Last updated: 01.07.2022
1.1 Preliminary verification of data input and confirmation of interest in purchasing the invoice
We need to verify that a company representative inputs the correct company information, including company name and business address. The legal basis for this processing is our legitimate interests in ensuring that we will be invoicing the correct company at the right invoicing address (GDPR Article 6(1) litra f). For this purpose, we process Personal Data about which company the representative claims to be able to place an order on behalf of.
We share the name of the company with our partner banks. The purpose of this is to inquire whether the banks are interested in purchasing the invoice for the order placed by the company's representative. This processing is based on our legitimate interests in providing the Services to companies and the banks (GDPR Article 6(1) litra f).
1.2 Verification of the potential customer's intent to place an order
If none of the partner banks is interested in purchasing the order invoice, the Merchant will not present the Two Services as a payment option.
If one or several banks are interested in purchasing invoices regarding orders placed by the company's representative, the Merchant presents the Two Services as a payment option.
For order baskets above a certain value threshold, we must verify both the company placing the order and the identity of the person claiming to represent that company. We will then process Personal Data about the company representative placing the order for the purpose of ID verification. We will process information about the representative's name, the company delivery address, and which company the representative claims to be able to order on behalf of. We will also conduct ID verification to match the company representative with the company they claim to place an order on behalf of. For this purpose, we will process the previously stated information in addition to information about the type of connection the representative has with the company in question. We will use methods provided by BankID and Enin AS for these ID verification purposes.
The legal basis for this processing is our legitimate interests in verifying the company and ensuring that the company representative is authorized to represent the company (GDPR Article 6(1) litra f).
1.3 Placing an order choosing the Two Services as a payment method
When a company representative places an order using Two as the payment method, we must check with the relevant partner bank whether it confirms its interest in buying the payment claim for the order placed. If this is confirmed, Two facilitates the sale of the invoice from the merchant to the partner bank. For these purposes, Two collects and shares with the partner bank information about the company representative's name, the company delivery address, the name of the company, and the items and products purchased.
Two also facilitates the distribution of the invoice to the buyer company. For this purpose, Two will share the same information as described in the previous paragraph with the company; the company will receive the invoice in EHF format and the company representative will receive the invoice as a PDF file by email.
The legal basis for this processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and the partner bank (GDPR Article 6 (1) litra f).
1.4 Onboarding to the Two Buyer Center
Two provides the opportunity for representatives of prospective buyer companies to onboard themselves (as individuals) and their company via Two's Buyer Center. This onboarding requires the collection and other processing of information on the company name, company organization number, registered company address, the representative's name, work email address, relationship to the company, work department, mobile phone number and individual authentication (via BankID Login).
Company representatives who are Admin Users can edit Buyer Profile Types as well as spending limits for all Users onboarded on behalf of a company. Users can view a dashboard of, and download locally, the purchase history of their own transactions conducted via the Two Services. Admin Users can view all the company's transactions conducted via the Two Services. This will include information about which merchant sold the goods or services, which user made the purchase, order date, order amount, which products or services were purchased, order delivery (yes/no) and payment status (paid/to be paid/in arrears).
Using the Buyer Center is voluntary. The legal basis for the processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and allowing the company to manage their purchases (GDPR Article 6 (1) litra f).
1.5 Onboarding to the Two Merchant Center
Two provides the opportunity for prospective merchant representatives to onboard themselves (as individuals) and their company via Two's Merchant Center. For this purpose, we will process Personal Data about the representative's name, work email address, individual authentication (BankID Login), the representative's relationship to the company, mobile phone number, date of birth, and answers to a series of KYB (Know Your Business) Questions.
The users can view a dashboard of, and download locally, the sales history of the merchant's transactions conducted via the Two Services. This includes information about the buyer company's name (who bought the goods/services), transaction date, transaction items sold, order amount, order delivery (yes/no) and payment status (paid/to be paid).
The representatives can also request a view of the performance of the merchant's buyers' payouts to the partner banks, i.e. for the partner banks to share with the merchants via Two whether the original invoices generated have been paid upon credit term expiry. This will include information about the buyer company's name, transaction date, transaction items sold, order amount, order delivery (Yes/No), payout status to partner bank (paid/to be paid/in arrears/in collection).
The users can set up rules to (i) qualify the level of Strong Customer Authentication required, and (ii) establish recourse on transactions that may fail the partner bank's credit check. This will include information about the transactions for which no Strong Customer Authentication is required, the maximum order amount, and the maximum buyer credit riskiness (e.g. Probability of Default) acceptable for the merchant to provide merchant recourse for a prospective invoice financing facility.
Processing as described in this section is based on our legitimate interests in enabling the merchant company and their representatives to use the Two Services (GDPR Article 6 (1) litra f).
1.6 Credit and fraud checks
Two builds algorithmic statistical models based on registered fraud events to identify patterns and predict future fraud behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about fraud events, type of fraud events, date of fraud events, company name, company organization number, name of involved individual(s), IP address, delivery address, email address, phone number, "device fingerprint" (if available), order value at risk, recovery of order value after event, number of days until recovery. Fraud decision-making relates to a company representative.
Two builds algorithmic statistical models based on registered credit events to identify patterns and predict future credit risky behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about credit events, type of credit events, date of credit events, company Name, company organization number, name of involved individuals, transacting order, order value at risk, products and number of items per product in transaction, recovery of order value after event and number of days until recovery.
Two's decision-making on credit and fraud is therefore partially automated. With regard to fraud risk, a natural person reviews and takes into account all factors before a final decision is reached. The legal basis for these processing purposes is our legitimate interests in preventing, identifying and handling fraud events and in preventing, identifying and handling credit events involving risky behavior (GDPR Article 6(1) litra f). For the sake of clarity, any decision based (wholly or partly) on the aforementioned automated processing will only produce legal effects for legal entities (e.g. companies) and not for any natural persons.
1.7 Sales and marketing
We will contact companies and their representatives for sales and marketing purposes. This includes direct marketing to potential and existing customers, conducting customer surveys and finding potential customers via social media. We may, on occasion, use social media channels such as LinkedIn to reach out to those who we note are recurring users, or who we think may otherwise benefit from use of our platform.
We will process information about the company name, phone number, email and URL, and the name and contact information of the relevant company representatives.
For direct marketing to potential customers, we rely on our legitimate interest (GDPR Article 6(1) litra f) to be able to market our services to prospective customers. Processing for other sales and marketing purposes is also based on our legitimate interests in promoting and increasing the sale of our products and services (GDPR Article 6(1) litra f). You have the absolute right to object at any time to our processing of personal data for marketing purposes. If you object to the processing, your personal data will no longer be processed for the purposes of direct marketing.
The legal basis for this processing is our legitimate interests in analyzing and continuously improving our platforms and making them as relevant as possible to our customers (GDPR Article 6(1) litra f).
1.9 Providing customer service
We process Personal Data about the persons who contact our customer service. The information processed will depend on what you disclose to us and what other information is necessary in order to respond to your enquiry. The processing is based on our legitimate interest in receiving feedback in order to further develop and improve the Services (GDPR Article 6(1) litra f).
1.10 Legal obligations and legal claims
We use Personal Data (such as full legal name, address and ID details) to meet our contractual and legal obligations relating to Anti-Money Laundering (AML) and Know-Your-Customer (KYC) laws, anti-terrorism, export control, prohibitions on doing business with restricted persons or in certain business areas, and other legal obligations. In such cases, we will only process Personal Data insofar as necessary in order to fulfill the relevant legal obligations (GDPR Article 6(1) litra c).
In some cases, it is necessary for us to process Personal Data (such as full legal name, address, ID details) for the establishment, exercise and/or defense of legal claims. We will only process Personal Data insofar as necessary for our legitimate interests relating to such claims (GDPR Article 6(1) litra f).
We share Personal Data with our merchants, buyer companies, and partner banks, in addition to verification providers (such as Signicat for BankID and Enin AS), as further described above. We also use Google Cloud for hosting purposes, and the hosting servers are located within the EU/EEA.
We will share Personal Data when necessary in order to facilitate commercial transactions, such as mergers and acquisitions. We also share data with governmental and supervisory authorities and others when required to do so by law.
We will not transfer Personal Data to recipients in countries outside the EU/EEA that do not offer adequate data protection, unless appropriate safeguards are in place.
3.1 How long will we retain your information?
We will not store Personal Data for a longer period of time than necessary due to the circumstances. How long we store your Personal Data will vary and will generally depend on the purpose for which we are using your personal data, where we will need to keep the information for as long as is necessary for the relevant purpose, and legal obligations, where laws and regulations may require a minimum period during which we must keep your personal data.
Personal Data that we must save according to Swedish accounting legislation must be stored for a period of 7 years following the expiry of the calendar year in which the accounting year (to which the information relates) was closed.
Personal Data that needs to be stored to comply with Anti Money Laundering legislation must be stored for at least 5 years, and if necessary in order to prevent, discover or investigate money laundering or terrorist financing, up to 10 years.
3.2 Transfer of personal data
As a general rule we only process data within the EU/EEA.
We may also transfer certain data to the UK as follows. Data that Two captures is stored in Google Cloud (EU and UK) and is not transferred outside of those regions. The European Commission has decided that the UK ensures an adequate level of protection, so that transfers of personal data to the UK are permitted; see https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/overforing-till-tredje-land/detta-innebar-brexit/
We handle your Personal Data securely and have established procedures that meet data protection requirements. The security measures are of a technical, contractual and organizational nature. For example, we conduct regular assessments of the security of all central systems used for the handling of Personal Data. We have also entered into agreements with our subcontractors that require them to ensure appropriate information security for the services they provide to us. We control and limit access to Personal Data to personnel who have a justifiable need for access in order to carry out their tasks.
You have certain rights with regard to the processing of your personal data.
You have the right to request erasure of your Personal Data where:
(a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the processing is based on your consent and you withdraw your consent, unless there are any other legal grounds for the processing;
(c) you object to processing based on a weighing of interests and there are no overriding legitimate grounds for the processing (note however that you always have the right to erasure of your personal data used for direct marketing purposes);
(d) the Personal Data have been unlawfully processed; or
(e) the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
Please note however, that the right to erasure does not always apply, for example if the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.
You have the right to request that we restrict the processing of your Personal Data where:
(a) the accuracy of the Personal Data is contested by you, for a period enabling us to verify the accuracy of the data;
(b) the processing is unlawful and you oppose the erasure of the personal data and request that the use of the data is instead restricted;
(c) we no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
(d) you have objected to processing based on a weighing of interests, pending the verification whether our legitimate grounds to process the data override yours.
Where processing has been restricted on one of these grounds, such Personal Data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Two Bcommerce AB
c/o Epicenter, Mäster Samuelsgatan 36
Stockholm, 111 57