Data and Privacy Policy

Version 2.1 (2024-03-25)

Pej cares about your personal privacy and it’s important to us that you feel confident about our processing of your personal data. We are completely transparent about how we collect, process and disclose the personal data we store about you. We never sell your personal data to any third party without your consent.

We welcome the European-wide regulation which aims to improve and better define the processing of personal data to the benefit of our users. As a matter of fact, the main purpose of the regulation is to protect the natural person’s basic rights and freedoms, in particular their rights to personal data protection.

This policy explains how we collect and use your personal data, and how you can access, rectify and erase your personal data. To us, it is important that you read through and understand the policy. You are welcome to contact us at privacy@pej.se or +46 10 188 00 40 for any questions concerning personal data and privacy protection.

Why do we collect your personal data?

We need your personal data to enable our service to operate in the best possible way, as well as to comply with the legal requirements applicable to our service. For example, we need your email address to comply with applicable laws that require us to send you a receipt after having purchased something from us. Certain personal data are used to provide the best possible service and support.

We process all personal data with the utmost regard to your privacy and your rights and freedoms.

Which personal data do we collect and why?

We collect the personal data required for our service to work, which may vary from case to case. For example, we only use the delivery address when an order is to be delivered to a physical address.

Personal data
Purpose
Legal basis

First and last name

Your first and last name is used to identify you when you place an order and hence helpful to merchants when they deliver your order.

Fulfil contractual obligations

Email address

The email address is used to create your login username.

The email address is also used to send you an order confirmation and receipt related information.

The email address is also used to contact you for matters regarding customer administration, e.g. customer support.

Fulfil contractual obligations

Comply with legal obligations

Fulfil contractual obligations

Profile image
(Optional)

The profile image helps our merchants recognise you when they e.g. are serving your order at a table.

Pej has a legitimate interest in being able to show your profile image to merchants, with the goal of providing you with the best possible service by helping the merchant to recognise you when they deliver your order. The profile image is optional and not asked for in the onboarding process.

Payment details

We do not store payment details, either locally or on an external server. Instead, only a so-called tokenisation is created from your card through Stripe when you fill in your payment details. We use Stripe to carry out transactions in the most secure way. We only store a so-called tokenisation of your card information, the four last digits, the name on the card and the expiry date – to allow you to identify which card you are paying with. All sensitive card details are stored by Stripe, which has the payment card industry’s highest possible accreditation (PCI Service Provider Level 1). Read more here.

Fulfil contractual obligations

Location information

When you use the service and have allowed us access to your location information, we use the location information to help you choose the merchant from which you wish to place an order.

Consent. The location information is optional and consent to use this is clearly requested in the service.

Order history

We store your order history to allow you easy visibility and access of the purchases you have made through Pej. The order history is also helpful to our merchants when they need to process a refund, and it also helps us in certain support cases.

Fulfil contractual obligations

Phone number

In some cases, we use your phone number to send an order confirmation as a text message to your phone number. In these cases, the text message contains a link to your receipt.

Your phone number may be used by merchants to simplify the delivery of your order, for example when delivering to your home address.

When you opt to make a purchase via Swish (a Swedish payment provider) or Vipps (a Norwegian payment provider), then your phone number may be used to facilitate the payment. Read more about this and Swish and Vipps further down in this policy.

Comply with legal obligations

Fulfil contractual obligations

Fulfil contractual obligations

Car registration number

The car registration number is used in cases where you ask the merchant to deliver your order to your car. The car registration number helps the merchant to identify your car.

Fulfil contractual obligations

Delivery address

The delivery address is used in cases where you ask the merchant to deliver your order to a specific address. The delivery address helps the merchant to identify the address to where the order should be delivered.

Fulfil contractual obligations

How do we collect personal details?

You can – directly or indirectly – provide details about yourself to us in a number of ways, either by providing the details yourself when you set up a user account or when you place an order and pay through a third party. We always inform you in the event that we retrieve details from a third party.

Where do we process the data?

We always aim to process your personal data within the EU/EEA. In some situations, however, personal data may be transferred to and processed by another supplier or subcontractor that is located in a country outside the EU/EEA. In doing so, all reasonable legal, technical and organisational measures are taken to ensure your personal data are processed securely and with an adequate degree of protection in accordance with GDPR.

If we transfer personal information to countries outside of the EU/EEA, we may rely on a decision from the European Commission determining that the country provides an adequate level of protection to the Data Protection Laws. Alternatively, we may rely on appropriate safeguards in respect of transfers of personal information to a country outside of the EU/EEA, for example, by agreeing standard contractual clauses adopted by the European Commission.

To whom might we potentially disclose your information?

In order to provide our service, we need help from other companies. Some of these are personal data processors while others, such as merchants on our platform, are personal data controllers in addition to us. Personal data processing agreements have been put in place in accordance with GDPR with all personal data processors. We are happy to disclose any or all of our personal data processing agreements, if requested. Our merchants have a responsibility in parallel with us. Please refer to their agreement to read more about their processing of your personal data.

Personal data processor
Purpose
Personal data

Merchant

Merchants who offer Pej’s service in their business have access to certain personal data in order to carry out the order. Some personal data are used to deliver the order while others are required to comply with laws, e.g. accounting laws. To read more about how merchants process your personal data, please refer to their data protection and confidentiality policies, which are available when you place an order.

First and last names, email address, phone number, car registration number, delivery address, order history per each merchant.

Google Cloud Platform

We use the Google Cloud Platform to store personal data.

First and last names, email address, phone number, car registration number, delivery address, Token ID, order details and order history.

G Suite

We are currently using G Suite as our mail server. Google is therefore the data processor for support cases handled via email.

First and last names, email address, phone number, car registration number, delivery address, Token ID, order details and order history.

Mailchimp

We use Mailchimp to send a confirmation to your email (“Email confirmation”). This is stored for 30 days only to simplify potential support cases and is thereafter deleted. We also distribute mailings containing important contract information, policies etc. via email.

Mailchimp’s servers are located outside of the EU/EEA and our sending of personal data to them is hence viewed as a third-country transfer. For these transfers of personal data, we rely on appropriate safeguards by using and including standard contractual clauses adopted by the European Commission in our data processing agreement with Mailchimp (you may find our data processing agreement, as well as the standard contractual clauses – the latter under Annex C – here).
Affected personal data: First and last names, email address, delivery address (if ordering delivery)

First and last names, email address, delivery address.

Slack

We use a communication system called Slack for our internal communications and support. As we use Slack to manage support cases, e.g. contacts made through our website, this means Slack has access to certain personal data depending on the individual support case.

Depends on the individual support case.

Stripe

We use Stripe to perform payment transactions in the most secure way. We only store a so-called tokenisation of your payment card plus the four last digits, the name stated on the card and the expiry date – allowing you to identify which card you are using. All sensitive card details are stored by Stripe, which has the payment card industry’s highest possible accreditation (PCI Service Provider Level 1). Read more here.

First and last names, payment details.

Swish

Payment service provider Swish uses your phone number to identify your payment. When making a payment, you are directed to Swish’s own platform, where Swish’s own data protection and confidentiality agreement applies. Link to the agreement.

Phone number, payment details.

Vipps

Payment service provider Vipps may need your phone number to identify your payment (often the communication to Vipps is done without using your phone number). When making a payment, you are directed to Vipps’s own platform, where Vipps’s own data protection and confidentiality agreement applies.

Phone number, payment details.

Authorities: Pej may potentially disclose required details to authorities such as the police, tax agency or other authorities to whom we are liable to disclose details according to applicable laws, or if you have given us consent to do so. Examples of legal obligations to disclose details are measures against money laundering and financing of terrorism.

For how long do we store personal data?

We store personal data for as long as it is necessary to fulfil the purpose for which the data was collected, or to comply with our obligations and for as long as it is statutorily required, particularly in relation to accounting requirements. You can opt to delete your account yourself, in which case only the personal data that are statutorily required to be stored are retained.

The personal data is only stored for as long as necessary. We have clear routines in place for how to minimise storage of data. Inactive users are erased once per year.

We have the right to remove information and users who do not comply with the law or who we believe act abusively, offensively and/or do not comply with the policy. Our responsibility does not free users from their responsibility for what they publish.

What happens in the event of a data breach or personal data incident?

Should, against all presumptions, a serious data breach or personal data incident occur, we will notify all affected parties, as well as the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten) as soon as possible. We have routines in place for this purpose, as well as an established structure for internal and external reporting.

Your right to access, rectification and deletion

Your personal data is your data. We have set up a page for you to log in and get:

  • access to your personal data,

  • right to rectification,

  • right to be erased, and

  • right to data portability.

You can find the page at www.pej.se/user.

Non-user data

Non-user data: If you are a customer/potential customer of Pej

When we have been in contact with a customer, we save personal information about the customer representative(s) in order to maintain communications and the business relationship. The same applies to a potential customer with whom we intend to pursue a customer relationship. The information that is stored includes, for example, your name, email address, telephone number, and the name of your company.

Should you consent to receive marketing communications from us, you retain the right to opt out at any moment. Each marketing email we send includes an ‘Unsubscribe’ option at its conclusion, allowing you to cease receiving these communications instantly. Alternatively, you may express your desire to unsubscribe at any time by directly contacting us at privacy@pej.se. We are committed to ensuring your preferences are respected promptly.

Why do we collect this information? We collect this information to maintain the professional relationship with our customers and potential customers, as well as to comply with legal requirements for the processing of personal data, such as accounting laws. This information is not stored for longer than necessary to fulfill the purpose of the processing.

Non-user data: If you are applying for a job at Pej

When you apply for a position we will collect information about you that we need to communicate about the position and the recruitment process. This includes, among other things, your name, address, telephone number, educational qualifications, and previous employment.

Why do we collect this information? We collect your personal data in order to include you in a recruitment process and potentially enter into an employment agreement with you. This information is not stored for longer than necessary to fulfil the purpose of the processing.

Non-user data: If you are a supplier to Pej

If you are a supplier to us at Pej, we only process the personal data necessary to maintain a business relationship with you. We process personal data about the supplier representative in order to maintain communication. The information that is saved includes, for example, name, title, email address, and telephone number.

Why do we collect this information? We collect this information to maintain our professional relationship with our suppliers. This information is not stored for longer than necessary to fulfill the purpose of the processing.

Non-user data: If you are a subcontractor to Pej

If you are a subcontractor to Pej, we only process personal data that is necessary to fulfill the assignment/relationship or to investigate whether a specific assignment may be relevant for you as a subcontractor. We process personal data such as name, address, contact information, CV, and, if you have a sole proprietorship, possibly your organization number, as well as start and end dates for assignments and compensation.

Why do we collect this information? We collect this information to maintain and facilitate our relationship with the subcontractor and to be able to support the subcontractor in, for example, an assignment, as well as to pay compensation. This information is not stored for longer than necessary to fulfill the purpose of the processing.

Non-user data: If you contact Pej for other matters

If you contact Pej for purposes other than those mentioned above, we may in some cases also collect your personal information. This may include personal data related to references in the recruitment process, media contacts, and industry colleagues. We also process your personal data when you, for example, register for a webinar, meetup, or if you visit any of our offices.

Why do we collect this information? We collect this information for communication and legal purposes. This information is not stored for longer than necessary to fulfill the purpose of the processing.

Personal data controller

Pej AB, reg.no. 559046-7873, is personal data controller for all our subcontractors and we are thus the party that decides for what purposes the personal data shall be processed and how the processing shall be performed.

The merchant with whom you place an order is a personal data controller in addition to Pej. The merchant’s processing of personal data is governed by their own policy.

Data protection officer

We ensure that the personal data we store about you is always protected and that our processing always complies with applicable data protection regulations, internal guidelines and routines. We have appointed a data protection officer who monitors our compliance with these rules.

Amendments to the policy

We may update this policy. Changes and updates will be published on Pej’s website. This policy supersedes any previously issued policy.

Contact details

Please contact us if you have ideas, thoughts or opinions regarding this policy. Together, we can likely make it even better.

Personal data controller

Name: Pej AB
Reg.no.: 559046-7873
Website: www.pej.io
Email address: hej@pej.se
Phone: +46 (0)10 188 00 40
Address: Pej, Stora Varvsgatan 6A, Malmö (Sweden)

Data protection officer

Email address: privacy@pej.se
Phone: +46 (0)10 188 00 47

Contact details for the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten)

Email address: imy@imy.se
Phone: +46 8-657 61 00