Privacy notice

When you use Lysa’s services or otherwise come into contact with us for various reasons, we will process certain personal data about you. Lysa takes great care to protect your privacy. The following describes how we process personal data and what rights you have.

When visiting our website, we can also process certain personal data via cookies after your consent (read more about how we work with cookies here).

We would also like to emphasize that data Lysa has about you as a customer is protected by secrecy in accordance with Chapter 1, Section 11 of the Swedish Securities Market Act (2007:528). This means that Lysa may not disclose this information without authorisation.

Personal data processing when you / your company registers to receive investment proposals and becomes a customer of Lysa

What personal data processing do we perform and for what purpose?

We process information you provide to us when you, or the company you represent, sign up to become a customer and to receive an investment proposal. For corporate customers, we also process information concerning (i) the beneficial owner (Sw. verklig huvudman) (name, social security number, citizenship, tax domicile and ownership) and (ii) the corporate account user (name and contact information, information about person in a politically exposed position, “PEP”). We mainly collect personal data directly from the data subject, but we sometimes receive information about the data subject that does not come directly from the data subject, e.g. (i) if the representative who on behalf of the company enters into the agreement with Lysa states someone other than himself/herself as corporate account user or signatory, (ii) company information and information about beneficial owners that we collect from the Swedish Companies Registration Office (via Checkbiz AB), and (iii) your name and social security number/TIN-number from BankID (Swedish customers) and Nets (Danish and Finnish customers).

Automated decision making and profiling. When you apply to become a customer, an automated decision is made to decide whether we can approve you as a customer. The automated decision consists of your name being automatically searched in sanction lists that we must apply by law. If your name is not in such sanction lists you will be able to become a customer with us. Furthermore, we use automated processing, including profiling, when we prepare an investment proposal for you. The profiling is based on the information you provide to us in connection with the preparation of an investment proposal: financial situation, risk tolerance, knowledge and experience and investment horizon. The decision results in what we recommend for you with regard to the distribution between equity funds and interest funds in your portfolio; the decision may mean that we do not recommend a portfolio for you at Lysa. You can always contact our customer support if you want to have our automatic decision reviewed by a real person, contest such a decision or otherwise want to discuss the decision with us.

Personal data processing in connection with you or your company becoming a customer takes place for the purpose of:

  • performing a suitability assessment, ensuring know your customer (KYC) and performing controls against sanction lists, in order to fulfill our legal obligations and be able to provide an investment proposal to enter into an agreement with you, or the company you represent, about our services;
  • email address is processed to verify you as a customer and to be able to send you information about your savings and important events where we must reach you; we will also log information if you have received our information (in some cases we process your contact details to send marketing emails and other commercial emails and to nurture our customer relationship, see more in the section “Personal data processing in marketing, customer contacts and events”);
  • if you have become a customer via an affiliate link connected to our affiliate network, we will also assign you an order number and process certain information about which affiliate you became a customer via, so that compensation can be issued to the affiliate who contributed to you becoming a customer with us.

What is the legal basis for our processing?

The processing is necessary to fulfill the agreement that we enter into with you as a private person, or our legitimate interest in fulfilling the agreement with the corporate customer you represent. Where applicable, the processing takes place in order to fulfill the legal requirements imposed on us by law (e.g. applicable money laundering legislation and securities market legislation). Processing of your contact details is based on our legitimate interest in nurturing our customer relationship with you and takes place provided that you have not declined such emails. A unique order number is generated and processed with the support of our legitimate interest in being able to pay compensation to the affiliate who recruited you as a customer. Certain data is processed with the support of our legitimate interest in creating statistics for analytical purposes in order to improve our services.

How long do we store the personal data?

We do not store personal data longer than necessary with regard to the purpose of the processing. If you have started the process to become a customer but have not completed your registration, your information will be deleted or anonymised after 30 days. If you have completed the signup and become a customer, the personal data will be processed during the time you are a customer with us or - if you are a representative - during the time you are a representative, unless we need to process it longer to fulfill our purpose, or during the time we are obligated to store the information according to law as set out below.

  • Information related to KYC (e.g. transactions, payers and recipients), 5 years according to the Act on Measures against Money Laundering and Terrorist Financing.
  • Information linked to completed suitability assessment, selected distribution, customer agreement, fee history and transaction history, 5 years in accordance with the Swedish Financial Supervisory Authority's regulations on securities operations.
  • Information for tax reporting (e.g. value of account at the beginning of the quarter and CRS information), 5 years according to the Swedish Tax Procedure Act; the email address will be deleted 3 months after tax reporting has been fulfilled.

To provide security and continuity in our services, we create backup copies of our systems, which we can keep longer than the original storage time but a maximum of 360 days. Notification emails within the service and logs of such emails sent within our services are deleted when you cease to be a customer.

Processing of personal data when using Lysa's website and services

What personal data processing do we perform and for what purpose?

We collect personal information when you use Lysa's services, e.g. when you log in, open accounts, make deposits / withdrawals or monthly savings, make changes in investment orientation, etc. The information concerns, for example: (i) name and contact information, (ii) IP address, (iii) the content of your savings with us, (iv) account name/number, and (v) information provided during KYC, suitability assessment and investment proposals. We also process information about when and how (e.g. time, IP address, operating system) you log in and interact with Lysa's website and services, and your chosen settings.

Personal data processing in connection with you or your company becoming a customer takes place for the purpose of:

  • providing you with our services, and being able to send you information about your savings and important events where we need to reach you,
  • ensuring customer knowledge (KYC), and being able to report CRS-data and tax declaration reporting,
  • carrying out a suitability assessment to be able to offer investment proposals,
  • preventing abuse of our services and being able to troubleshoot our services,
  • processing data to analyze and improve our services and adapt the user-friendliness.

Automated decision making and profiling. When you are a customer, you can open several accounts and receive several investment proposals from us. We use automated processing, including profiling, when we prepare an investment proposal for you. The profiling is based on the information you provide to us in connection with the preparation of an investment proposal: financial situation, risk tolerance, knowledge and experience and investment horizon. The decision results in what we recommend for you with regard to the distribution between equity funds and interest funds in your portfolio; the decision may mean that we do not recommend a portfolio for you at Lysa. You can always contact our customer support if you want to have our automatic decision reviewed by a real person, contest such a decision or otherwise want to discuss the decision with us.

In addition to the information you provide in connection with the above, we also collect name and social security number from BankID when you log in or submit approvals in logged-in mode (Swedish customers) and name and TIN-number from Nets when Danish and Finnish customers log in to Lysa. When you make deposits via Bankgiro, we collect name and address from Bankgirocentralen (Swedish customers); from Klarna we receive information about your name and account number / bank (and also when you make withdrawals - both Swedish and Finnish customers); and information about your telephone number is collected from the payment method Swish. If you make a deposit to your Lysa account number, or use SEPA Direct Debit as deposit method (Finnish customers), we collect your name and address from your bank. In connection with an ISK transfer from Lysa (Swedish customers), we receive information about your account number at your other institution from that institution. For corporate customers, Lysa processes personal data about the beneficial owner (name and email address), signatory (name and email) and the natural person (name, social security number and citizenship) who is stated as insured when opening endowment insurance; this data may concern a person other than the person who provides the information, e.g. if the person who creates the Lysa account states someone other than him/herself. We may also collect information from the customer's bank in order to follow up on suspicious hits in our transaction monitoring.

What is the legal basis for our processing?

The processing is necessary to fulfill the agreement that we enter into with you as a private person, or our legitimate interest in fulfilling the agreement with the corporate customer you represent. Where applicable, the processing takes place in order to fulfill legal obligations imposed on us (e.g. applicable money laundering legislation and securities market legislation). Processing of your email address takes place partly due to a legal obligation to inform about withdrawals and certain other information, and partly based on our legitimate interest in nurturing our customer relationship with you, and takes place provided that you have not declined such emails. Information is also processed based on our legitimate interest in preventing misuse of our services, troubleshooting our services and processing data to analyze and improve our services and adapt the user-friendliness.

How long do we store the personal data?

We do not store personal data longer than necessary with regard to the purpose of the processing. The personal data will be processed during the time you are a customer with us, or - if you are a representative - during the time you are a representative, unless we need to process it longer to fulfill our mentioned purpose, or we are obligated to store the information according to law as set out below.

  • Transaction and fee history, 7 years according to accounting legislation.
  • Information related to KYC (e.g. transactions, payers and recipients), 5 years according to the Act on Measures against Money Laundering and Terrorist Financing.
  • Information linked to completed suitability assessment, selected distribution, customer agreement, fee history and transaction history, 5 years in accordance with the Swedish Financial Supervisory Authority's regulations on securities operations.
  • Information for tax reporting (e.g. value of account at the beginning of the quarter and CRS information), 5 years according to the Swedish Tax Procedure Act; the email address will be deleted 3 months after tax reporting has been fulfilled.

Inactive accounts are deleted after 12 months of inactivity and information about upcoming deletions is given. To provide security and continuity in our services, we create backup copies of our systems, which we can keep longer than the original storage time but a maximum of 360 days. IP addresses for visitors to our website who are not customers are deleted after 3 months.

Personal data processed in connection with our support organisation

What personal data processing do we perform and for what purpose?

We process personal data provided when potential customers, existing customers or their representatives (e.g. company representative, law guardian or administrator) contact our support organisation (e.g. via email, telephone or messages in logged-in mode), in order to provide them with support and. The personal data we process in this context may relate to contact information and identification information, authorization documentation, course of events or other circumstances or information that is relevant to the support assignment or that you provide to us. We document our communication with you, such as messages and telephone calls, partly for educational purposes and to improve our support services because it is important that our support is of high quality, and partly to document what information has been provided and collected. If we record a phone call, you will always be informed beforehand. Lysa can also have personnel who are co-listeners in support calls; this is done for educational purposes to improve and ensure Lysa's information provision within customer support.

What is the legal basis for our processing?

The processing within the support organisation is necessary for our legitimate interest to assist you in your relevant issues as well as to improve our support services and document our contacts. Certain information is processed when it is necessary to fulfill Lysa's legal obligations.

How long do we store the personal data?

If you are a customer or a representative of a customer the personal data is stored until you cease to be a customer or you cease to be a representative of the customer, unless the personal data needs to be saved longer due to legal requirements (e.g. money laundering legislation). If you are not a customer, the information will be deleted shortly after the support case has been finished, as long as the information does not need to be saved longer due to legal obligations.

Personal data processing in connection with marketing, customer contacts and events

What personal data processing do we perform and for what purpose?

We process email addresses that are provided to us in connection with you requesting an investment proposal on our website and signing up for newsletters and similar marketing mailings. We may also collect contact details from public sources. The processing is carried out in order to then be able to reach out to you with newsletters, marketing, contact you to nurture our relationship with you and invite you to events. General profiling. To adapt the emails to customers, a segmentation takes place by creating mailing lists where you as a customer are categorized e.g. according to savings, geographical area as well as any business engagements identified by processing your identification number to obtain information about business engagements. We will also log information if you have received our emails and if you have acted on its content (e.g. followed a link).

We process personal data provided when potential customers and existing customers are in contact with us, for the purpose of nurturing our relationship with the customer or the potential customer.

Personal data processing takes place in connection with registration for events so that we can send invitations to events as well as arrange and administer such events.

What is the legal basis for our processing?

The processing is necessary for our legitimate interest in marketing our services and maintaining good customer relations. If you object to receiving marketing or other contact we will discontinue such processing including the profiling. For our Danish customers, the email marketing is based on your consent to receive newsletters and other relevant marketing information about Lysa. If you withdraw your consent we will discontinue such processing including the profiling.

Personal data processing in connection with events is based on our legitimate interest in our events and to arrange and administer such events.

How long do we store the data?

We will cease the processing, including your profiling, if you decline marketing and commercial emails (you can do this in logged-in mode on Lysa's website, as well as in the respective marketing mailing), or you cease to be a customer. Logs of emails will be deleted when you cease to be a customer with us. For potential customers, we will cease if you decline further contact, or after 6 months if we have not in the meantime been in contact with you in some way or otherwise had reason to assume that your interest in becoming a customer with us remains.

Personal data related to a specific event, e.g. food preferences, are saved and deleted after the relevant event. We will save contact details to invite you to further events as long as our relationship with you (e.g. as a partner) continues.

Personal data processing in connection with customer surveys / user tests / feedback

What personal data processing do we perform and for what purpose?

We process email addresses that are provided to us in connection with you registering to become a customer to invite you to customer surveys, user tests or to provide feedback. We process personal data when we invite you to provide feedback and to participate in customer surveys/user tests, and when carrying these out, in order to evaluate, develop and improve our services. If we make audio recordings of a user test, it is for the purpose of documenting the content of the interview, and you will always be informed about it beforehand. Potential notes from user tests are anonymised after the test. We may make video recordings where you are visible in order to capture your reactions during the tests, in which case you will be informed and consent to this separately. In customer surveys, the survey is performed by the company Surveymonkey, which is a personal data processor of Lysa, and the information provided by customers is anonymised.

What is the legal basis for our processing?

The processing is necessary for our legitimate interest in evaluating, developing and improving our services.

How long do we store the data?

After the collection of information and no later than within 3 months, we will (to create anonymous statistics) anonymize the information you provide during customer surveys and feedback, and then delete any recording / email with your answers and personal information. In surveys conducted by our partner, we will never access personal information about you; the partner's information is anonymized and the IP address of the respondent will be deleted no later than after 13 months.

Personal data processing in Lysa’s social media

What personal data processing do we perform and for what purpose?

We use pages on social media, e.g. Lysa Community on Facebook, our Twitter and Instagram as well as our LinkedIn page, which are provided by third parties (Facebook and Microsoft), for the purpose of communicating with customers / potential customers and marketing. If you interact with our social media we will receive and process personal information about you. The companies that provide the platforms will also process this information about you for their own purposes. For questions about how they process your information or how you exercise your rights towards them, please see their Privacy Notices.

What is the legal basis for our processing?

The processing takes place with the support of our legitimate interest in communicating with customers and marketing.

How long do we store the data?

Reactions, interactions and comments you give us will be processed until you remove them.

Personal data processing in the event of a complaint or whistleblowing

What personal data processing do we perform and for what purpose?

We process the information you provide to us in the event that you have a complaint about our services or report a violation to our whistleblower function in order to handle your case.

What is the legal basis for our processing?

The processing is necessary to fulfill Lysa's legal obligations.

How long do we store the data?

Personal data related to complaints where the complainant's request has not been approved is archived for 10 years; other complaints are archived for 5 years. Personal data that is processed within a whistleblower case will be deleted no later than 2 years after the case has been closed.

Personal data processing affiliates, representative suppliers / affiliates and other partners

What personal data processing do we perform and for what purpose?

We collect and process the personal information provided to us in connection with inquiries or discussions with affiliates, suppliers and other partners, such as names and contact details of representatives, in order to administer the relationship with the supplier, affiliate or partner. Contact details can also be processed for the purpose of inviting to upcoming events (see more in the section on personal data processing at events).

In the event that you are an affiliate in Lysa's affiliate network via a network partner, we will receive information about your name, address, social security number, email address and web address from our network partner in order to be able to accept you into the affiliate network.

What is the legal basis for our processing?

Lysa processes the personal data on the basis of the following grounds: (a) if the contractual relationship is directly with the affiliate or supplier / third party as a private person - to enter into the agreement and fulfill Lysa's obligations under the agreement, (b) if the contractual relationship is with the affiliate or supplier / third party as a legal entity - our legal interest in administering the relationship with the affiliate / supplier and fulfilling our contractual obligations with such party and (c) if the affiliate is an affiliate of Lysa's network partner - on our legitimate interest in administering the relationship with the affiliate. Contact information that is processed for the purpose of inviting to events is processed based on our legitimate interest in our events and to arrange and administer such events.

How long do we store the data?

Personal data that we process in our relationships with suppliers, affiliates and other external parties is stored during the term of the relevant agreement, as long as the person is a representative of the supplier / partner or as long as required by law.

How do we protect your personal data and who has access to the personal data we process?

We have taken appropriate technical and organizational security measures to protect the personal data we process against e.g. loss and unauthorized access. Appropriate security measures that we have taken include the implementation of physical security and protection of data communication (such as personal login, two-factor authentication, encrypted network connections and communications). We regularly review our security policies and processes to ensure that our systems are secure and protected.

Service providers and data processors

Hosting, storing and workspace/email services

Amazon Web Services EMEA SARL, Google Cloud EMEA Limited. We use service providers that provide hosting, storage and workspace services and thus contain personal data. The providers of hosting and storing services do not have access to the personal data and cannot use it or distribute it, they only own and maintain the servers. The Google and Amazon companies that Lysa has agreements with are within the EU / EEA with storage in the EU. Some of Google’s subcontractors that may be required to perform the services are located in the US and also in some other third countries. Transfers from Google to their subcontractors are subject to appropriate safeguards, for example in the form of an adequacy decision or the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know more about, for example, security measures taken.

Cloudflare Inc. We use Cloudflare's service Pages to distribute Lysa's website. When visiting Lysa's website, Cloudflare receives the visitor's IP address. Cloudflare temporarily stores the information on servers within the EU but may also store outside the EU. The transfer is subject to appropriate safeguards, for example in the form of the European Commission's standard contract clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know more about, for example, security measures taken.

Communication services, support and marketing

Mailchimp (Rocket Science Group). We use services from the service provider to send emails to you. The company is located in the United States. Transfers to the United States are subject to appropriate safeguards in the form of the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Trustpilot. When you use the opportunity to leave a review about Lysa on Trustpilot, Lysa will share information about your name and e-mail address to Trustpilot A/S.

Wx3 Telecom AB and Twilio Ireland Limited. To be able to more easily handle support matters that come in by telephone, we use telephony services from the suppliers Wx3 Telefoni AB and Twilio. Twilio stores customers' personal data during calls within the EU, however, it may be that certain specific data needs to be processed in the USA or by some personal data processor in the USA. Transfers to the United States are subject to appropriate safeguards in the form of Binding Corporate Rules as well as the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Elevio. Lysa uses a widget for FAQ from the Australian company Elevio on our website. Elevio uses subcontractors who host Elevio’s infrastructure in the United States. The transfers to Elevio as an Australian company take place with the support of the European Commission's issuance of adequacy decisions against Australia, meaning that personal data is protected in the country in the same way as within the EU. Elevio's transfers to the United States are subject to appropriate safeguards in the form of the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Statistics, customer surveys

Google. To measure how you use our services, we use Google Analytics, see our Cookie Policy. However, the information is anonymised and aggregated, and can therefore not be linked to you personally.

Surveymonkey. For some customer surveys the survey is performed by Surveymonkey, who is Lysa's personal data processor for that processing, however, your answers are anonymised.

Whistleblowing

CRD Protection AB. Lysa uses an external whistleblower function provided by CRD Protection AB as a personal data processor of Lysa. Personal data may be processed by CRD Protection AB if you choose not to be anonymous.

Third parties

When your personal data is shared with a party who is independently responsible for personal data, that organization's privacy policy and personal data management apply.

Partners in insurance brokerage, affiliate networks and savings accounts

Futur Pension Försäkringsaktiebolag. In connection with insurance mediation for Swedish corporate customers, Lysa collaborates with Futur Pension Försäkringsaktiebolag to offer customers the option of taking out company-owned endowment insurance. In the case of subscriptions, personal information that you provide is thus shared with Futur.

Affiliate network. If you become a customer via an adlink from one of our affiliates, we will share information about you as a customer and the affiliate with our partners for our affiliate networks, so that they can pay compensation to the relevant affiliate.

Savings account cooperation with banks and institutions. In connection with the provision of Lysa's savings account solution, Lysa cooperates from time to time with certain banks and institutions. Where applicable, certain personal data about the customer and its transactions may need to be shared with the partner.

Deposits and withdrawals to/from Lysa

Bankgirocentralen (BGC). We share information about Swedish customers' social security number and account number when the customer sets up a direct debit (Sw. autogiro), if the direct debit is linked to a private account.

MobilePay. For Danish customers, we share the customer's social security number and phone number with MobilePay at the customer's deposit.

Danske Bank and customer bank. If you as a customer request a withdrawal, we notify Danske Bank of the recipient account number and for non-Swedish customers we also notify of the name of the owner of the recipient account. For customers in euro countries who make deposits via direct debit, we send information to Danske Bank about autogiro consent. We share information with Danske Bank and/or the customer's bank on request for AML reasons.

Other third parties

Authorities. Lysa may disclose information about you to the Financial Supervisory Authority, the Police, the Tax Agency, the Enforcement Agency and other applicable authorities either in accordance with the agreements that Lysa has entered into with you, or if Lysa is obliged to do so in accordance with applicable law, regulation or authority decision.

Representatives, proxies. Lysa may (if applicable) share information about the customer's Lysa account (e.g. balance and account number) with the customer's law guardian or administrator, estate owner, bankruptcy estate etc.

Shared account. When you choose to grant other Lysa customers access to information about your Lysa account, you choose which recipients you want to be able to see e.g. portfolio composition, development and transaction history on the Lysa account you share. For more information about which information about you and your Lysa account that is shared, see the terms and conditions for the Proxy - Power to access information. If you accept a request to access information about another person’s Lysa account, your name and birth date will be shared with the person who made the request.

Your rights

As a data subject, you are entitled to exercise the following rights in relation to our processing of your personal data.

The right of access. You have the right to have access to your personal data (including copies thereof) and certain information regarding the processing of the data.

The right to rectification. You have the right to have inaccurate data rectified and incomplete data completed. If you are a customer you can make such adjustments on your own when signed in to Lysa’s website.

The right to erasure. Under certain circumstances, you have the right to have your personal data erased (“the right to be forgotten”). When your personal data is needed for Lysa to be able to fulfill the purposes for which it was collected, is required to fulfill a legal obligation or is required to be able to establish, assert or defend legal claims, Lysa has no possibility to delete the data. Here you can read more about when you have the opportunity to exercise the right to be deleted.

Also note that data may be retained in our backups. Complete backups are taken daily and deleted automatically 360 days after they are taken.

The right to restriction of processing. You have the right to have the processing of your personal data restricted in case:

  • you do not think the personal data is correct,
  • the processing of personal data is illegal, but you do not want it to be deleted,
  • Lysa no longer needs the personal data for the purposes of the processing - but you need the data to be saved to make a valid legal claim,
  • you have objected to the processing based on a balance of interests or that the processing is necessary in the public interest, and are waiting for Lysa's reasons for the processing to be controlled.

The right to data portability. If the processing of your personal data is based on consent or agreement with you and takes place automatically, you have the right to obtain your personal data (and, if technically possible, have it transferred to another personal data controller) in a structured, commonly used and machine-readable format.

Right to object. You have the right to object at any time to the processing of personal data concerning you that is based on Lysa's legitimate interest (balancing of interests), including profiling based on our legitimate interest. You can also opt out of electronic direct mail in logged-in mode on Lysa's website.

You can always contact our data protection officer (DPO) at dpo@lysa.se or call 08-525 035 70 to make a request according to the above. If you are a customer, however, we prefer that you make your requests via message to us in logged-in mode. This makes it easy to ensure that we have contact with the right person and that e.g. information is sent to the right person.

You may also complain about Lysa's processing to the supervisory authority the Swedish Authority for Privacy Protection. You will find contact details to the Authority for Privacy Protection here: https://www.imy.se/other-lang/in-english/about-us/contact-us/.

Contact details to Data Protection Officer

Email: dpo@lysa.se

Lysa AB, reg. no 559028-0821
Email: kontakt@lysa.se
Phone: 010 551 32 30
Address: Löjtnantsgatan 21, 115 50 Stockholm

Amendment of this information about personal data processing

Lysa may amend this privacy notice as necessary. You will be informed about any changes affecting the processing of your personal data.