Version 1.2 (2021-06-17)
Pej cares about your personal privacy and it’s important to us that you feel confident about our processing of your personal data. We are completely transparent about how we collect, process and disclose the personal data we store about you. We never sell your personal data to any third party without your consent.
We welcome the European-wide regulation which aims to improve and better define the processing of personal data to the benefit of our users. As a matter of fact, the main purpose of the regulation is to protect the natural person’s basic rights and freedoms, in particular their rights to personal data protection.
This policy explains how we collect and use your personal data, and how you can access, rectify and erase your personal data. To us, it is important that you read through and understand the policy. You are welcome to contact us at firstname.lastname@example.org or +46 10 188 00 40 for any questions concerning personal data and privacy protection.
Why do we collect your personal data?
We need your personal data to enable our service to operate in the best possible way, as well as to comply with the legal requirements applicable to our service. For example, we need your email address to comply with applicable laws that require us to send you a receipt after having purchased something from us. Certain personal data are used to provide the best possible service and support.
We process all personal data with the utmost regard to your privacy and your rights and freedoms.
Which personal data do we collect and why?
We collect the personal data required for our service to work, which may vary from case to case. For example, we only use the delivery address when an order is to be delivered to a physical address.
|Personal data||Purpose||Legal basis|
|First and last name||Your first and last name is used to identify you when you place an order and hence helpful to merchants when they deliver your order.||Fulfil contractual obligations|
|Email address||The email address is used to create your login username.
The email address is also used to send you an order confirmation and receipt related information.
The email address is also used to contact you for matters regarding customer administration, e.g. customer support.
|Fulfil contractual obligations
Comply with legal obligations
Fulfil contractual obligations
|The profile image helps our merchants recognise you when they e.g. are serving your order at a table.||Pej has a legitimate interest of being able to show your profile image to merchants with the goal of providing you with the best possible service through helping the merchant to recognise you when they deliver your order. The profile image is optional and not asked for in the onboarding process.|
|Payment details||We do not store payment details, either locally or on an external server. Instead, only a so-called tokenisation is created from your card through Stripe when you fill in your payment details. We use Stripe to carry out transactions in the most secure way. We only store a so-called tokenisation of your card information, the four last digits, the name on the card and the expiry date – to allow you to identify which card you are paying with. All sensitive card details are stored by Stripe, which has the payment card industry’s highest possible accreditation (PCI Service Provider Level 1). Read more here.||Fulfil contractual obligations|
|Location information||When using the service and after allowing us to have access to your location information, we use the location information to help you choose the merchant from which you wish to place an order from.||Consent. The location information is optional and consent to use this is clearly requested in the service.|
|Order history||We store your order history to allow you easy visibility and access of the purchases you have made through Pej. The order history is also helpful to our merchants when they need to process a refund, and it also helps us in certain support cases.||Fulfil contractual obligations|
|Phone number||In some cases, we use your phone number to send an order confirmation as a text message to your phone number. In these cases, the text message contains a link to your receipt.
Your phone number may be used by merchants to simplify the delivery of your order, for example when delivering to your home address.
When you opt to make a purchase via Swish (a Swedish payment provider) or Vipps (a Norwegian payment provider), then your phone number may be used to facilitate the payment. Read more about this and Swish and Vipps further down in this policy.
|Comply with legal obligations
Fulfil contractual obligations
Fulfil contractual obligations
|Car registration number||The car registration number is used in cases where you ask the merchant to deliver your order to your car. The car registration number helps the merchant to identify your car.||Fulfil contractual obligations|
|Delivery address||The delivery address is used in cases where you ask the merchant to deliver your order to a specific address. The delivery address helps the merchant to identify the address to where the order should be delivered.||Fulfil contractual obligations|
How do we collect personal details?
You can – directly or indirectly – provide details about yourself to us in a number of ways, either by providing the details yourself when you set up a user account or when you place an order and pay through a third party. We always inform you in the event that we retrieve details from a third party.
Where do we process the data?
We always aim to process your personal data within the EU/EAA. Personal data may be, however, in some situations, transferred to and processed by another supplier or subcontractor that is located in a country outside the EU/EAA. In doing so, all reasonable legal, technical and organisational measures are taken to ensure your personal data are processed securely and with an adequate degree of protection in accordance with GDPR.
If we transfer personal information to countries outside of the EU/EEA, we may rely on a decision from the European Commission determining that the country provides an adequate level of protection to the Data Protection Laws. Alternatively, we may rely on appropriate safeguards in respect of transfers of personal information to a country outside of the EU/EEA, for example, by agreeing standard contractual clauses adopted by the European Commission.
To whom might we potentially disclose your information?
In order to provide our service, we need help from other companies. Some of these are personal data processors while others, such as merchants on our platform, are personal data controllers in addition to us. Personal data processing agreements have been put in place in accordance with GDPR with all personal data processors. We are happy to disclose any or all of our personal data processing agreements, if requested. Our merchants have a responsibility in parallel with us. Please refer to their agreement to read more about their processing of your personal data.
|Personal data processor||Purpose||Personal data|
|Merchant||Merchants who offer Pej’s service in their business have access to certain personal data in order to carry out the order. Some personal data are used to deliver the order while others are required to comply with laws, e.g. accounting laws. To read more about how merchants process your personal data, please refer to their data protection and confidentiality policies, which are available when you place an order.||First and last names, email address, phone number, car registration number, delivery address, order history per each merchant.|
|Google Cloud Platform||We use the Google Cloud Platform to store personal data.||First and last names, email address, phone number, car registration number, delivery address, Token ID, order details and order history.|
|G Suite||We are currently using G Suite as our mail server. Google is therefore data processor for support cases handled via email.||Depends on the individual support case.|
|Mailchimp||We use Mailchimp to send a confirmation to your email (”Email confirmation”). This is stored for 30 days only to simplify potential support cases and is thereafter deleted. We also distribute mailings containing important contract information, policies etc. via email.
Mailchimp’s servers are located outside of the EU/EEA and our sending of personal data to them is hence viewed as a third-country transfer. For these transfers of personal data, we rely on appropriate safeguards by using and including standard contractual clauses adopted by the European Commission in our data processing agreement with Mailchimp (you may find our data processing agreement, as well as the standard contractual clauses – the latter under Annex C – here).
|First and last names, email address, delivery address.|
|Slack||We use a communication system called Slack for our internal communications and support. As we use Slack to manage support cases, e.g. contacts made through our website, this means Slack have access to certain personal data depending on the individual support case.||Depends on the individual support case.|
|Stripe||We use Stripe to perform payment transactions in the most secure way. We only store a so-called tokenisation of your payment card plus the four last digits, the name stated on the card and the expiry date – allowing you to identify which card you are using. All sensitive card details are stored by Stripe, who has the payment card industry’s highest possible accreditation (PCI Service Provider Level 1). Read more here.||First and last names, payment details.|
|Swish||Payment service provider Swish uses your phone number to identify your payment. When making a payment, you are directed to Swish’s own platform, where Swish’s own data protection and confidentiality agreement applies. Link to the agreement.||Phone number, payment details.|
|Vipps||Payment service provider Vipps may need your phone number to identify your payment (often the communication to Vipps is done without using your phone number). When making a payment, you are directed to Vipps’s own platform, where Vipps’s own data protection and confidentiality agreement applies.||Phone number, payment details.|
Authorities: Pej may potentially disclose required details to authorities such as the police, tax agency or other authorities to whom we are liable to disclose details according to applicable laws, or if you have given us consent to do so. Example of legal obligations to disclose details are measures against money laundering and financing of terrorism.
For how long do we store personal data?
We store personal data for as long as it is necessary to fulfil the purpose for which the data was collected, or to comply with our obligations and for as long as it is statutorily required, particularly in relation to accounting requirements. You can opt to delete your account yourself, meaning only personal data that are statutorily required to be stored, are stored. The personal data is only stored for as long as necessary. We have clear routines in place for how to minimise storage of data.
We have the right to remove information and users who do not comply with the law or who we believe act abusively, offensively and/or do not comply with the policy. Our responsibility does not free users from their responsible for what they publish.
What happens in the event of a data breach or personal data incident?
Should, against all presumptions, a serious data breach or personal data incident occur, we will notify all affected parties, as well as the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten) as soon as possible. We have routines in place for this purpose, as well as an established structure for internal and external reporting.
Your right to access, rectification and deletion
Your personal data is your data. We have set up a page for you to log in and get:
- access to your personal data,
- right to rectification,
- right to be erased, and
- right to data portability.
You find the page on www.pej.se/user.
Personal data controller
Pej AB, reg.no. 559046-7873, is personal data controller for all our subcontractors and we are thus the party that decides for what purposes the personal data shall be processed and how the processing shall be performed.
The merchant with whom you place an order is a personal data controller in addition to Pej. The merchant’s processing of personal data is governed by their own policy.
Data protection officer
We ensure that the personal data we store about you is always protected and that our processing always comply with applicable data protections regulations, internal guidelines and routines. We have appointed a data protection officer who monitors our compliance with these rules.
Amendments to the policy
We may update this policy. Changes and updates will be published on Pej’s website. This policy supersedes any previously issued policy.
Please contact us if you have ideas, thoughts or opinions regarding this policy. Together, we can likely make it even better.
Personal data controller
Name: Pej AB
Email address: email@example.com
Phone: +46 (0)10 188 00 40
Address: Pej, Stora Varvsgatan 6A, Malmö (Sweden)
Data protection officer
Email address: firstname.lastname@example.org
Phone: +46 (0)10 188 00 47
Contact details for the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten)
Email address: email@example.com
Phone: +46 8-657 61 00