Milkywire cares about privacy and protecting the Personal Data handled by us. All Personal Data is Processed in accordance with Applicable Law. In this Policy we describe how and the purposes for which we use your personal information, as well as what lawful basis we use and what measures we take to protect Personal data. We also provide information on how you exercise the rights you have linked to our Processing of Personal data.
1. Who is responsible for your personal data?
Milkywire AB Reg. No. (559156-8018) ("Milkywire", "we", "us", "our") is the Controller in accordance with the EU General Data Protection Regulation (”GDPR”). This Privacy Policy (the ”Policy") provides information on how we handle Personal Data when you communicate with us, use the Services or visit our website www.milkywire.com.
The information in this Policy covers Personal Data Processing for which Milkywire is the Controller. As a Controller we are responsible for the Processing for which we decide the purpose of ("the why") and the means for the Processing (what methods, what personal data and for how long it is stored). The Policy does not describe how we Process Personal Data in the role of a Processor - i.e. when we process Personal Data on behalf of our customers.
The intended recipient of the information provided in this Policy is:
Users of the Services
Potential customers
Customers
Employees of potential customers
Employees of existing customers
Visitors of our website
2. Definitions
"Applicable Law" refers to the legislation applicable to the processing of Personal Data, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or EU supervisory authority.
"Controller" is the company/organisation that decides for what purposes and in what way personal data is to be processed and is responsible for the Processing of Personal Data in accordance with Applicable Law.
"Data Subject" is the living, natural person whose Personal Data is being processed.
"Personal Data" is all information relating, directly or indirectly, to an identifiable natural person.
"Processing" means any operation or set of operations which is performed on Personal data, e.g. storage, modification, reading, handover and similar.
"Processor" is the company/organisation that processes personal data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and the Applicable Law.
3. Your rights in relation to your personal data
Access - You always have the right to receive information about the Processing of data that concerns you. We only provide information if we have been able to verify that it is you that are requesting the information.
Rectification - If you find that the Personal Data we process about you is incorrect, let us know and we will fix it!
Erasure - Do you want us to completely forget about you? You have the right to be forgotten and request deletion of your Personal Data when the Processing is no longer necessary for the purpose for which it was collected. If we are required to retain your information under applicable law or a contract that we have entered with you, we will ensure that it is processed only for the specific purpose set forth in such applicable law or contract. We will thereafter erase the information as soon as possible.
Objections - Do you disagree with our assessment that a legitimate interest for Processing your Personal Data overrides your interest in protecting your privacy? Don’t worry - in such case, we will review our legitimate interest assessment. Of course, we add your objection to the balance and make a new assessment to see if we can still justify our Processing of your Personal Data. If you object to direct marketing, we will immediately delete your personal information without making an assessment.
Restriction - You can also ask us to restrict our Processing of your Personal Data
Whilst we are Processing a request from you for any of your other rights;
If, instead of requesting erasure, you want us to limit the Processing of Personal Data for a specific purpose. For example, if you do not want us to send advertising to you in the future, we still need to save your name in order to know that we should not contact you; or
In cases where we no longer need the information in relation to the purpose for which it was collected, provided that you do not have an interest in retaining it to make a legal claim.
Data portability - We may provide you with the data that you have submitted to us or that we have received from you in connection with a contract that we have entered with you. You will receive your information in a commonly used and machine-readable format that you can transfer to another personal data manager.
Withdraw consent - If you have given consent to one or several specific processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thus ask us to terminate the Processing immediately. Please note that you can only withdraw your consent for future processing of Personal Data and not for Processing that has already taken place.
Right to file a complaint - You have the right to submit a complaint to the Swedish Authority for Privacy Protection. More information about our obligations and your rights can be found at https://www.imy.se/. You can contact the authority via e-mail at: imy@imy.se.
How you use your rights
Please contact us directly at legal@milkywire.com if you wish to exercise any of your rights related to our processing of your personal data.
4. What types of personal data do we collect?
In this section, we describe the categories of personal data that we process. In section 5 below, we then describe the purposes for our processing of these categories of personal data, ie. what we use the data for.
Contact and identification information - Name, invoice address, e-mail address, mobile phone number.
Information about services - details regarding the services you have purchased. For example, the selection of beneficiaries for your donations.
Payment information - Credit and debit card information (card number, validity date and CVV code), bank account number, bank name.
Information about your use of Milkywire's services - Which service or services and what different functions in these services you have used and how you have used them. This includes information about your payment history, and your personal preferences.
Technical information generated through your use of Milkywire's services - Technical data such as response time for pages, download errors, and the date and time you used the service.
Information about your contacts with Milkywire's customer service - phone calls, chat conversations and email correspondence.
Your contacts with the beneficiaries you support through us - Information on how you interact with beneficiaries, such as information that you have received updates and which organizations you support.
Device information - Language settings, browser settings, time zone, operating system, platform, screen resolution and similar information about your device settings.
Service-specific personal data - Within our Service we use personal data such as content that you upload to the platform (for example images), location information, information about how you use the browser, and the websites you visit in it.
5. How is personal data used and on what lawful basis?
In this section we describe the purpose for which we will use your personal data and which categories of personal data we use for that purpose. In section 3 above, you can see which data points are included in each category of personal data. In this section, we also describe the lawful basis we have identified under data protection legislation, such as GDPR, to process the information about you. We also describe when Milkywire stops using the personal data for each purpose. Finally, we inform you if the personal data is information that you yourself actively provide to us, or whether it is information that Milkywire receives from another source.
Processings of personal data:
1. Processing and purpose of Processing: To administer our customer relationship in accordance with our agreements with you for each service you use. This requires creating and sending information to you in electronic format (not for marketing purposes). Personal Data: Contact and identification information, payment information, technical information generated through your use of Milkywire’s services. Source: Directly from the data subject, from Milkywire’s services, and from payment processing partners (currently Klarna and Stripe). Lawful basis: Performance of a contract (Art. 6(1)(b) GDPR). Storage period: During the contractual relationship.
2. Processing and purpose of Processing: To be able to perform customer satisfaction surveys and marketing, via e-mail, text message, telephone or through other communication channels. If you do not want us to perform this processing, you can let us know by contacting us, see more about your rights in section 3 above. Personal data: Contact and identification information, Information about your use of Milkywire’s services, technical information generated through your use of Milkywire’s services. Source: Directly from the data subject and from Milkywire’s services. Lawful basis: Balance of interests (Art. 6 (1) (f) GDPR). In balancing that interest, Milkywire has assessed that we have a legitimate interest in being able to carry out these types of surveys, that the processing of personal data is necessary to achieve that purpose and that our interest outweighs your right not to have your data processed for this purpose. Storage period: During the contractual relationship.
3. Processing and purpose of Processing: Ensure network and information security in Milkywire’s services. Personal Data: Contact and identification information, Information about your use of Milkywire’s services, technical information generated through your use of Milkywire’s services. Source: Directly from the data subject and from Milkywire’s services Lawful basis: The lawful basis for the processing constitutes a balance of interests (Art. 6 (1) (f) GDPR). In balancing that interest, Milkywire has assessed that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. That we ensure good information security is also in your interest as a customer. Storage period: During the time when you are using the Service.
4. Processing and purpose of Processing: To perform data analysis for product development and product testing to improve the design of our services (if possible, we first anonymize the data, which means that there is no personal data processing thereafter). Personal Data: Contact and identification information, payment information, Information about your use of Milkywire’s services, technical information generated through your use of Milkywire’s services. Source: Directly from the data subject and from Milkywire’s services. Lawful basis: The lawful basis for the processing constitutes a balance of interests (Art. 6 (1) (f) GDPR). In balancing that interest, Milkywire has assessed that we have a legitimate interest in performing data analysis for product development and product testing. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. Our customers also benefit from the treatment because it helps us deliver accurate and sustainable services. Storage period: During the entire time that Milkywire must retain the information in its systems, for example to fulfill the agreement with you, or comply with applicable law.
5. Processing and purpose of Processing: Compile accounting and audit in accordance with applicable law. Personal Data: Contact and identification information, payment information, information about your contact with Milkywire, information about your use of Milkywire’s services and technical information generated through your use of Milkywire’s services. Source: Directly from the data subject and from Milkywire’s services Lawful basis: The processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) (Bokföringslag (1999:1078). Storage period: During the time that the accounts are compiled and 7 years after the end of the year in which the information was registered.
6. Processing and purpose of Processing: If you contact us via social media, such as Instagram or Twitter, your personal data will also be collected and processed by these companies, in accordance with their data protection information. This also applies to the answer you get from us. Milkywire processes this information to answer your questions. Personal Data: Contact and identification information, information about your contact with Milkywire. Source: Directly from the data subject and from Milkywire’s services. Lawful basis: Performance of a contract (Art. 6(1)(b) GDPR). Storage period: Until we have answered your question.
6. Who do we share your personal data with?
When we share your personal data, we ensure that the recipient processes it in accordance with this information, for example by entering into so-called data sharing agreements or data processing agreements with the recipients. Those agreements include all reasonable contractual, legal, technical and organizational measures to ensure that your information is processed with an adequate level of protection and in accordance with applicable law. Below follows a description of categories of recipients that Milkywire may share your personal data with in connection to our Services.
Suppliers and subcontractors
Description of recipients: Suppliers and subcontractors are companies that only have the right to process the personal data they receive from Milkywire on behalf of Milkywire, so-called personal data assistants. Examples of such suppliers and subcontractors are software and data storage providers, payment service providers and business consultants.
Purpose and lawful basis: Milkywire needs access to services and functionality from other companies that Milkywire cannot offer itself. Milkywire has a legitimate interest in having access to these services and functionalities (Article 6 (1) (f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
Authorities
Description of recipients: Milkywire may provide necessary information to authorities such as the Swedish Financial Supervisory Authority, the Swedish Tax Agency or other authorities and courts.
Purpose and lawful basis: Sharing of personal data with the authority is done when we are required by law to do so, or in some cases if you have asked us to do so, if it is required to administer tax deductions, or counter crime. Depending on the authority and purpose, the lawful basis are an obligation to comply with law (Article 6 (1) (c) GDPR), to fulfill the agreement with you (Article 6 (1) (b) GDPR) or that Milkywire has a legitimate interest in being able to protect themselves from crime (Article 6 (1) (f) GDPR).
Payment service providers and financial institutions
Description of recipients: Payment service providers and financial institutions provide services to you, and Milkywire in order to implement and administer electronic payments through various payment methods, such as credit cards, direct debit and bank transfer.
Purpose and lawful basis: Milkywire’s sharing of your personal data with payment service providers and financial institutions is done to carry out a transaction you have initiated, for the purpose of fulfilling the agreement with you (Article 6 (1) (b) GDPR).
Divestment of operations or assets
Description of recipients: In the event that Milkywire sells business or assets, Milkywire may provide your personal information to a potential buyer of such business or assets. If Milkywire or a significant part of Milkywire’s assets is acquired by a third party, personal information about Milkywire's customers may also be shared.
Purpose and lawful basis: Milkywire has a legitimate interest in being able to carry out these transactions (Article 6 (1) (f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You have the right to object to this treatment, due to circumstances in your individual case.
Social media
Description of recipients: Social media companies such as Facebook, Instagram or LinkedIn.
Purpose and lawful basis: If you contact us via social media such as Facebook or LinkedIn, your personal information will also be collected and processed by these companies, in accordance with their data protection information. The processing takes place to fulfill the agreement with you (Article 6 (1) (b) GDPR).
7. Where do we process your personal data?
We always strive to process your personal data within the EU / EEA. In certain situations, such as when we share your personal data with a supplier or subcontractor with operations outside the EU / EEA, your personal data may also be processed outside the EU / EEA. In cases where our Processors transfer Personal Data outside the EU/EEA, we have ensured that the level of protection is adequate, and in compliance with Applicable Law, by controlling that either of the following requirements are fulfilled:
the EU Commission has determined that the level of protection is adequate in the third country where the data is processed;
the Processor has signed up to the EU Commission's standard contract clauses (SCCs) for data transfer to non-EU/EEA countries; or
the Processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with Applicable law.
8. For how long do we store your personal data?
We will keep your personal data as long as it is necessary for the purpose for which it was collected. Depending on the lawful basis on which we support the Processing, this may a) be regulated in a contract, b) be dependent on valid consent, c) be stated in legislation or d) followed by an internal assessment based on a legitimate interest assessment (LIA). In Section 5 above we indicate, where possible, the period during which the Personal Data will be stored.
9. How do we use cookies and other tracking technologies?
In order to provide a tailored experience, Milkywire uses cookies and similar tracking technology in our various interfaces such as our website, portal interface and at checkout of a store that uses Milkywire. You can find information about the tracking technology that Milkywire uses, and information about how you accept or decline the tracking technology in our Cookie Policy (link).
10. Updates to this Policy
We are constantly working to improve our services so that you get an even better user experience. This may involve changes in existing and future services. If such an improvement requires a notice or consent under applicable law, you will be notified or given the opportunity to give your consent. It is also important that you read this data protection information every time you use any of our services, as the processing of your personal data may differ from your previous use of the Service.
This policy was last updated in June 2021.
11. Contact details
Please contact us if you have questions about your rights or if you have any other questions about how we process your personal information.
For legal or general inquiries: legal@milkywire.com
Data Protection Officer Magnus Eriksson dpo@milkywire.com