QLIRO’S PRIVACY POLICY
Qliro AB (reg. no. 556962-2441) (“Qliro”, “we”, or “us”) is the data controller for the processing of your personal data in accordance with the EU General Data Protection Regulation, also known as GDPR. We are a credit market company supervised by the Swedish Financial Supervisory Authority (Finansinspektionen).
This privacy policy is addressed to natural persons whose personal data is processed by Qliro, whether you are acting as a representative of a company or other legal entity, or as a consumer (“customer(s)”, “you”, “your” or “yours”).
This privacy policy describes what type of information Qliro collects and processes when you apply for a credit with us or our savings account, make a purchase with a merchant using our checkout solutions for merchants, as well as when you are in contact with us or visit our website.
This privacy policy also describes why we use your personal data, how we use it, where we collect it from, how we may share it with other parties, and your rights under the GDPR and how you can exercise those rights. You can always contact us with questions regarding privacy and data protection; see our contact information in section 1 below.
1. CONTACT DETAILS OF THE DATA CONTROLLER


2. HOW AND WHAT INFORMATION DO WE COLLECT?
As a credit market company, we regularly receive and process several types of personal data in connection with our financial services operations, for example in connection with granting of consumer credits, provision of savings accounts and provision of payment services. Further, we provide a checkout solution for merchants (“Qliro Checkout”) for the purpose of the merchant accepting online and instore payments from the merchant’s customers in the merchant’s stores and we receive and process several types of personal data in connection therewith in order to process your payment for your purchase at the merchant’s store.
“Personal data” refers to any information relating to you as an individual that can directly or indirectly identify you, such as your name, email address and personal identification number.
“Processing” refers to any operation performed on personal data, such as collection, use, processing, organization and storage.
2.1. PERSONAL DATA YOU PROVIDE TO US
We process personal data that you provide to us directly when you sign up as a customer of our financial services, or when you make a purchase with a merchant using the Qliro Checkout. For merchants signing up to use the Qliro Checkout and our financial services, we may process your personal data if you are a representative of such merchants.
We also process personal data generated when you use our financial services or pay through the Qliro Checkout, or that accumulates from your use of our website or our app.
We may also process personal data we obtain directly from you, for example when you send emails to us or communicate with us through other channels, such as telephone or our chat, when you sign up for newsletters or other marketing materials, or when you sign up for an event organised by us.
You may directly or indirectly provide us with the following categories and types of personal data:

2.2. PERSONAL DATA WE OBTAIN AND PROCESS FROM THIRD PARTIES
For our financial services customers, we may also process personal data obtained from third parties, such as public registers and credit reference agencies, to complement or verify information you provided, or to obtain information about your order from the merchant with whom you made the purchase using Qliro Checkout.
The following categories of personal data are obtained from third parties:

3. WHAT DO WE DO WITH YOUR PERSONAL DATA?
In the tables below, we explain how and why we use your personal data. For each purpose, you can see:
1. what we use your personal data for
2. what types of personal data we use
3. the legal reason under GDPR that allows us to use your personal data
4. how long we keep your personal data
3.1. WHEN SHOPPING WITH A MERCHANT USING QLIRO’S CHECKOUT





3.3 COMMUNICATION AND CUSTOMER SUPPORT PURPOSES


3.5. PROCESSING OF PERSONAL DATA THROUGH COOKIES
When you interact with our digital services, i.e., our website Qliro.com or the Qliro app, Qliro collects and processes your personal data in order to provide you with our digital services and to prevent fraud and misuse of our services.
We use cookies and similar tracking technologies to enhance the seamlessness and improve the user experience of our digital services. You can find more information about how we use cookies in our cookie policy, which you can read by following this link: cookie policy



3.6. OTHER PURPOSES
We may use your personal data to communicate relevant information and marketing about the products and services you use or similar products and services that we offer, as well as to conduct market and customer satisfaction surveys and analyses via email, mail, phone calls, or SMS. If you want to object to such processing, you have the right to do so; read more in section 4.7 below.


4. PROFILING AND AUTOMATED DECISION-MAKING
4.1 QLIRO’S USE OF PROFILING AND AUTOMATED DECISION-MAKING
Qliro uses automated decision making when you apply for a credit by choosing one of Qliro’s pay later options as payment method to pay for a purchase from a merchant using the Qliro Checkout. You have the right to express your opinion and contest the decision as well as request that a human reviews and reconsiders the decision.
When you apply for credit, Qliro processes your personal data for profiling, which is a procedure that may involve a series of statistical conclusions to assess certain personal characteristics. The categories of personal data used for profiling are identification data, contact data, financial information, and generated information. By processing your personal data, your creditworthiness or so-called “profile” is determined. Automated decisions to approve or deny your credit application are made based on your profile. If you do not meet the basic criteria according to the respective credit product terms, a decision to deny the requested credit will be made automatically.
Automated decisions to deny a credit application can also be made based on your profile for fraud prevention. In addition to the personal data processed in connection with the credit application, Qliro also processes your device information and information about goods/services for profiling for this purpose.
The purpose of automated decision-making is to enable us to manage credits in an efficient and lawful manner. The automated decision-making process is monitored by Qliro’s data protection officer.
4.2 YOUR RIGHT TO OBJECT
As a data subject, you also have the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning you or similarly significantly affects you. You have the right to object to such processing, including profiling. However, this right does not apply if the decision-making is necessary to enter into or perform a contract with you, such as a credit assessment, or if you have given explicit consent. However, you have the right to express your opinion, contest the decision, and request a review by a human. Please contact us at dpo@qliro.com if you would like to use your right to object.
5. YOUR RIGHTS REGARDING QLIRO’S PROCESSING OF YOUR PERSONAL DATA
As a data subject, you have several rights concerning your personal data according to the GDPR. These rights are detailed below. If you wish to exercise your rights, you can contact us using the contact details provided in section 1 of this privacy policy.
5.1 RIGHT TO INFORMATION
You have the right to receive information about how Qliro processes your personal data. This information is primarily provided through this privacy policy when your personal data is collected and is always available on Qliro.com and in the Qliro app. You also have the right to receive specific information in the event of a personal data breach that affects your personal data and is likely to lead to a high risk for your rights and freedoms, such as the risk of fraud or identity theft. We will communicate such information directly to you via email or another appropriate medium.
5.2 RIGHT OF ACCESS
You have the right to request confirmation of whether Qliro processes your personal data. If we process personal data about you, you have the right to access a copy of the personal data that Qliro processes about you. There may be legal provisions that prevent us from disclosing certain information to you, such as the Act on Measures against Money Laundering and Terrorist Financing (2017:630). Under certain conditions, Qliro may also deny your request for access if, for example, you request access multiple times within a short period. When requesting access or a copy, we need to take certain measures to verify your identity as the data subject.
5.3 RIGHT TO RECTIFICATION
You have the right to have incorrect personal data rectified or supplemented with personal data that is missing. The right to rectification applies both to personal data collected from you or a third party and to your potential profile created by Qliro through profiling. You can notify us if you wish for us to correct or supplement your personal data.
5.4 RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)
You have the right to request the erasure of your personal data. You also have, in some cases, the right to have your personal data deleted or forgotten. This applies if:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
- you object to processing based on Qliro’s legitimate interest, and there are no overriding legitimate grounds for the processing that outweigh your interests;
- the processing is for direct marketing purposes, and you oppose the processing of your data;
- the personal data has been processed unlawfully; or
- it is necessary to comply with a legal obligation.
Please note that Qliro has the right to partially or fully deny your request for the deletion of your personal data to the extent necessary for Qliro to continue processing your personal data to, for example, comply with a legal obligation or to establish, exercise, or defend legal claims. If you use any of our products or services, have a debt with us, or otherwise have an ongoing relationship with us, you generally cannot have such data deleted. Additionally, there are legal requirements that prevent us from deleting certain information even after the cessation of services or other relationships with us. These obligations stem from banking, anti-money laundering, accounting, and tax legislation, as well as consumer protection laws.
However, we ensure that such personal data is not processed beyond what is necessary to fulfil these obligations, and we limit the processing and access to personal data as much as we can. You can notify us if you wish for us to delete your personal data. Upon such a request, we need to take certain measures to verify your identity as the data subject.
5.5 RIGHT TO RESTRICTION OF PROCESSING
You have the right to request the restriction of the processing of your personal data. A restriction can be made if:
- you believe the personal data we process about you is incorrect and you have requested rectification; you can request restricted processing during the time we are verifying the accuracy of the personal data;
- the processing is unlawful, and you oppose the deletion of the data and instead request the restriction of their use;
- Qliro no longer needs the personal data for the purposes of processing, but you need the data to establish, exercise, or defend a legal claim; or
- you have objected to processing based on legitimate interest; you may request that we restrict the processing during the time we are evaluating whether our legitimate interests outweigh your legitimate interests.
If the processing has been restricted according to any of the above situations, we may, in addition to storage, only process the data to establish, exercise, or defend legal claims, to protect someone else's rights, or based on your consent.
5.6 RIGHT TO DATA PORTABILITY
You have the right to request the transfer of the personal data you have provided to us through your consent or based on a contract with us, where the processing is automated (data portability). You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transfer this personal data to another data controller. The transfer of your personal data can be done provided the transfer is technically feasible.
5.7 RIGHT TO OBJECT TO CERTAIN PROCESSING
You have the right to object at any time to our processing of your personal data based on legitimate interest as a legal basis. Continued processing of your personal data requires us to demonstrate a compelling legitimate ground for the processing that outweighs your interests in the specific processing. Otherwise, we may only process the data to establish, exercise, or defend legal claims.
You always have the right to object to direct marketing, including profiling, without a balance of interests being made. If you have objected to processing for direct marketing, we may no longer process your data for such purposes.
5.8 RIGHT TO WITHDRAW YOUR CONSENT
If Qliro processes your personal data based on your consent, you have the right to withdraw your consent at any time. Qliro will then cease the processing that relies on the consent. You can withdraw your consent by sending us a message via the contact details provided in section 1.
5.9 THE RIGHT TO LODGE A COMPLAINT
If you believe that we process your personal data in violation of GDPR, you have the right to lodge a complaint with a Data Protection Authority via the contact details provided in section 9. Learn more about how to lodge a complaint on each Data Protection Authority’s website.
You can also address complaints to our Data Protection Officer in writing by email, using the contact details provided in section 8.
6. WHO MAY WE SHARE YOUR INFORMATION WITH?
Qliro does not sell your information to third parties. However, it is necessary for us to share your personal data with certain third parties in order to provide you with our services and fulfil our agreement with you. We implement reasonable technical, legal, and organizational measures to ensure that your personal data is handled securely and with an adequate level of protection. The following categories of third parties may receive and process your personal data.
SUPPLIERS AND SUBCONTRACTORS
Suppliers and subcontractors are companies that provide Qliro with the services and functionalities required for us to provide you with our services and products. In most cases, suppliers and/or subcontractors are companies that only have the right to process the personal data they receive from Qliro on behalf of Qliro, so-called data processors. Examples of such suppliers and subcontractors are financing partners, financial infrastructure partners, and email, print, and logistics companies. In some cases, however, some of these suppliers and/or subcontractors process your personal data for their own purposes and are thus separately responsible for that part of the personal data processing. To read more about how these companies process your personal data, we refer you to their privacy policies.
Qliro needs to access services and functionalities from other companies that Qliro cannot offer itself. Therefore, we may share your personal data with suppliers or subcontractors to access these services and functionalities in the performance of our contractual obligations to you or to fulfil our legitimate interest and for the other purposes outlined in this privacy policy. We ensure that the processing involved is necessary to achieve this interest and that our interest outweighs your right not to have your data processed for this purpose. You have the right to object to this processing if we base the transfer on legitimate interest, due to circumstances specific to your individual case. More information about your rights can be found in section 5.
MERCHANTS
A merchant is a company or organisation that sells goods or services online or instore and uses the Qliro Checkout to enable you to pay for the purchases you make with such merchant. When you make a purchase with one of the merchants using the Qliro Checkout, or when you place products in your shopping cart without completing the purchase, the merchant receives information about your purchase or prospective purchase in order to execute and manage your purchase or handle other relevant customer interactions. Qliro also provides information that the merchant needs for certain legitimate interests, such as dispute management or to follow up on an order that was started but not completed. For such information, the respective merchant’s privacy policy applies, and the personal data is handled in accordance with it. You have the right to object to this processing if we base the transfer on legitimate interest due to circumstances in your individual case. More information about your rights can be found in section 5.
CREDIT REPORTING COMPANIES AND CREDIT REGISTERS
Financial information about granted credits and loans, payment defaults, and credit abuse is provided to credit reporting companies and credit registers.
DEBT COLLECTION AGENCIES
We may share your personal data when we assign debt collection agencies to collect unpaid debts or if we sell the debt. Debt collection agencies may also process your personal data as data controllers according to their privacy policy. The legal basis for such disclosure is Qliro’s legitimate interest in collecting and selling claims. You have the right to object to this processing due to circumstances in your individual case. More information about your rights can be found in section 4.
PARTIES INVOLVED IN THE PAYMENT FLOW
To administer your purchase of a good or service, we need to provide personal data to the payment service provider for the payment method you have chosen, such as card acquirers for card transactions. To administer your direct debit payments (Bg Autogiro), we need to provide personal data to Bankgirot. To administer and execute withdrawals from your savings account in Qliro, we need to share your personal data with the bank where you have your withdrawal account, in compliance with applicable banking secrecy regulations. The legal basis for such disclosure is the performance of a contract with you.
PARTNERS
Qliro may work with various partners, for example in the Qliro app. If you choose to use a partner’s service via the Qliro app, we provide generated information such as the fact that you reached the partner via the Qliro app. For certain services you choose, we share financial information and information about goods/services with the relevant partner. Typically, only pseudonymized personal data is shared with our partners. The legal basis for this is to fulfil the contract with you and Qliro’s legitimate interest in product development and partnership follow-up. In some partnerships, we also share your contact information, which will be made clear when you choose to use the partner’s service. You have the right to object to this processing if we base the transfer on legitimate interest, due to circumstances specific to your individual case. More information about your rights can be found in section 4.
AUTHORITIES
We are in some cases obligated to share your personal data with different authorities if required by law or in response to a legal request, for example the Financial Supervisory Authority, the Tax Authority, the Enforcement Authority, the Authority for Privacy Protection and the Police Authority. An example of when we are legally obligated to disclose such information is to prevent money laundering and terrorist financing according to the Act on Measures against Money Laundering and Terrorist Financing (2017:630). We may also disclose your personal data to authorities if you have consented to us doing so.
MERGERS AND ACQUISITIONS
In the event of a sale, merger, or other business transfer, we may transfer your personal data to a third party involved in the transaction. The legal basis for such transfer is Qliro’s legitimate interest in conducting the business transaction. You have the right to object to this processing due to circumstances in your individual case. More information about your rights can be found in section 4.
7. TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE EU/EEA
When applicable, we may share your personal data with other entities in a country outside the EU/EEA, known as a “third country”. In a third country, GDPR does not apply, which may pose an increased privacy risk, including the possibility for authorities in a third country to access your personal data and a risk to your ability to exercise control over the personal data. To protect your personal data and to maintain an adequate level of protection, the transfer is based either on a decision by the EU Commission on an adequate level of protection or on appropriate safeguards, such as binding corporate rules approved by the competent supervisory authority or the EU Commission's standard contractual clauses combined with organizational and technical protective measures.
You can read more about which countries are considered to have an adequate level of protection on the EU Commission’s website by following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
You can read more about the standard contractual clauses by following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
We always aim to conduct a risk assessment before a transfer is made to a third country and implement both technical and organizational protective measures to ensure an appropriate level of protection. We always strive to transfer as little personal data as possible to countries outside the EU/EEA and, if possible, in anonymized form. For more information on the protective measures Qliro takes, see section 7 of this privacy policy.
SOCIAL MEDIA
We're active on social media and love engaging with our customers and community. However, we kindly ask that you don’t share any personal information with us through social media platforms. For questions or support that require personal details, please contact our customer support team directly. You can find the contact details in section 1 of this privacy policy.
8. HOW DO WE PROTECT YOUR PERSONAL DATA?
Qliro has implemented a range of technical and organizational measures to protect your personal data against loss, misuse, unauthorized access, unauthorized disclosure, alteration, and destruction. Please contact us if you want to learn more about Qliro's organizational and technical security measures.
9. CHANGES TO THIS PRIVACY POLICY
We continuously improve and develop our services, products, the Qliro app, and our websites, and the content of this privacy policy changes over time. We encourage you to read this privacy policy every time you use our services and products. If significant changes have been made to our services, products, or this privacy policy, we may notify you via email or in other ways.
10. CONTACT INFORMATION FOR DATA PROTECTION OFFICER AND AUTHORITY FOR PRIVACY PROTECTION
Qliro has a Data Protection Officer (DPO) and data protection specialists who work daily on data protection issues to ensure that we comply with data protection legislation in all markets where we offer Qliro’s products and services. If you have questions about the processing of your personal data, you are welcome to contact our DPO at the contact information below.
DPO
Email: dpo@qliro.com
If you are not satisfied with our handling of your case, you have the right to submit a complaint to a Data Protection Authority.
Data Protection Authority
See contact details by following this link, where you can choose a country: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en#member-se
This privacy policy was last updated on 2025-06-25
Qliro AB (publ)
Org.no: 556962-2441
Corporate domicile: Stockholm
Qliro.com