01·Who we are
Float Finance AB, org. no. 559167-3537 ("we", "us", "our") provides business credit products. Credit applications are submitted through the platform operated and owned by Float Lending AB (the "Platform").
We are registered with the Swedish Financial Supervisory Authority (Finansinspektionen) as a provider of other financial activities under the Act on Currency Exchange and Other Financial Activities (1996:1006), registration date 25 February 2019.
We are the data controller for the processing described in this policy.
Group structure note: Float Finance AB and Float Lending AB are part of the same corporate group. Float Finance AB acts as data controller and Float Lending AB as data processor under a Data Processing Agreement (DPA) for certain processing activities relating to credit assessment, AML and Platform provider.
02·What we collect and why
The table below sets out the personal data we process, the purpose for which we process it, and the legal basis we rely on under the GDPR.
| Purpose | Data collected | Examples | Legal basis |
|---|---|---|---|
| Credit management Managing and pay-out of your business credit facility |
Identity & contact Name, personal/org. ID, address, email, phone of representatives and beneficial owners Financial data Accounting records, bank account records and subscription billing records required for credit assessment |
Credit application Bank statements Director details |
Performance of a contract Art. 6(1)(b) GDPR |
| Customer due diligence (AML/KYC) For our credit services |
Identity verification ID verification through Bank-ID or equivalent, UBO data, business nature and purpose Transaction monitoring Data used to detect suspicious transactions Sanctions & PEP screening Sanctions, PEP and adverse-media screening data obtained from third-party screening providers Credit reference data Reports obtained from credit reference agencies |
ID verification through Bank-ID or equivalent system or ID copy Sanctions screening reports |
Legal obligation Art. 6(1)(c) GDPR, Ch. 3 § 4, 7-8, 9-12 Anti-Money Laundering Act (2017:630) Legal obligation Art. 6(1)(c) GDPR, Ch. 4 § 1 Anti-Money Laundering Act (2017:630) |
| Credit application processing via the Platform | Technical data Data submitted during the application flow on the Platform |
Application form data Submitted documents |
Performance of a contract Art. 6(1)(b) GDPR |
| Platform access Providing access to the Platform where you access information about pay-outs, interest payments etc |
Login credentials E mail and Bank-ID verification |
Bank-ID verification | Performance of a contract Art. 6(1)(b) GDPR |
| Information about product updates | Contact details Email address, name, phone number |
Product updates New credit features |
Legitimate interests Art. 6(1)(f) GDPR |
| Ongoing credit monitoring Monitoring creditworthiness and risk exposure during the credit relationship |
Bank transaction data Transaction data and account balance information from the your bank accounts, collected at the start of the credit relationship (up to 36 months historical data) and on an ongoing basis during the credit relationship |
Open banking feeds Account statements |
Performance of a contract Art. 6(1)(b) GDPR |
03·Where we get your data
Most personal data comes directly from you, when you submit a credit application or communicate with us.
Where a company applies for a business credit product through the Platform, Float Lending AB shares the personal data relevant to the credit application with us. This includes identity and contact data, company information, financial information and other data submitted as part of the application flow (including through connections to your accounting system and/or bank account). Float Lending AB's sharing of this data is described in the Float Lending AB Privacy Policy (available on www.floatfinance.com).
Credit reference agencies
To assess creditworthiness before granting credit, we obtain information from credit reference agencies.
Providers: Creditsafe
Data obtained: Credit rating, payment defaults, income data, and other financial information relating to the company's authorised signatories and beneficial owners.
Connected accounting systems
Where you choose to connect an accounting system through the Platform, we obtain financial data from that system to generate key performance indicators. The data obtained may include revenue, costs, account balances, and transaction categorisation.
Connected bank accounts (open banking)
As part of the credit assessment and ongoing credit monitoring, we collect transaction data and account balance information directly from your bank accounts via open banking. This collection occurs at the start of the credit relationship, covering up to 36 months of historical data, and on an ongoing basis during the credit relationship. Where technically possible, collection is automated via the open banking standard.
Publicly available sources and official registers
To verify information about your company and its representatives.
Sources: Bolagsverket (Swedish Companies Registration Office), Skatteverket (Swedish Tax Agency)
Data obtained: Authorised signatories, board members, and beneficial ownership information.
04·How long we keep it
We keep your personal data only for as long as necessary for the purpose it was collected, or as required by law.
AML/KYC records
Kept for 5 years after the business relationship ends (Ch. 5 § 3, Anti-Money Laundering Act 2017:630). May be extended to 10 years in certain circumstances (Ch. 5 § 4).
Contractual data
Kept for the duration of the credit relationship and thereafter for the period needed to handle complaints or legal claims, typically up to 10 years under the Limitations Act (Preskriptionslagen).
Consent-based data
Kept until you withdraw your consent (Art. 7 GDPR). Withdrawal does not affect anything processed before that point.
Accounting records
Data that constitutes accounting records must be retained for 7 years following the end of the calendar year in which the financial year to which the records relate was completed (Ch. 7 § 2, Swedish Bookkeeping Act, Bokföringslagen 2004:125).
05·Who we share with
We only share your personal data where necessary and lawful. We never sell your data. The categories of recipients are:
Service providers (data processors)
Third-party vendors who help us operate the Platform and our services. They act on our instructions and may not use your data for their own purposes (Art. 28 GDPR). Categories include:
- Cloud infrastructure and storage providers
- IT and platform infrastructure providers
- KYC/identity verification service providers
Funders and financing partners
We may share financial and credit-related data about you with our funders and financing partners to the extent necessary to secure and administer the financing of credit facilities. Such recipients are bound by confidentiality obligations and may not use the data for their own purposes beyond what is necessary for the financing arrangement.
Regulatory authorities
We may be required to share data with relevant authorities where required by law.
06·International data transfers
We prioritise EU/EEA-based service providers and strive to keep all processing within the EU/EEA. In certain cases, a transfer to a country outside the EU/EEA may be necessary, for example where a best-in-class provider operates outside the EEA. In all such cases, we ensure that adequate safeguards are in place in accordance with Chapter V GDPR before the transfer takes place. We do this through one or more of the following mechanisms:
- An adequacy decision by the European Commission recognising the destination country as providing an equivalent level of data protection.
- Standard Contractual Clauses (SCCs) in the form approved by the European Commission, entered into with the recipient (Art. 46(2)(c) GDPR).
- Another appropriate safeguard under Art. 46 GDPR, such as Binding Corporate Rules (BCRs), where applicable.
We continuously monitor developments in EU data protection law and update our transfer mechanisms accordingly.
07·Your rights
Under the GDPR, you have the following rights. To exercise any of them, please contact us using the details in Section 08.
Right of access
You may request confirmation of whether we process your personal data and receive a copy of that data (Art. 15 GDPR).
Right to rectification
You may request that we correct any inaccurate personal data we hold about you (Art. 16 GDPR).
Right to erasure
In certain circumstances, you may request that we delete your personal data, for example, where it is no longer needed for the purpose it was collected, or where you withdraw your consent (Art. 17 GDPR).
Right to object
You may object to processing that is based on our legitimate interests (Art. 21 GDPR).
Right to restriction
In certain circumstances, you may request that we restrict our processing of your data (Art. 18 GDPR).
Right to data portability
You may request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format (Art. 20 GDPR).
Right to withdraw consent
Where processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
Right to lodge a complaint
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
08·Contact us
|
Data Controller
Float Finance AB Nybrogatan 55 114 40, Stockholm Sweden privacy@floatfinance.com |
External Data Protection Officer
Kertos GmbH Brienner Str. 41, 80333 Munich Data Protection Officer: Dr. Kilian Schmidt dsb@kertos.io +49 151 525 797 93 |
This policy may be updated from time to time. We will publish any changes at www.floatfinance.com. The current version is always available on www.floatfinance.com.

