Sparly logo

Privacy policy

Last update: 3 October 2022

Why and for whom?
Why and for whom?

At Sparly AB org. no. (559249-7589) ('Sparly', 'we', 'us', 'ours') we care about personal integrity. This means that we respect and safeguard your privacy and the right to control and transparency in the Processing of your Personal Data.

Sparly is responsible for Personal Data according to the Processing of Personal Data listed in this Privacy Policy(the 'Policy'). The Policy describes for what purposes we need your Personal Data, what lawful basis we rely on and what measures we take to protect Personal Data. We also provide information on how you exercise the rights you have related to our Processing of your Personal Data.

The policy informs you about our handling of Personal Data in cases where you communicate with us, use the mobile application “Sparly”, or visit our website sparly.co.

This policy is aimed at:

Users of the Service (“Users”, “you”)
Visitors to our website (“Visitors”, “you”)

Definitions
Definitions

"Applicable law" means the legislation applicable to the Processing of Personal Data, including the Data Protection Regulation (GDPR), supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or European supervisory authority.

"Data subject" means a living, natural person whose Personal Data is processed.

"Personal Data" is all kinds of information that can be linked to an identifiable, living person.

"Personal Data Controller" is the company/organization that decides for what purposes and in what way the Personal Data should be processed and thus is also responsible for the Personal Data being processed in accordance with Applicable Law.

"Personal Data Processor" is the company / organization that processes Personal Data on behalf of the Personal Data Controller and may thus only Process the Personal Data in accordance with the Personal Data Controller's instructions and applicable legislation.

"Processing" of Personal Data is anything that can be done with Personal Data, e.g. storage, modification, reading, handover, etc.

Sparly's personal data responsibility
Sparly's personal data responsibility

The information in this Policy includes the Processing of Personal Data that Sparly is responsible for as Personal Data Controller, i.e., the processes for which we determine the purpose of (why a Processing is done) and means for (in what way, what Personal Data, how long, etc.).

We provide the mobile application “Sparly”, which is a hub with courses and challenges about personal finance and sustainable living (as described in Sparly's General Terms and Conditions). To provide our services, we need access to your Personal Data.

Sparly's Processing of Personal Data
Sparly's Processing of Personal Data

We have a responsibility to describe and show how we live up to the requirements placed on us when we process your Personal Data. This section aims to provide information regarding:

  • Why the Processing of Personal Data is necessary in relation to the purpose
  • What lawful basis have we identified for the Processing.

Lawsuit basis
Lawsuit basis

Agreement - The Processing is necessary to be able to fulfill obligations in an agreement between us and the Data subject or to prepare to enter into an agreement with the Data subject. We may not provide the Service without access to the Personal Data processed under this lawful basis.

Legitimate interest - several of the purposes for which we process Personal Data are based on our legitimate interests, which we state in more detail below in connection with the specific purposes. We have struck a balance of interests between, on the one hand, our legitimate interests, and on the other hand, the interests and rights of our Users and Visitors, and concluded that our legitimate interests could be exercised without constituting a disproportionate infringement on the privacy of our Users and Visitors. To find out more about how we have reasoned, contact us via the information given further down in the Policy.

Legal obligations - we may have legal obligations to process Personal Data, such as in orders from law enforcement agencies, or if more Personal Data needs to be collected in order for us to fulfill requests for the exercise of rights under the GDPR.

How long do we store your personal data?
How long do we store your personal data?

We store your Personal Data for as long as is necessary for the purpose for which it was collected. Depending on the lawful basis on which we base the Processing, this may a) follow from an agreement, b) be dependent on a valid consent, c) appear in legislation or d) follow from an internal assessment based on the purposes of the Processing.

Processing
Processing

We will primarily use your Personal Data to be able to provide the Service and continuously improve it. To fulfill this, we will process Personal Data for the purposes described below.

1.1. Service/Product: Registration and login
1.2. Purpose: To secure your identity, authorizing you to log in and to block service for consumers below the age of 18. We don’t store your Social Security Number, only access it in a “read-only” mode.
1.3 Personal Data: Social Security number, email
1.4 Lawful basis: In order to fulfill our contractual commitments to you.

2.1. Service/Product: Sparly Challenges
2.1. Purpose: To provide the Service in accordance with the Terms of Use between Sparly and you.
2.3 Personal Data: bank account information, including payment transactions.
2.4 Lawful basis: In order to fulfill our contractual commitments to you.

3.1 Service/Product: Sparly Rewards
3.2. Purpose: If Data subject takes part in an offer or reward from Sparly or one of our partners, Sparly can confirm to the Partner that Data subject is Sparly's customer through an anonymized unique link. Sparly will send digital gift cards via email and physical gift cards to Data subject’s postal address.
3.3 Personal Data: Email, name, postal address
3.4 Lawful basis: In order to fulfill our contractual commitments to you.

4.1. Service/Product: Newsletter and other advertising
4.2. Purpose: To market, send newsletters and streamline marketing of Sparly to Data subject and others.
4.3. Personal Data: Email
4.4. Lawful basis: In order to satisfy our legitimate interest in improving our marketing and making marketing more relevant to you.

5.1 Service/Product: Customer contact
5.2. Purpose: To handle customer communication, user research
5.3 Personal data: Email
5.4 Lawful basis: In order to fulfill our contractual commitments to you.

6.1 Service/Product: All personal data processed by Sparly
6.2. Purpose: Fulfillment of legal obligations and taking care of our own legal interests.
6.3 Personal data: All personal data processed by Sparly
6.4 Lawful basis: In order to comply with applicable laws and to meet our legitimate interests, to defend our legal interests, to protect our service, our users, third parties, and observe our rights.

7.1 Service/Product: All personal data processed by Sparly
7.2. Purpose: To develop new products and to improve our services, such as improvement of our decision models, testing, research and process optimization.
7.3 Personal data: All personal data processed by Sparly
7.4 Lawful basis: In order to satisfy our legitimate interest in developing and improving our products and services.

Source
Source

The email address, name and postal address come directly from the Data subject. Other Personal Data come from third-party providers such as Tink AB, Criipto ApS with the approval of the Data subject.

Period of storage: We store your information for as long as necessary to fulfill the purposes of this Privacy Policy, agreements and legal and regulatory requirements.

You can delete all of your data, including Personal Data, at any given time in the app by navigating to the Settings tab and choosing “Delete account”. It is not enough for you to delete your mobile application from your phone in order to delete all your data, as this does not delete your Sparly account. All Personal Data is automatically deleted if you have been inactive for 12 months. If we are required to retain your information by law or an agreement we have entered into with you, we will ensure that it is processed only for the specific purpose set out in the law or agreement; then, we will make sure that the data is deleted as soon as possible.

All Personal Data is automatically deleted if you have been inactive for 12 months.

Your rights
Your rights

You are the one who decides over your Personal Data. We always strive to ensure that you can exercise your rights as efficiently and smoothly as possible.

Access - You always have the right to receive information about the Personal Data Processing that concerns you. We only disclose information to you if we have been able to confirm your identity.

Correction - If you find that the Personal Data we are Processing for you is incorrect, please contact us and we will amend it. Information that is automatically retrieved from your bank accounts, such as expenses, can not be corrected.

Deletion - Do you want us to forget you completely? You have the right to request the deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected. If we are required to retain your information by law or an agreement we have entered into with you, we will ensure that it is processed only for the specific purpose set out in the law or agreement; then, we will make sure that the data is deleted as soon as possible.

Objection - Do you not agree with us that our interest in Processing your Personal Data outweighs your interest in protecting your privacy? In that case, we review our legitimate interests and check that it still holds. We, of course, consider your objection when we make a new assessment to evaluate whether we can still justify our Processing of your Personal Data. If you object to direct marketing, we will delete your Personal Data at once without reviewing our assessment.

Restriction - You may also ask us to limit our Processing of your Data:

  • While we are Processing a request from you for any of your other rights
  • In cases where we no longer need the data for the purpose for which it was collected; provided that you have no interest in us retaining the information in order to be able to assert a legal claim.

Data portability - We can give you the information you have provided or that we have received from you in connection with the conclusion of an agreement with you. You will receive your information in a commonly used and machine-readable format which you can then take with you to another Personal Data Controller.

Withdrawal of consent - If you have consented to one or more specific Processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thus ask us to terminate the Processing immediately. Please note that you can only revoke your consent for future Processing(s) of Personal Data and not for any Processing that has already taken place.

How you use your rights If you decide to revoke your consent, it does not affect the legality of our Processing of your Personal Data on the basis of the consent you have previously given and up to the time of revocation.

Transfer to personal data
Transfer to personal data

We may use third parties as Personal Data Processors for the handling of Personal Data. The Personal Data Processors will not share your Personal Data or use it in any way other than in accordance with the Privacy Policy.

We do not transfer your data outside the EU / EEA. In cases where our Personal Data Processors transfer Personal Data to a country outside the EU / EEA, we have ensured that the Processing is legal under applicable law by fulfilling one of the following requirements:

  • There is a decision from the European Commission that the country ensures an adequate level of protection;
  • Application of the European Commission's standard contractual clauses for third country transfers; or
  • Other appropriate protective measures that comply with applicable law.

We may also need to provide your Personal Data to certain designated authorities in order to fulfill obligations under law or government decisions.

Security
Security

Sparly has taken technical and organizational measures to ensure that your Personal Data is processed securely and that it is protected from loss, misuse and unauthorized access.

Our security measures

Our organizational security measures are outlined in our internal control documents (policies and instructions). Our technical security measures include:

  • Encryption of information. Amazon DocumentDB uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt data with encryption keys stored in the AWS Key Management Service (AWS KMS).
  • Data transfer between server and client. The HTTPS protocol is used for communication between servers and clients/ third-party tools to provide secure data transfer.
  • Data processing architecture. Sparly uses Amazon Web Services as a provider of infrastructure for data processing. All modules in the Sparly application (database, various backend modules, etc.) are protected by Amazon security means and aren't available from the outside.

Cookies
Cookies

Read our cookie policy for more information.

If we do not keep what we promise
If we do not keep what we promise

If you have any questions about our Processing of your Personal Data, you are welcome to contact us at: team@sparly.co

If you feel that we have processed your Personal Data incorrectly, even after you have notified us of this, you always have the right to submit your complaint to the Privacy Protection Authority. You can contact the Privacy Authority by emailing to imy@imy.se.

Changes to this policy
Changes to this policy

We reserve the right to make changes to this Policy. In the event that the change affects our obligations or your rights, we will inform you of the changes in advance so that you are given the opportunity to take a position on the updated Policy. If we adjust the Personal Data Processing based on your consent, we will obtain new consent.

The Privacy Policy was established on October 3, 2022. The latest updated version of the Privacy Policy is always available at link. If we update the purposes for Personal Data Processing or categories of Personal Data, you will receive information about this via email.

Contact
Contact

Sparly has appointed Jazgul Ismailova as a Data Protection Officer whom you can contact if you have questions regarding Personal Data and privacy by sending an email to: jazgul@sparly.co.