Privacy Policy

Privacy Policy for KingsCross AB

1. Information about personal data processing in the KIX app

This Privacy Policy describes how KingsCross AB ("KingsCross", "we") collects and processes your personal data, what rights you have and who you can contact if you have any questions.

We protect your privacy and process your personal data in such a way that you can always feel safe when providing us with your information. This means, among other things, that we always process your personal data using the technical and organisational security measures required in each individual case.

This Privacy Policy shall ensure that the processing of your personal data that is collected and processed complies with legal requirements under the General Data Protection Regulation (GDPR) and other legislation, case law and general advice regarding personal data applicable at any given time.

2. Who is responsible for your personal data?

KingsCross AB, 556850-9599, is the data controller for the processing of your personal data and is responsible for ensuring that the personal data is processed in accordance with this policy as part of the use of the KingsCross app KIX ("KIX") and its services.

3. What personal data is processed and how do we access it?

We collect personal data that you provide yourself or that is created when you use KIX. Personal data is also collected from your bank when you connect a bank account to KIX. General information such as name and personal identity number is collected from the Swedish Tax Agency when you use BankID in KIX. When obtaining a register extract, where you have given us power of attorney to request one, personal data is collected from Valitive Credit AB or another credit information provider. Examples of personal data that may be processed include:

  1. Contact details such as name, phone number, email address and phone number.
  2. Date of birth and personal identity number.
  3. User ID and correlation ID.
  4. Device information such as IP address and device identification, as well as settings in KIX such as language settings.
  5. Bank details, bank account number, account balance, account holder and account name.
  6. Default accounts for deposits and disbursements and the last used bank account.
  7. Transaction history including dates, times and amounts (all transactions, funds transferred, funds received, requests).
  8. Messages sent during transfers and requests including any image or video.
  9. Contacts and their phone numbers, selected favourite contacts, blocked phone numbers.
  10. Profile image.
  11. Your interaction with the stores you shop at through KIX, such as type of store, order history of ordered items and items in the shopping cart.
  12. Membership in various customer clubs that you have joined yourself, subscriptions and VIP codes.
  13. Log for BankID connection and information about signings via BankID such as date, time and document ID.
  14. Examples of additional personal data that may be processed when obtaining register extracts on your behalf are credit information such as marital status, gender, income and tax information, property owner information, information about personal economic activity, records of non-payment, information about debt restructuring, balance due with the Swedish Enforcement Authority, distraint attempts, repossession cases, creditworthiness and compilation of financial information.
  15. Date of your last record retrieval.
  16. Information about incidents in KIX and your use of the same, such as response times, downloading errors, and time of use.
  17. Information you enter into KIX yourself or other information necessary to fulfil the service offered.

4. When do we have the right to process your personal data?

We only process your personal data when we have a legal basis for doing so. This is the case when the processing is necessary for the performance of an existing contract or a contract you wish to enter into, when we have a legitimate interest in the processing or when the processing is carried out for the compliance with a legal obligation.

In the situation where we obtain register extracts on your behalf, by virtue of the General Data Protection Regulation (GDPR), from credit reference agencies, this only happens when you have granted us power of attorney to request such an extract on your behalf. You can always revoke such power of attorney.

If processing of your personal data requires your consent, we will obtain it separately. In such cases, you have the right to withdraw your consent at any time.

5. Why is your personal data processed?

Your personal data is processed, where applicable, to:

  • Provide the service you want to use and enable you to initiate a relationship with the companies that are customers of ours.
  • Enable sending out information about picking up ordered goods.
  • Check and verify your phone number and identity via BankID so that you can create an account in KIX and transfer and receive money.
  • Enable identification and approval of payment via KIX.
  • Develop KIX and its services, including troubleshooting and quality assurance.
  • Compile historical data such as purchase and payment history.
  • Send optional push notifications when you receive money, when someone has sent a request, or for invitations from KIX.
  • Communicate with you, either directly or through one of our customers, including customer service, to provide you with updates and other information relating to the service.
  • Collect, store and provide personal information, on your behalf, to the party with whom you actively choose to share the information.
  • Detect and prevent fraud.
  • Manage legal requirements set out in laws and regulations within the framework of KIX.
  • Establish, assert, and defend legal claims.

6. Who has access to your personal data?

We want you to feel safe letting us process your personal data. Individuals within KingsCross who require access to personal data to fulfil its intended purposes are granted authorisation to access the personal data collected about you.

At your explicit request, we can provide access to your selected personal data to, for example, a store (company). We may also provide access to necessary personal data to our suppliers such as data storage service providers and suppliers that facilitate "open banking" to provide KIX services to you. In some cases, suppliers are also used to, for example, get help with support for our IT systems. In these cases, we have concluded agreements regarding the company's and the supplier's responsibilities as our data processor, as this may involve access to your personal data. The Personal Data Processing Agreement ensures that your personal data is protected.

When we share your personal data, it will be used for the same purposes for which we initially collected it. In the event of a merger, consolidation, restructuring or sale of substantially all shares and/or assets or other reorganisation, personal data may be disclosed to subsequent owners, part-owners and their advisors in connection with the reorganisation. Otherwise, we only share your personal data with third parties if this is required by law, regulation, official decision or to protect the legitimate interests of third parties.

7. Transfer to third country

Your personal data will not be transferred to countries outside the EU/EEA.

8. How long is your personal data stored?

We do not save your personal data for longer than is necessary to fulfil the purposes of processing your personal data. This means that we delete your personal data according to applicable legislation. When you connect a bank account to KIX through BankID, the connection is valid for 180 days. You will receive a reminder when you need to renew the connection. You can delete connected bank accounts from KIX at any time. When the validity period for a obtained register extract has expired, a new register extract is automatically obtained in accordance with the power of attorney submitted to KingsCross. If the power of attorney is revoked, the personal data shown in the register extract will be deleted after three months. If you terminate your use of our services or otherwise terminate your customer relationship with us, your personal data will normally be deleted or de-identified within three months. Exceptions apply when documentation needs to be stored longer by law. If there is a suspicion that fraud or other improper use of our services has occurred, we reserve the right to store this data for a longer period until the suspicions have been investigated.

9. How is your personal data protected?

It is important that your personal data is protected. Therefore, we work effectively to take all appropriate technical and organisational security measures required to protect the personal data against unauthorised access, alteration or destruction, such as protecting our physical servers as well as protecting our systems through firewalls, etc. KingsCross uses professional encryption methods at all times. Additionally, we work to ensure that access to your personal data is granted only to authorised individuals who require it to fulfil the specific purposes for which the processing is conducted.

10. Your Rights

We are committed to ensuring that you are aware of your rights and that you can contact us at any time to exercise the rights set out below. Under the heading "Contact details" below you will find information on where to turn.

11. Right to withdraw consent

You have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact us as soon as possible. Withdrawal of consent does not affect the lawfulness of processing conducted before the withdrawal.

12. Right to request access to personal data

We always want to be transparent about how your personal data is processed. If you would like to receive confirmation of whether personal data concerning you is being processed or to gain insight into what personal data we process about you, you have the right to request access to your data. You will then also receive information about the purposes of the processing, the personal data processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, if possible, the anticipated period for which your personal data will be stored or the criteria used to determine the period. If the personal data has not been collected from you, you will be provided with all available information about the source of this data. Information about additional rights is provided at the same time and you will receive a copy of the personal data being processed.

13. Right to rectification of personal data

You have the right to request that your inaccurate personal data be corrected without undue delay. You also have the right to complete incomplete personal data.

14. Right to erasure of personal data

You have the right to have your personal data deleted. We will delete the personal data without undue delay upon your request to the extent possible under applicable law. This right applies, for example, when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw consent, object to the processing, the personal data has been processed unlawfully or if the personal data must be erased to comply with a legal obligation, as long as there is no reason under applicable law that makes the processing necessary. For example, processing may be necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation or for the establishment, exercise or defence of legal claims.

15. Right to restriction of processing

You also have the right to restrict our processing of your personal data. You can do this, for example, if you dispute the accuracy of the personal data, if the processing is unlawful, if the personal data is no longer necessary for the purposes of the processing but you need it to establish, exercise or defend legal claims or pending any verification of whether our legitimate grounds outweigh your legitimate grounds.

16. Right to object to processing

You also have the right to object at any time to our processing of your personal data for reasons relating to your specific situation, for example, when the processing is based on a legitimate interest.

17. Right to data portability

Under certain conditions, you have the right to have your personal data transmitted to another data controller in a structured, commonly used and machine-readable format, where technically feasible, known as the right to data portability. This applies when the processing of your personal data is based on consent or on a contract and the processing is automated.

18. Right to lodge a complaint

If you believe that we have handled your personal data incorrectly, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY).

19. Contact details

KingsCross AB
Kungsgatan 27
111 56 Stockholm
hello@kix.eu

20. Privacy Policy Change

This Privacy Policy is available in KIX. We may, from time to time, need to update this policy. Our latest version of the Privacy Policy is always published in KIX.