority: If you disagree with the way we process Personal Data about you or consider that your rights are not being respected by us, you are welcome to contact us at firstname.lastname@example.org. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten or IMY).
5 Changes to this policy
6 Contact information
Two Bcommerce AB
c/o Birger Jarlsgatan 79
113 56, Stockholm