Privacy Policy

Float Finance AB
Effective date: 2026-06-05 Org. no. 559167-3537

This policy covers Float Finance AB's credit products. For our business account service, see the Float Lending AB Privacy Policy.

01·Who we are

Float Finance AB, org. no. 559167-3537 ("we", "us", "our") provides business credit products. Credit applications are submitted through the platform operated and owned by Float Lending AB (the "Platform").

We are registered with the Swedish Financial Supervisory Authority (Finansinspektionen) as a provider of other financial activities under the Act on Currency Exchange and Other Financial Activities (1996:1006), registration date 25 February 2019.

We are the data controller for the processing described in this policy.

Group structure note: Float Finance AB and Float Lending AB are part of the same corporate group. Float Finance AB acts as data controller and Float Lending AB as data processor under a Data Processing Agreement (DPA) for certain processing activities relating to credit assessment, AML and Platform provider.

02·What we collect and why

The table below sets out the personal data we process, the purpose for which we process it, and the legal basis we rely on under the GDPR.

PurposeData collectedExamplesLegal basis
Credit management
Managing and pay-out of your business credit facility
Identity & contact
Name, personal/org. ID, address, email, phone of representatives and beneficial owners

Financial data
Accounting records, bank account records and subscription billing records required for credit assessment
Credit application
Bank statements
Director details
Performance of a contract
Art. 6(1)(b) GDPR
Customer due diligence (AML/KYC)
For our credit services
Identity verification
ID verification through Bank-ID or equivalent, UBO data, business nature and purpose

Transaction monitoring
Data used to detect suspicious transactions

Sanctions & PEP screening
Sanctions, PEP and adverse-media screening data obtained from third-party screening providers

Credit reference data
Reports obtained from credit reference agencies
ID verification through Bank-ID or equivalent system or ID copy
Sanctions screening reports
Legal obligation
Art. 6(1)(c) GDPR, Ch. 3 § 4, 7-8, 9-12 Anti-Money Laundering Act (2017:630)

Legal obligation
Art. 6(1)(c) GDPR, Ch. 4 § 1 Anti-Money Laundering Act (2017:630)
Credit application processing via the Platform Technical data
Data submitted during the application flow on the Platform
Application form data
Submitted documents
Performance of a contract
Art. 6(1)(b) GDPR
Platform access
Providing access to the Platform where you access information about pay-outs, interest payments etc
Login credentials
E mail and Bank-ID verification
Bank-ID verification Performance of a contract
Art. 6(1)(b) GDPR
Information about product updates Contact details
Email address, name, phone number
Product updates
New credit features
Legitimate interests
Art. 6(1)(f) GDPR
Ongoing credit monitoring
Monitoring creditworthiness and risk exposure during the credit relationship
Bank transaction data
Transaction data and account balance information from the your bank accounts, collected at the start of the credit relationship (up to 36 months historical data) and on an ongoing basis during the credit relationship
Open banking feeds
Account statements
Performance of a contract
Art. 6(1)(b) GDPR

03·Where we get your data

Most personal data comes directly from you, when you submit a credit application or communicate with us.

Where a company applies for a business credit product through the Platform, Float Lending AB shares the personal data relevant to the credit application with us. This includes identity and contact data, company information, financial information and other data submitted as part of the application flow (including through connections to your accounting system and/or bank account). Float Lending AB's sharing of this data is described in the Float Lending AB Privacy Policy (available on www.floatfinance.com).

Credit reference agencies

To assess creditworthiness before granting credit, we obtain information from credit reference agencies.

Providers: Creditsafe

Data obtained: Credit rating, payment defaults, income data, and other financial information relating to the company's authorised signatories and beneficial owners.

Connected accounting systems

Where you choose to connect an accounting system through the Platform, we obtain financial data from that system to generate key performance indicators. The data obtained may include revenue, costs, account balances, and transaction categorisation.

Connected bank accounts (open banking)

As part of the credit assessment and ongoing credit monitoring, we collect transaction data and account balance information directly from your bank accounts via open banking. This collection occurs at the start of the credit relationship, covering up to 36 months of historical data, and on an ongoing basis during the credit relationship. Where technically possible, collection is automated via the open banking standard.

Publicly available sources and official registers

To verify information about your company and its representatives.

Sources: Bolagsverket (Swedish Companies Registration Office), Skatteverket (Swedish Tax Agency)

Data obtained: Authorised signatories, board members, and beneficial ownership information.

04·How long we keep it

We keep your personal data only for as long as necessary for the purpose it was collected, or as required by law.

AML/KYC records

Kept for 5 years after the business relationship ends (Ch. 5 § 3, Anti-Money Laundering Act 2017:630). May be extended to 10 years in certain circumstances (Ch. 5 § 4).

Contractual data

Kept for the duration of the credit relationship and thereafter for the period needed to handle complaints or legal claims, typically up to 10 years under the Limitations Act (Preskriptionslagen).

Consent-based data

Kept until you withdraw your consent (Art. 7 GDPR). Withdrawal does not affect anything processed before that point.

Accounting records

Data that constitutes accounting records must be retained for 7 years following the end of the calendar year in which the financial year to which the records relate was completed (Ch. 7 § 2, Swedish Bookkeeping Act, Bokföringslagen 2004:125).

05·Who we share with

We only share your personal data where necessary and lawful. We never sell your data. The categories of recipients are:

Service providers (data processors)

Third-party vendors who help us operate the Platform and our services. They act on our instructions and may not use your data for their own purposes (Art. 28 GDPR). Categories include:

  • Cloud infrastructure and storage providers
  • IT and platform infrastructure providers
  • KYC/identity verification service providers

Funders and financing partners

We may share financial and credit-related data about you with our funders and financing partners to the extent necessary to secure and administer the financing of credit facilities. Such recipients are bound by confidentiality obligations and may not use the data for their own purposes beyond what is necessary for the financing arrangement.

Regulatory authorities

We may be required to share data with relevant authorities where required by law.

06·International data transfers

We prioritise EU/EEA-based service providers and strive to keep all processing within the EU/EEA. In certain cases, a transfer to a country outside the EU/EEA may be necessary, for example where a best-in-class provider operates outside the EEA. In all such cases, we ensure that adequate safeguards are in place in accordance with Chapter V GDPR before the transfer takes place. We do this through one or more of the following mechanisms:

  • An adequacy decision by the European Commission recognising the destination country as providing an equivalent level of data protection.
  • Standard Contractual Clauses (SCCs) in the form approved by the European Commission, entered into with the recipient (Art. 46(2)(c) GDPR).
  • Another appropriate safeguard under Art. 46 GDPR, such as Binding Corporate Rules (BCRs), where applicable.

We continuously monitor developments in EU data protection law and update our transfer mechanisms accordingly.

07·Your rights

Under the GDPR, you have the following rights. To exercise any of them, please contact us using the details in Section 08.

Right of access

You may request confirmation of whether we process your personal data and receive a copy of that data (Art. 15 GDPR).

Right to rectification

You may request that we correct any inaccurate personal data we hold about you (Art. 16 GDPR).

Right to erasure

In certain circumstances, you may request that we delete your personal data, for example, where it is no longer needed for the purpose it was collected, or where you withdraw your consent (Art. 17 GDPR).

Right to object

You may object to processing that is based on our legitimate interests (Art. 21 GDPR).

Right to restriction

In certain circumstances, you may request that we restrict our processing of your data (Art. 18 GDPR).

Right to data portability

You may request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format (Art. 20 GDPR).

Right to withdraw consent

Where processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

Right to lodge a complaint

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

08·Contact us

Data Controller Float Finance AB
Nybrogatan 55
114 40, Stockholm
Sweden

privacy@floatfinance.com
External Data Protection Officer Kertos GmbH
Brienner Str. 41, 80333 Munich
Data Protection Officer: Dr. Kilian Schmidt
dsb@kertos.io
+49 151 525 797 93

This policy may be updated from time to time. We will publish any changes at www.floatfinance.com. The current version is always available on www.floatfinance.com.