Last changed: 4 November 2024
Swimbird AB, reg.no. 559172-8075 ("Swimbird", "we", "our" or"us") respects and protects your privacy. This privacy notice ("Privacy Notice") aims to describe how Swimbird as a data controller processes your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation, what rights you have under the GDPR and how you can enforce them.
This Privacy Notice applies when Swimbird, as a data controller, processes personal data pertaining to you who is:
Please note that some of our processing differs depending on whether you are a Private Individual User or a Company Subscription User, this is described below.
This Privacy Notice applies also when Swimbird, as a data controller, processes personal data pertaining to you who is:
For the avoidance of doubt, Swimbird is only the data controller for the processing of personal data as described in this Privacy Notice, unless we have provided you with any other additional information.
Any processing of Swimbird when providing SWIP as a white label solution to corporate subscribers such as banks is not described in this Privacy Notice, as Swimbird then acts as a data processor for the processing of your personal data as an end-user when using SWIP, while the company subscribers are the data controller in relation to the end-user. We therefore ask you to contact the company subscriber for questions or information regarding the company subscriber's processing of the end-users’ personal data as a data controller.
Further, this Privacy Notice applies when Swimbird, as a data controller, processes personal data pertaining to you who:
Swimbird is the data controller for the processing of your personal data as described in this Privacy Notice. As the data controller, we are responsible for ensuring that our processing of your personal data takes place in compliance with the GDPR and other applicable data protection legislation.
If you have any questions about this Privacy Notice, our processing of your personal data, or if you wish to exercise any of your rights, please contact us at dpo@swimbird.com or through the contact details below.
Swimbird AB, reg. no: 559172-8075
Address: Kaptensgatan 6, 114 57 Stockholm
E-mail: dpo@swimbird.com
We process personal data that has been provided by you when you contact us through, for example, e-mail, our social media accounts, or if you enter into an agreement with us, for your own account (Private Individual Users) or on behalf of the company that you represent (representatives of company subscribers or potential company subscribers).
In addition to the personal data provided by you, we may receive information from the company that you represent, if the said company is a (potential) company subscriber to Swimbird. We may also receive information from a company with whom we have entered into an agreement (Company Subscription User). Furthermore, we may collect your personal data from publicly available sources, such as your employer’s or company’s website.
When you visit and interact with our website, we may collect data such as IP address, browser type, time zone settings, and information about how you use our website from your device. We collect this personal data from your device by using cookies, server logs, pixels, and similar technologies (“Cookies”).
If you are a Private Individual User, we process your personal data to enter into an agreement with you. If you are a representative of a (potential) company subscriber, we process your personal data to enter into an agreement with the company that you represent. It is necessary that you provide us with certain personal data in order to enter into an agreement with us and for us to administer the relationship with you or the company that you represent. If you do not provide us with the necessary personal data, it is not possible for us to enter into an agreement with you or the company that you represent. If we have not entered into an agreement, we will not be able to provide SWIP to you.
In the tables below, you will find a summary of information about the purposes for which we process your personal data, the categories of personal data processed for the stated purpose, how long we process your personal data and the legal basis on which we base the processing. If we base the processing on a legitimate interest as a legal basis, we have also stated what the legitimate interest is.
Purpose of processing:
We process your personal data in order to provide and manage our services. This includes, for example, invoicing and communication regarding the contract or payment.
Categories of personal data:
This processing concerns:
Legal basis: Fulfillment of contract. We process your personal data in order to fulfil the SWIP license agreement with you.
Retention period: Your personal data is processed for the duration of the contractual relationship and up to twelve (12) months after its termination, provided that there are no legal requirements that stipulate a longer retention period. For personal data that must be stored in accordance with the Accounting Act, see section 5.9.
Purpose of processing:
We process your personal data in order to enter into an agreement with the company subscriber that you represent and to administer the agreement and the relationship. This includes, for example, the processing of personal data to manage invoicing and communications regarding the contract or payment.
Categories of personal data:
This processing concerns:
Legal basis: Pre-contractual activities. The processing of your personal data is necessary for our legitimate interest in being able to administer the agreement with our company subscribers. We have assessed that our interest outweighs your rights and interests not to have your personal data processed for this purpose.
Retention period: Your personal data is processed for the duration of the contractual relationship and up to twelve (12) months after its termination, provided that there are no legal requirements that stipulate a longer retention period. For personal data that must be stored in accordance with the Accounting Act, see section 5.9.
Purpose of processing:
We process your personal data in order to provide you with our support services, account services etc.
Categories of personal data:
This processing concerns:
Legal basis: Legitimate interest. The processing of your personal data is necessary for our legitimate interest in being able to provide you with support services, account services etc. We have assessed that our interest outweighs your rights and interests not to have your personal data processed for this purpose.
Retention period: Your personal data is processed for the duration of the contractual relationship and up to twelve (12) months after its termination, provided that there are no legal requirements that stipulate a longer retention period. For personal data that must be stored in accordance with the Accounting Act, see section 5.9.
Purpose of processing:
We process your personal data to send direct marketing to you by e-mail in order to promote our services and business/brand.
Categories of personal data:
This processing concerns:
Legal basis:
Legitimate interest. The processing of your personal data is necessary for our legitimate interest in being able to promote our services and business/brand to you (in your professional role). We have assessed that our interest outweighs your right not to have your personal data processed for this purpose. This legal basis applies to Representatives of a company subscriber or a potential company subscriber).
Consent. If you are a Private Individual User a Company Subscription User, we will process your personal data based on your consent.
Retention period:
Your personal data is processed throughout the contractual relationship and up to twelve (12) months after the contractual relationship ends if you have not objected to our direct marketing before that.
If you have consented, your personal data is processed for two (2) years from the time you provided your consent. If you have renewed your consent, the retention period will be extended by another two (2) years. This requires that you have not withdrawn your consent or objected to the processing for direct marketing purposes.
Purpose of processing:
We process your personal data in order to answer your questions or otherwise communicate with you by e-mail, phone, text message or on our corporate social media accounts.
Categories of personal data:
This processing concerns:
Legal basis: Legitimate interest. The processing of your personal data is necessary for our legitimate interest in answering any questions or otherwise communicating with you who contact us. We have assessed that our interest outweighs your rights and interests not to have your personal data processed for this purpose.
Retention period: Your personal data is processed for up to three (3) months, unless circumstances clearly require otherwise and we need to keep your personal data for a longer period of time to follow up on correspondence. For example, we may process your personal data for a longer period of time if there is an ongoing case that has not been closed or if we need to save your personal data for any other purpose stated in this Privacy Notice.
Purpose of processing:
We process your personal data in order to provide, administer and manage our website to you as a website visitor, e.g. to help diagnose problems with our server and to remember if you have chosen to consent to the use of Cookies on our website.
This purpose is related to Necessary Cookies.
Categories of personal data:
This processing concerns:
Legal basis: Legitimate interest. The processing of your personal data is necessary for our legitimate interest in administering our website, e.g. to help diagnose problems with our server. We have assessed that our interest outweighs your rights and interests not to have your personal data processed for this purpose.
Purpose of processing:
We process your personal data in order to understand how you and other website visitors use our website for the purpose of developing and improving our website.
This purpose is related to Analytical Cookies.
Categories of personal data:
This processing concerns:
Legal basis: Consent. We process your personal data for the stated purpose on the basis of your consent.
Purpose of processing:
We process your personal data in order to identify your and our other website visitors’ preferences, e.g. by analysing trends, tracking website visitors’ movements and gathering broad demographic information.
This purpose is related to Advertising Cookies.
Categories of personal data:
This processing concerns:
Legal basis: Consent. We process your personal data for the stated purpose on the basis of your consent.
Purpose of processing:
We may need to process information about you to fulfill our legal obligations under the Accounting Act. For example, this may include reference data in invoices (provided that the invoices are accounting material), personal data in a contract or other documentation that constitutes a verification of an accounting entry that must be kept according to the Accounting Act.
Categories of personal data:
This processing concerns:
Legal basis: Legal obligation. The processing of your personal data is necessary to fulfill our legal obligations under the Accounting Act.
Retention period: We retain your personal data for as long as it is required by law. According to the Accounting Act, accounting information must be kept for seven (7) years, counting from the end of the calendar year in which the financial year to which the information relates ended.
Purpose of processing:
If Swimbird is to be restructured (e.g., split into several different businesses) or if a third party wishes to acquire Swimbird or our customer database, Swimbird may disclose your personal data to the acquiring Company. This may also occur in the event of a merger or if Swimbird is liquidated or goes bankrupt. In such cases, the acquiring company will continue to process your personal data for the same purposes as stated in this Privacy Notice, unless you receive other information in connection with the transfer.
In order to enable restructuring, listing, sale or liquidation, personal data may also be shared with other companies and advisors as part of the process. In such cases, the companies and/or advisors have undertaken to observe confidentiality.
Categories of personal data:
This processing concerns:
Legal basis: Legitimate interest. We process your personal data based on our legitimate interest to enable the restructuring, listing, sale or liquidation of Swimbird or our assets, which we consider outweighs your right not to have your personal data processed for this purpose. However, this presupposes that the acquiring company carries on similar activities to Swimbird; however, this does not apply to a transfer to a trustee.
Retention period: If Swimbird ceases to exist, e.g., through a merger, division, liquidation or bankruptcy, or if Swimbird's customer database is transferred to an acquiring company, we will delete your personal data as long as the retention of such personal data is not required by law.
Purpose of processing:
We may need to process your personal data in order to defend our interests in the event of a dispute, such as to establish, exercise or defend legal claims, e.g., in the event of a payment dispute.
Categories of personal data:
This processing concerns:
Legal basis: Legitimate interest. We process your personal data on our legitimate interest in establishing, exercising or defending legal claims, which we consider outweighs your right not to have your personal data processed for this purpose.
Retention period: Your personal data is retained for as long as it is needed to establish, exercise, and defend our interests in the event of a dispute. For example, during the time that the dispute is ongoing, before it is finally settled.
When Swimbird has stated "legitimate interest" as the legal basis in section 5, it means that we have assessed that we or a third party have a legitimate interest in the processing being carried out (you will also find information about what the identified legitimate interest is in section 5). In addition to identifying the legitimate interest, we have also weighed this interest against your interests or fundamental rights and freedoms that require the protection of personal data. We can only base the processing of your personal data on a legitimate interest as a legal basis if we have carried out a balancing of interest and concluded that our or a third party's interests outweigh your interests or fundamental rights and freedoms. If we process your personal data on the basis of a legitimate interest, you can contact us through the contact details provided in section 2 to obtain further information about the performed balancing of interest, through a so-called legitimate interest assessment. Please note that the assessments are general (e.g., based on an average individual in the relevant category) and that no individual assessment has been made.
We do not use automated processes to make decisions that significantly affect you.
We will retain your personal data for as long as it is needed for the purposes for which we collected the personal data and as described in this Privacy Notice. When we no longer need your personal data, we will remove it from our systems, databases, and backups unless we have a legal obligation to save your personal data for a longer period. More specific retention periods are provided in the tables under section 5.
Swimbird may disclose your personal data to the recipients listed below. For a detailed list of the recipients to which we have disclosed your personal data, please contact us through the contact details provided in section 2.
Swimbird may engage other companies to process your personal data on our behalf as data processors. Such companies may only process your personal data in accordance with our instructions. We enter into data processing agreements with these companies and ensure a high level of protection to safeguard your personal data. We use the following types of data processors:
IT and system suppliers – Swimbird may share your personal data with IT and system suppliers to manage necessary operation, technical support and maintenance of our IT services.
Marketing and communications agencies – Swimbird may share your personal data with marketing and communications agencies engaged to assist Swimbird with marketing communications to customers and potential customers.
Accounting firm – Swimbird may share personal data contained in invoices and accounting information with our accounting firm, which has been engaged to enable Swimbird to fulfill its obligations under the Accounting Act.
Google LLC – Swimbird may share your personal data with Google LLC for the delivery of Google Cloud Platform, i.e. cloud computing services, such as computing, storage and data analytics.
Microsoft Corporation – Swimbird may share your personal data with Microsoft Corporation for the delivery of Microsoft Office 365, i.e. a cloud-powered productivity platform.
Webflow – Swimbird may share your personal data with Webflow for website building and editing.
Swimbird may share personal data with parties who are independent data controllers, which means that the party independently determines the purposes for which the personal data will be processed and how the processing will be carried out (i.e., the means for the data processing). When sharing personal data with these parties, they have an obligation to inform you about their processing of your personal data. Hence, their respective privacy notice applies to their processing.
Authorities and the judiciary – in some cases, Swimbird may need to disclose your personal data to courts and law enforcement authorities (e.g., the police authority) in accordance with law or in the context of court proceedings. Additionally, we may also need to disclose personal data to other parties in court proceedings or similar. Such a disclosure is based on a legitimate interest as a legal basis or to fulfill a legal obligation under law.
External advisors – we may share your personal data with external advisors, such as audit firms or law firms, in accordance with law or to obtain advice. These advisors usually act as independent data controllers, and a disclosure is usually based on a legitimate interest as a legal basis.
Acquiring company – if Swimbird is to be restructured (e.g., split into several different businesses), or if a third party wishes to acquire Swimbird or our customer database, Swimbird will disclose your personal data to the acquiring company. This may also occur in the event of a merger or if Swimbird is liquidated or goes bankrupt (in such case, to the trustee). In such cases, the acquiring company will continue to use your personal data for the same purposes as stated in this Privacy Notice, unless you receive other information in connection with the transfer. However, this presupposes that the acquiring company carries out similar activities as Swimbird. To enable restructuring, sale or liquidation, personal data may also be shared with other companies as part of the process. In such cases, the companies have undertaken to observe confidentiality. This is described in more detail in sections 5.5.
Social media – if you contact Swimbird through our corporate social media accounts, such as on Facebook and LinkedIn, the social media platforms (e.g. Meta and Microsoft) will process your personal data in accordance with their respective privacy notice as an independent data controller.
Cookie providers – if you visit our website and we obtain your consent, we may collect and share your personal data with cookie providers. These parties generally act as data controllers.
Swimbird strives to process your personal data within the EU/EEA. In certain circumstances, we may need to transfer your personal data to a country outside the EU/EEA ("Third Country"), as set out below. Swimbird ensures that the same high level of protection applies even when data is transferred to a Third Country.
Please contact us through the contact details provided under section 2 for more information on a specific transfer or to obtain a copy of the relevant documentation regarding the safeguards taken. You can also read more at the Swedish Authority for Privacy Protection website, available here, regarding what applies under the GDPR for transfers to Third Countries and appropriate safeguards.
The European Commission has also decided that the United States ensures an adequate level of protection provided that the recipient is covered by the so-called EU-US Data Privacy Framework (“DPF”). Swimbird may transfer personal data to the United States and in such cases ensures that the receiving party (i.e. the data importer) is certified under the DPF, in no other appropriate safeguards are in place.
If your personal data is transferred to a Third Country outside the EU/EEA that is not covered by an adequacy decision by the EU Commission or the DPF, we will ensure that there are appropriate safeguards in place. Appropriate safeguards may be that the party transferring the personal data to a Third Country (i.e. the data exporter) and the party importing personal data into a Third Country (i.e. the data importer) have entered into the EU Commission's standard contractual clauses for international transfers or that other safeguards have been taken. If these safeguards are not sufficient, we ensure that we have taken contractual, technical or organizational supplementary measures to ensure an essentially equivalent level of protection as within the EU for the personal data transferred to the Third Country. You can find more information about the EU Commission’s standard contractual clauses on the Swedish Authority for Privacy Protection’s website here.
Swimbird is responsible, in its capacity as data controller, for ensuring that your personal data is processed in accordance with applicable data protection legislation and that you can effectively exercise your rights under the GDPR. You can find more information about your rights in the sections below and at the Swedish Authority for Privacy Protection (IMY's) website, available here. In order to exercise your rights, you may contact us at any time through the contact details provided under section 2 in this Privacy Notice. Please do not forget to specify the right to which the request relates.
Time limits
Swimbird is obliged to respond to your request to exercise your rights within one month of receiving your request and to inform you of the action taken. In the event that a request is complex or if we have received a large number of requests, we are entitled to extend the time limit by two additional months (i.e., in total no later than three months from receipt of the request). We will notify you of such an extension including the reason for the extension within one month. If we do not take any action in response to your request, we are obliged to notify you within one month of receipt of your request: (i) that the action has not been taken; (ii) the reason for this; and (iii) inform you of your right to lodge a complaint with the supervisory authority and seek judicial redress.
As a general rule, it is free of charge
All information, communication and actions we carry out are free of charge for you. If requests related to your rights are manifestly unfounded or unreasonable, we have the right to either charge a reasonable administrative fee for providing the information or carrying out the requested action. We may also refuse to comply with your request.
We may need to identify you
If we have reasonable grounds to doubt the identity of the applicant, we may request additional information necessary to confirm your identity. We will not collect more personal data than necessary.
According to the GDPR, you have certain rights in relation to the data we process about you, which are described below. Some of these rights apply under certain conditions, which you can read more about below. You have the right to request the following rights.
Access to your personal data
In order for you to check whether processing of your personal data is taking place and whether the processing is lawful, you have the right to request access to your personal data. This means that you have the right to receive confirmation of whether we process your personal data and, if so, receive a copy of the personal data we are processing about you, free of charge. If you are only interested in a certain category of personal data or data processed for a specific purpose (for example, direct marketing), please indicate this in your request. In connection with the access request, you will also receive information about the processing, such as the reason why we process your personal data (i.e., the purpose of the processing), the envisaged period for which the personal data will be stored (if possible), to whom the personal data have been or will be disclosed, etc. For any additional copies you request, we are entitled to charge a reasonable administration fee to cover our administrative costs. If you make a request in electronic format, such as by e-mail, we will provide you with the information in a commonly used electronic format, unless you request otherwise.
Rectification or completion of your personal data
If we process personal data that is inaccurate, you have the right to request rectification. We will also, on our own initiative, rectify or erase information that we discover to be inaccurate. You also have the right to complete any incomplete personal data by providing a supplementary statement.
Erasure of your personal data
In some cases, you have the right to have your personal data deleted. This applies in the event that:
There are exceptions to the right to erasure
For example, there may be requirements in law or other compelling reasons that prevent us from deleting your personal data. A strong reason may be, for example, to establish, exercise or defend Swimbird against legal claims. We may also be prevented from deleting your personal data due to archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.
Restriction of processing
This means that we temporarily restrict the processing of your personal data so that they are only processed for certain limited purposes. We will inform you before the restriction of processing ends. You have the right to request restriction when:
We will take all reasonable measures possible to notify all recipients of your personal data as set out in section 9 if we have rectified, erased or restricted access to your personal data after you have requested us to do so, provided that it is not impossible or if it would involve a disproportionate effort. At your request, we will inform you about who we have disclosed personal data to.
You have the right to object to our processing of your personal data if we base the processing on a legitimate interest or public interest as a legal basis (see section 5). When you object, you must provide reasons for your objection that are related to your specific situation. If you object to a processing, we will only continue the processing if we have compelling legitimate grounds to continue the processing which override your specific reasons, interests, rights and freedoms or if the processing is necessary to establish, exercise or defend legal claims.
If you do not want us to process your personal data for direct marketing purposes, which include profiling, you always have the right to object to such processing (including profiling) by contacting us. Once we have received your objection, we will cease to process your personal data for this purpose. If you receive marketing communications from us by e-mail or text message, you can also click on our unsubscribe link at the bottom of each e-mail and text message.
If we process your personal data based on your consent as a legal basis (see section 5), you have the right to withdraw your consent at any time by contacting us. We are then not entitled to continue the processing of your personal data if there is no other legal basis for the processing. You will find our contact details in section 2 of this Privacy Notice.
If you wish to withdraw a consent that you have given to us in order to receive our direct marketing by email or SMS, you can choose between contacting us to withdraw your consent or clicking on our unsubscribe link which you will find at the bottom of each email.
If you have given your consent to the placement of Cookies on our website, www.swimbird.com, you can withdraw your consent by [clicking on the cookie icon in the bottom left corner of our website and then clicking on "deny cookies"].
You have the right to data portability when we process your personal data by, for example, automated means and when the legal basis for the processing is your consent or performance of a contract. Your right to data portability means that you have the right to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format and to transfer this personal data to another data controller. You may also request that we transfer the personal data directly to another data controller, provided that such direct transfer is technically possible.
You always have the right to lodge a complaint with the relevant supervisory authority if you believe that our processing of your personal data violates GDPR. This is particularly the case in the member state where you have your habitual residence, place of work or where the infringement was committed. The supervisory authority in Sweden is the Swedish Authority for Privacy Protection (IMY). You can contact IMY through the e-mail address imy@imy.se or through the contact details provided on IMY's website, available here.
Our mission is that you feel comfortable when we process your personal data. We have therefore implemented both technical and organizational security measures, including access restrictions and regular internal controls, to protect your personal data against, for example, unauthorized access, alteration, or loss. In the event of a personal data breach that could significantly affect you or your personal data, such as the risk of fraud or identity theft, we will contact you to explain what has happened and advise you on how to reduce the risk of potentially harmful effects.
We use Cookies on our website and in our services to, among other things, improve your experience with us and adapt our services to your needs and preferences.
Swimbird may change this Privacy Notice. In the event of a change, you will receive clear information about the change and what it means for you within a reasonable time before the amended version becomes effective. This applies provided that the change is not merely linguistic or editorial but involves a fundamental change in the processing itself, or if the change is not a fundamental change but we consider it to be relevant and to affect you. If a change in the processing of your personal data requires that your consent is obtained, you will be notified of this and given the opportunity to provide your consent.
You can always find the latest version of the Privacy Notice on our website and we will always indicate the date of the last update at the top of the Privacy Notice.