Privacy notice

When you use Lysa’s services or otherwise come into contact with us for various reasons, we will process certain personal data about you. Lysa takes great care to protect your privacy. The following describes how we process personal data and what rights you have.

When visiting our website, we can also process certain personal data via cookies after your consent (read more about how we work with cookies here).

We would also like to emphasize that data Lysa has about you as a customer is protected by secrecy in accordance with Chapter 1, Section 11 of the Securities Market Act (2007:528). This means that Lysa may not disclose this information without authorisation.

Personal data processing when you / your company registers to receive investment proposals and becomes a customer of Lysa

What personal data processing do we perform and for what purpose?

We process information you provide to us when you sign up to receive an investment proposal and when you, or the company you represent, become a customer. For corporate customers, we also process information concerning (i) the beneficial owner (Sw. verklig huvudman) (name, social security number, citizenship, tax domicile and ownership) and (ii) the corporate account user (name and contact information, information about a person in a politically exposed position, “PEP”). We mainly collect personal data directly from the data subject, but we sometimes receive information about the data subject from other sources, e.g. (i) if the representative who enters into the agreement with Lysa on behalf of the company states someone other than himself/herself as corporate account user or signatory, (ii) company information and information about beneficial owners that we collect from the Swedish Companies Registration Office (via Checkbiz AB), and (iii) your name and social security number/TIN number from BankID (Swedish customers) and Nets (Danish and Finnish customers).

Automated decision making and profiling. When you apply to become a customer, an automated decision is made to decide whether we can approve you as a customer. The automated decision consists of your name being automatically searched in sanction lists that we must apply by law. If your name is not in such sanction lists, you will be able to become a customer with us. Furthermore, we use automated processing, including profiling, when we prepare an investment proposal for you. The profiling is based on the information you provide to us in connection with the preparation of an investment proposal: financial situation, risk tolerance, knowledge and experience and investment horizon. The decision results in what we recommend for you with regard to the distribution between equity funds and interest funds in your portfolio. The decision may mean that we do not recommend a portfolio for you at Lysa. You can always contact our customer support if you want to have our automatic decision reviewed by a real person, contest such a decision or otherwise want to discuss the decision with us.

Personal data processing in connection with you or your company becoming a customer takes place with the purpose of:

  • fulfilling our legal obligations (e.g. regarding suitability assessment, know your customer (KYC), and controls against sanction lists) and being able to provide an investment proposal to enter into an agreement with you, or the company you represent, about our services;
  • your email address is processed to verify you as a customer and to be able to send you information about your savings and important events where we must reach you; we will also log information on whether you have received our information (in some cases we process your email address to send marketing emails and other commercial emails, see more in the section “Personal data processing in marketing, feedback and customer surveys / user tests”);
  • if you have become a customer via an affiliate link connected to our affiliate network, we will also assign you an order number so that compensation can be issued to the affiliate who contributed to you becoming a customer with us.

What is the legal basis for our processing?

The processing is necessary to fulfill the agreement that we enter into with you as a private person, or our legitimate interest in fulfilling the agreement with the corporate customer you represent. Where applicable, the processing takes place in order to fulfill the legal requirements imposed on us by law (e.g. applicable money laundering legislation and securities market legislation). Processing of your email address is based on our legitimate interest in nurturing our customer relationship with you and takes place provided that you have not declined such emails. A unique order number is generated and processed with the support of our legitimate interest in being able to pay compensation to the affiliate who recruited you as a customer. Certain data is processed with the support of our legitimate interest in creating statistics for analytical purposes in order to improve our services.

How long do we store the personal data?

We do not store personal data longer than necessary with regard to the purpose of the processing. If you have started the process to become a customer but have not completed your registration, your information will be deleted or anonymised after 2 weeks. If you have completed the signup and become a customer, the personal data will be processed during the time you are a customer with us or - if you are a representative - during the time you are a representative, or during the time we are liable to store the information according to law as set out below.

  • Information related to KYC (e.g. transactions, payers and recipients), 5 years according to the Act on Measures against Money Laundering and Terrorist Financing.
  • Information linked to completed suitability assessment, selected distribution, customer agreement, fee history and transaction history, 5 years in accordance with Finansinspektionen's regulations on securities operations.
  • Information for tax reporting (value of account at the beginning of the quarter, FATCA and CRS information), 5 years according to the Tax Procedure Act.

To provide security and continuity in our services, we create backup copies of our systems, which we can keep longer than the original storage time but a maximum of 360 days. Notification emails within the service and logs of such emails sent within our services are deleted when you cease to be a customer.

Processing of personal data when using Lysa's website and services

What personal data processing do we perform and for what purpose?

We collect personal information when you use Lysa's services, e.g. when you log in, open accounts, make deposits / withdrawals or monthly savings that we direct debit, make ISK moves, make changes in investment orientation, etc., and thereby give consents. The information concerns, for example: (i) name and contact information, (ii) IP address, (iii) the content of your savings with us, (iv) account number, and (v) information provided during KYC, suitability assessment and investment proposals. This information is processed for the purpose of providing you with the services and sending necessary information as well as voluntary notice emails to you. Certain information we need to process in order to fulfill legal obligations so that we can provide you with the services. We also process information about when and how (e.g. time, IP address, operating system) you log in and interact with Lysa's website in order to prevent misuse of our services, to be able to troubleshoot our services and to create statistical data for the purpose of improving and developing our services.

Automated decision making and profiling. When you are a customer, you can open several accounts and receive several investment proposals from us. We use automated processing, including profiling, when we prepare an investment proposal for you. The profiling is based on the information you provide to us in connection with the preparation of an investment proposal: financial situation, risk tolerance, knowledge and experience and investment horizon. The decision results in what we recommend for you with regard to the distribution between equity funds and interest funds in your portfolio. The decision may mean that we do not recommend a portfolio for you at Lysa. You can always contact our customer support if you want to have our automatic decision reviewed by a real person, contest such a decision or otherwise want to discuss the decision with us.

In addition to the information you provide in connection with the above, we also collect name and social security number from BankID when you log in or submit approvals in logged-in mode (Swedish customers) and name and TIN number from Nets when Danish and Finnish customers log in to Lysa. When you make deposits, we collect name and address from Bankgirocentralen (Swedish customers), from Klarna we receive information about your name and account number / bank (and also when you make withdrawals - both Swedish and Finnish customers) and information about your telephone number is collected from Swish. In connection with an ISK move from Lysa, we receive information about your account number at your other institution from that institution. For corporate customers, Lysa processes personal data about the beneficial owner (name and email address), signatory (name and email) and the natural person (name, social security number and citizenship) who is stated as insured when opening endowment insurance. This data may concern a person other than the person who provides the information, e.g. if the person who creates the Lysa account states someone other than him/herself. We may also collect information from the customer's bank in order to follow up on suspicious hits in our transaction monitoring.

What is the legal basis for our processing?

The processing is necessary to fulfill the agreement that we enter into with you as a private person, or our legitimate interest in fulfilling the agreement with the corporate customer you represent. Where applicable, the processing takes place in order to fulfill legal obligations imposed on us (e.g. applicable money laundering legislation and securities market legislation). Processing of your email address takes place partly due to a legal obligation to inform about withdrawals and certain other information, and partly based on our legitimate interest in nurturing our customer relationship with you and takes place provided that you have not declined such emails. Processing of information about IP addresses and how you interact with Lysa is based on our legitimate interest in preventing misuse of our services, troubleshooting our services and creating statistical data to improve and develop our services.

How long do we store the personal data?

We do not store personal data longer than necessary with regard to the purpose of the processing. The personal data will be processed during the time you are a customer with us, or - if you are a representative - during the time you are a representative, or during the time we are liable to store the information according to law as set out below.

  • Transaction and fee history, 7 years according to accounting legislation.
  • Information related to KYC (e.g. transactions, payers and recipients), 5 years according to the Act on Measures against Money Laundering and Terrorist Financing.
  • Information linked to completed suitability assessment, selected distribution, customer agreement, fee history and transaction history, 5 years in accordance with Finansinspektionen's regulations on securities operations.
  • Information for tax reporting (value of account at the beginning of the quarter, FATCA and CRS information), 5 years according to the Tax Procedure Act.

Inactive accounts are deleted after 12 months of inactivity and information about upcoming deletions is given. To provide security and continuity in our services, we create backup copies of our systems, which we can keep longer than the original storage time but a maximum of 360 days. IP addresses for visitors to our website who are not customers are deleted after 3 months.

Personal data processed in connection with our support organisation or other contacts with Lysa

What personal data processing do we perform and for what purpose?

We process personal data provided when potential customers, existing customers or their representatives (e.g. company representative, good man or manager) contact our support organisation (e.g. via email, telephone or messages in logged-in mode), or otherwise contact or are contacted by us, in order to provide them with support and / or nurture our relationship with the customer or the potential customer. The personal data we process in this context may relate to contact information and identification information, authorization documentation, the course of events or other circumstances or information that is relevant to the support assignment or that you provide to us. We document our communication with you, such as messages and telephone calls, partly for educational purposes and to improve our support services, because it is important that our support is of high quality, and partly to document what information has been provided. If we record a phone call, you will always be informed beforehand. Lysa can also have personnel who listen in on support calls; this is done for educational purposes to improve and ensure Lysa's information provision within customer support.

What is the legal basis for our processing?

The processing within the support organisation is necessary for our legitimate interest to assist you in your relevant issues as well as to improve our support services and document our contacts. Certain information is processed when it is necessary to fulfill Lysa's legal obligations. Information provided at customer meetings is processed in our legitimate interest in nurturing customer relationships and potential customer relationships.

How long do we store the personal data?

If you are a customer or a representative of a customer the personal data is stored until you cease to be a customer or you cease to be a representative of the customer, unless the personal data needs to be saved longer due to legal requirements (e.g. money laundering legislation). If you are not a customer, the information will be deleted after the support case has been finished, as long as the information does not need to be saved longer due to legal obligations.

Information provided in contacts with Lysa other than support, complaint reporting or whistleblowing will be deleted 6 months after submission if we have not had contact with you in these 6 months, unless there is otherwise reason for us to assume that your interest in becoming a customer with us remains or we otherwise have a need to continue saving the information.

Personal data processing in the event of a complaint or whistleblowing

What personal data processing do we perform and for what purpose?

We process the information you provide to us in the event that you have a complaint about our services or report a violation to our whistleblower function in order to handle your case.

What is the legal basis for our processing?

The processing is necessary to fulfill Lysa's legal obligations.

How long do we store the data?

Personal data related to complaints where the complainant's request has not been approved is archived for 10 years; other complaints are archived for 5 years. Personal data that is processed within a whistleblower case will be deleted no later than 2 years after the case has been closed.

Personal data processing in marketing, feedback and customer surveys / user tests

What personal data processing do we perform and for what purpose?

We process email addresses that are provided to us in connection with you requesting an investment proposal on our website and signing up for newsletters and similar marketing mailings, in order to then be able to send you newsletters, marketing mailings and invitations to submit customer reviews or surveys. General profiling. To adapt the emails to customers, an automatic segmentation takes place by creating mailing lists where you as a customer are categorized e.g. according to savings, geographical area, etc. We will also log information if you have received our emails and if you have acted on their content (e.g. followed a link).

We also process personal data about you when we invite you to and conduct customer surveys / user tests via interviews in order to evaluate, develop and improve our services. If we take audio recordings of an interview, it is for the purpose of documenting the content of the interview, and you will always be informed about it beforehand. Notes from interviews are anonymised after the interviews. We may make video recordings in order to capture your reactions during the tests, in which case you will be informed and consent to this separately. In customer surveys, the survey is performed by the company Surveymonkey, which is a personal data processor of Lysa, and the information provided by customers is anonymised.

What is the legal basis for our processing?

The processing is necessary for our legitimate interest in marketing our services, maintaining good customer relations and evaluating, developing and improving our services. If you object to receiving emails from marketing and customer surveys, we will discontinue such processing.

How long do we store the data?

Marketing. We will cease processing if you decline marketing and commercial emails (you can do this in logged-in mode on Lysa's website, as well as in the respective marketing mailing), or you cease to be a customer. Logs of emails will be deleted when you cease to be a customer with us.

Customer surveys / user tests, surveys and feedback. After the collection of information and no later than within 3 months, we will (to create anonymous statistics) anonymize the information you provide during customer surveys and feedback, and then delete any recording / email with your answers and personal information. In surveys conducted by our partner, we will never have access to personal information about you; the information from the partner is anonymized and the IP address of the respondent will be deleted no later than after 13 months.

Personal data processing in Lysa’s social media

What personal data processing do we perform and for what purpose?

We use pages on social media, e.g. Lysa Community on Facebook, our Twitter and Instagram as well as our LinkedIn page, which are provided by third parties (Facebook and Microsoft), for the purpose of communicating with customers / potential customers and marketing. If you interact with our social media we will receive and process personal information about you. The companies that provide the platforms will also process this information about you for their own purposes. For questions about how they process your information or how you exercise your rights towards them, please see their Privacy Notices.

What is the legal basis for our processing?

The processing takes place with support in our legitimate interest in communicating with customers and marketing.

How long do we store the data?

Reactions, interactions and comments you give us will be processed until you remove them.

Personal data processing for affiliates, representatives of suppliers / affiliates and other partners

What personal data processing do we perform and for what purpose?

We collect and process the personal information provided to us in connection with inquiries or discussions with affiliates, suppliers and other partners, such as names and contact details of representatives, in order to administer the relationship with the supplier, affiliate or partner.

In the event that you are an affiliate in Lysa's affiliate network via a network partner, we will receive information about your name, address, social security number, email address and web address from our network partner in order to be able to accept you into the affiliate network.

What is the legal basis for our processing?

Lysa processes the personal data on the basis of the following grounds: (a) if the contractual relationship is directly with the affiliate or supplier / third party as a private person - to enter into the agreement and fulfill Lysa's obligations under the agreement, (b) if the contractual relationship is with the affiliate or supplier / third party as a legal entity - our legal interest in administering the relationship with the affiliate / supplier and fulfilling our contractual obligations with such party and (c) if the affiliate is an affiliate of Lysa's network partner - on our legitimate interest in administering the relationship with the affiliate.

How long do we store the data?

Personal data that we process in our relationships with suppliers, affiliates and other external parties is stored during the term of the relevant agreement, as long as the person is a representative of the supplier / partner or as long as required by law.

How do we protect your personal data and who has access to the personal data we process?

We have taken appropriate technical and organizational security measures to protect the personal data we process against e.g. loss and unauthorized access. Appropriate security measures that we have taken include the implementation of physical security and protection of data communication (such as personal login, two-factor authentication, encrypted network connections and communications). We regularly review our security policies and processes to ensure that our systems are secure and protected.

Service providers and data processors

Hosting, storing and workspace/email services

Amazon Web Services EMEA SARL, Google Cloud EMEA Limited. We use service providers that provide hosting, storage and workspace services and thus contain personal data. The providers of hosting and storing services do not have access to the personal data and cannot use it or distribute it; they only own and maintain the servers. The Google and Amazon companies that Lysa has agreements with are within the EU / EEA with storage in the EU. Some of Google’s subcontractors that may be required to perform the services are located in the US and also in some other third countries. Transfers from Google to their subcontractors are subject to appropriate safeguards, for example in the form of an adequacy decision or the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know more about, for example, protective measures taken.

Communication services, support and marketing

Mailchimp (Rocket Science Group). We use services from the service provider to send emails to you. The company is located in the United States. Transfers to the United States are subject to appropriate safeguards in the form of the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Trustpilot. When you use the opportunity to leave a review about Lysa on Trustpilot, Lysa will share information about your name and e-mail address to Trustpilot A/S.

Wx3 Telefoni AB and Twilio Ireland Limited. To be able to more easily handle support matters that come in by telephone, we use telephony services from the suppliers Wx3 Telefoni AB and Twilio. Twilio stores customers' personal data during calls within the EU, however, it may be that certain specific data needs to be processed in the USA or by some personal data processor in the USA. Transfers to the United States are subject to appropriate safeguards in the form of Binding Corporate Rules as well as the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Elevio. Lysa uses a widget for FAQ from the Australian company Elevio on our website. Elevio uses subcontractors who host Elevio’s infrastructure in the United States. The transfers to Elevio as an Australian company take place with the support of the European Commission's issuance of adequacy decisions against Australia, meaning that personal data is protected in the country in the same way as within the EU. Elevio's transfers to the United States are subject to appropriate safeguards in the form of the European Commission's standard contractual clauses and, where applicable, additional security measures. You can always contact our DPO if you want to know about the security measures we have taken for transfers to third countries.

Statistics, customer surveys

Google. To measure how you use our services, we use Google Analytics, see our Cookie Policy. However, the information is anonymised and aggregated, and can therefore not be linked to you personally.

Surveymonkey. For some customer surveys the survey is performed by Surveymonkey, who is Lysa's personal data processor for that processing, however, your answers are anonymised.

Whistleblowing function

PWC. Lysa uses an external whistleblower function provided by PWC as a personal data processor for Lysa. The information you provide when using the whistleblower function will be processed by PWC.

Third parties

When your personal data is shared with a party who is independently responsible for personal data, that organization's privacy policy and personal data management apply.

Partners in insurance brokerage, affiliate networks and savings accounts

Futur Pension Försäkringsaktiebolag. In connection with insurance mediation for Swedish corporate customers, Lysa collaborates with Futur Pension Försäkringsaktiebolag to offer customers the option to take out company-owned endowment insurance. In the case of subscriptions, personal information that you provide is thus shared with Futur.

Affiliate network. If you become a customer via an adlink from one of our affiliates, we will share information about you as an Affiliate with our partners for our affiliate networks, so that they can pay compensation to the relevant affiliate.

Savings account cooperation with banks and institutions. In connection with the provision of Lysa's savings account solution, Lysa cooperates from time to time with certain banks and institutions. Where applicable, certain personal data about the customer and its transactions may need to be shared with the partner.

Deposits and withdrawals to/from Lysa

Bankgirocentralen (BCG). We share information about Swedish customers' social security number and account number when the customer sets up a direct debit (Sw. autogiro), if the direct debit is linked to a private account.

MobilePay. For Danish customers, we share the customer's social security number with MobilePay when the customer makes a deposit.

Danske Bank and customer bank. If you as a customer request a withdrawal, we notify Danske Bank of the recipient account number and for non-Swedish customers we also notify of the name of the owner of the recipient account. For customers in euro countries who make deposits via direct debit, we send information to Danske Bank about autogiro consent. We share information with Danske Bank and/or the customer's bank on request for AML reasons.

Other third parties

Authorities. Lysa may disclose information about you to the Financial Supervisory Authority, the Police, the Tax Agency, the Enforcement Agency and other applicable authorities either in accordance with the agreements that Lysa has entered into with you, or if Lysa is obliged to do so in accordance with applicable law, regulation or authority decision.

Representatives, proxies. Lysa may (if applicable) share information about the customer's Lysa account (e.g. balance and account number) with the customer's administrator, estate owner, bankruptcy estate etc.

Shared account. When you choose to grant other Lysa customers access to information about your Lysa account, you choose which recipients you want to be able to see e.g. portfolio composition, development and transaction history on the Lysa account you share. For more information about which information about you and your Lysa account is shared, see the terms and conditions for the Proxy - Power to access information. If you accept a request to access information about another person’s Lysa account, your name and birth date will be shared with the person who made the request.

Your rights

As a data subject, you are entitled to exercise the following rights in relation to our processing of your personal data.

The right of access. You have the right to have access to your personal data (including copies thereof) and certain information regarding the processing of the data.

The right to rectification. You have the right to have inaccurate data rectified and incomplete data completed. If you are a customer you can make such adjustments on your own when signed in to Lysa’s website.

The right to erasure. Under certain circumstances, you have the right to have your personal data erased (“the right to be forgotten”). When your personal data is needed for Lysa to be able to fulfill the purposes for which it was collected, is required to fulfill a legal obligation or is required to be able to establish, assert or defend legal claims, Lysa has no possibility to delete the data. Here you can read more about when you have the opportunity to exercise the right to be deleted.

Also note that data may be retained in our backups. Complete backups are taken daily and deleted automatically 360 days after they are taken.

The right to restriction of processing. You have the right to have the processing of your personal data restricted in case:

  • you do not think the personal data is correct,
  • the processing of personal data is illegal, but you do not want it to be deleted,
  • Lysa no longer needs the personal data for the purposes of the processing - but you need the data to be saved to make a valid legal claim,
  • you have objected to the processing based on a balance of interests or that the processing is necessary in the public interest, and are waiting for Lysa's reasons for the processing to be verified.

The right to data portability. If the processing of your personal data is based on consent or agreement with you and takes place automatically, you have the right to obtain your personal data (and, if technically possible, have it transferred to another personal data controller) in a structured, commonly used and machine-readable format.

Right to object. You have the right to object at any time to the processing of personal data concerning you that is based on Lysa's legitimate interest (balancing of interests), including profiling based on our legitimate interest. You can also opt out of electronic direct mail in logged-in mode on Lysa's website.

You can always contact our data protection officer (DPO) at dpo@lysa.se or call 08-525 035 70 to make a request according to the above. If you are a customer, however, we prefer that you make your requests via message to us in logged-in mode; this makes it easy to ensure that we are in contact with the right person and that e.g. information is sent to the right person.

You may also complain about Lysa's processing to the supervisory authority the Swedish Authority for Privacy Protection. You will find contact details to the Authority for Privacy Protection here: https://www.imy.se/other-lang/in-english/about-us/contact-us/.

Contact details to Data Protection Officer

Email: dpo@lysa.se

Lysa AB, reg. no 559028-0821
Email: kontakt@lysa.se
Phone: 08-525 035 70
Address: Riddargatan 17A, 114 57 Stockholm

Amendment of this information about personal data processing

Lysa may amend this privacy notice as necessary. You will be informed about any changes affecting the processing of your personal data.