Privacy policy

Payson Privacy Policy

(The Privacy Policy for Design & Crafts Gotland can be found further down the page.)

GDPR General
Here we have compiled information about the law and what it means, and where you can find more information to better understand how it affects you. There are a number of concepts that are useful to know, as well as what the basic principles of the GDPR mean.
GDPR stands for General Data Protection Regulation and is a new EU data protection regulation that will become law in all EU Member States from 25 May 2018. The GDPR will replace the current Personal Data Act (PUL). The law is designed to protect individuals' privacy and is intended to modernise, harmonise and reinforce protection within the EU.
Within each EU Member State, there is a supervisory authority that will check this. In Sweden, this authority is called Integritetsskyddsmyndigheten, formerly Datainspektionen. On their website you can find more information and guidance on what you need to do.

Processing of personal data
The law concerns how companies should process personal data; "personal data" and "processing" are two important concepts to understand. Personal data may be explained as any information relating to an identified or identifiable individual (also known as a registered person), whereby an identifiable physical person is a person who can be directly or indirectly identified, in particular with reference to an identifier such as a name, an identification number, location information or an online identifier, or to one or more factors specific to the person's physical, physiological, genetic, psychological, economic, cultural or social identity. The processing of this data involves an action or combination of actions concerning personal data or sets of personal data, whether or not they are carried out by automated means. Examples of such processing are collection, structuring, storage, processing, dissemination or erasure.

Personal Data controller and Personal Data processor
In the processing of personal data, there are mainly two roles that you should know and their different responsibilities.

Payson is the Personal Data controller
The personal data controller (PuA) is the one who, according to the law, is ultimately responsible for the processing and determines its purpose and means. The controller shall ensure that the law is complied with, shall inform the persons whose personal data is being processed and shall ensure the compliance of the processor. We are the personal data controller for any processing of personal data about you as a customer or user when you use Payson's services or, for example, contact us. What we do, or do not do, with your personal data is described in our privacy policy.

Personal Data processors to Payson
In some cases, personal data is processed by an external party who then acts as a personal data processor to Payson. The Personal Data Processor (PuB) processes the personal data on behalf of Payson and is responsible for the technical and organisational security measures.  

Basic Principles of GDPR
The law is based on these basic principles, which Payson complies with when processing personal data:
Purpose limitation
Personal data may only be processed for specific, explicit and legitimate purposes.
Storage minimization
Personal data shall not be kept for longer than necessary in the light of the purpose.
Data minimization
Personal data shall be adequate, relevant and limited to what is necessary in the light of the purpose.
Legality, regularity and transparency
Processing must be lawful, fair and transparent in relation to the individual and includes an obligation to ensure that the data is accurate.
Privacy and confidentiality
Requirements for appropriate measures in all relevant respects for the safe processing of personal data.
The responsibility includes an obligation to demonstrate compliance with the principles. You can read more about these basic principles on Integritetsskyddsmyndigheten's website.

Security and Technology
Because Payson handles large sums of money every day, extreme demands are placed on our security work. Therefore, we use a secure system for payments and together with our partners we continuously monitor all transactions. 

About Payson's security management
As a personal data controller, Payson has a general responsibility to implement, on the basis of the privacy risks associated with the processing, appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the General Data Protection Regulation (GDPR). Payson is certified by the security companies Trustwave and GlobalSign.

Authentication and Encryption
All data communication is done with Transport Layer Security (TLS). To access the services, login with BankID or username and password is required.
·  Payson uses encrypted communication in the form of TLS. All data communication to and from the user's computer is encrypted with TLS, the latest approved Internet standard for encrypted communication.
·  Payson applies password protection in that the login procedure is fully encrypted, which means that no information is sent as unencrypted text. The user's password is stored in one-way encrypted format, with a standardized one-way cipher.
·  To avoid unauthorized access to information if a computer is left unattended, the system automatically logs the user out after inactivity. The user is always responsible for the risk of unauthorized use of the services as a result of leaving a logged-on computer unattended.
·  Users are verified continuously. Each call to Payson's servers involves a check of the user's credentials.
·  All card transactions are based on the banks' 3D-Secure technology.

Storage and backups
Payson's services are fully operational within Sweden on servers hosted in Sweden.
·  Only approved personnel have access to the platform.
·  Payson's services are built on a modern platform with multi-level redundancy and scalability.
·  Backups are done automatically at predetermined intervals.

Knowledge and Information protection
·  Only a few key people know how the security system is built.
·  All personnel are bound by a confidentiality agreement that prevents the dissemination of data, information, and the customer's or user's personal data. Only authorized personnel have access to the data, and authorisation is controlled by Payson's management.

Get notifications about the status of your services
Payson works to ensure that our systems are available every hour and every day of the week. In case of disruptions, you can read notices about problems with our services on the home page and on Payson's Facebook page.

E-commerce Security
Payson Guarantee is an example of how we create secure online shopping between our members. Learn more about how it works here.

Four tips for safer e-commerce between individuals
Use common sense. If an offer seems to be too good to be true, that is probably the case. It is possible to do good business on the Internet, but here too there is a limit. Check the product's normal price on sites such as: or to form an idea if the offer seems likely or not.
Ask for the seller's name and phone number and make sure that the person is real. For example, search on or
Most reputable buying and selling sites have some sort of rating system for their users so you can see who is serious. Please contact their customer service if you feel the slightest uncertainty about your purchase.
Do not pay in advance to an unknown bank account – instead use a secure payment service that transfers the money to the seller after you have received the goods, for example the PaysonGaranti service.

Incident Management
To meet the new incident management requirements of the GDPR, our incident management process is presented here. Having procedures for detecting, reporting and investigating incidents is important, not least because personal data incidents need to be reported to the Integrity Protection Authority within 72 hours.

If a serious incident occurs, it may constitute a personal data breach. An example would be if data containing personal data falls into the wrong hands through a security incident, which would be considered a personal data breach.

Incident process
Payson has procedures to manage the necessary coordination, communication and responsibility for assessing, responding to and learning from incidents, in order to reduce the risk of them occurring again. Data breaches and the measures taken are communicated to affected persons. After measures have been taken and the relevant parties informed, a causal analysis is carried out in order to prevent the problem from occurring again.

Privacy policy
The privacy policy describes how Payson processes personal data in the role of personal data controller and how your rights and privacy are protected.
Payson cares about your privacy, and our privacy policy aims to explain how Payson collects your personal data and how it is used. From the policy you can understand what rights you have in relation to us and how you can exercise them. Questions about privacy and data protection can always be sent to us via the Contact Form on the home page.
You accept the privacy policy and our processing of your personal data by using Payson's services. You also agree that Payson uses electronic communication channels for sending information to you. It is important to us that you read and understand our privacy policy before using our services.
Payson needs to process your personal data in order to let you use our website or our payment options, and we take the utmost account of your privacy.

What information is used by us?
Information you provide to us
The information we ask for in connection with, for example, a purchase with Payson's payment option on an e-shop website, contact with us, use of our website or use of another Payson service may be as follows. Please note that not all information will be requested on every occasion.
·  Personal information: Name and surname, social security number, address details, e-mail address and telephone number.
·  Information about the payment: Card details, bank account number and the details of the purchase.
Collected information from you
When our services are used by you, we may collect the following information in order to manage the transaction or manage your case on our website:
·  Personal information: Name and surname, social security number, address, e-mail address, and telephone number.
·  Purchase Details: Information and details about which e-store the product or service is purchased in and, where applicable, the product or service purchased.
·  Financial information: Your income data, your credit history and your payment history.
·  Technical information: IP address, language, browser, operating system, platform, response times, error messages, information for BankID verification.
Any information that you provide to us, and collected information, such as financial information and information about the payment is necessary to enter into a business relationship with us. Other information is collected for other purposes. These purposes are described below.  

What do we use your information for?
Perform our services and duties towards you. Information is collected and retrieved in order for Payson to provide the services you wish to use. This information is used for the following purposes, on the legal bases given below:

Purpose | Why is the information processed (Legal basis) | Automatic decision (Yes/No)
Identify and verify you as a person, information and delivery of products | Contractual basis for an established business relationship | Yes
Administration of payment services including credit assessments etc. | Contractual basis for an established business relationship and comply with applicable law | Yes
Basis for statistics and product development | Contractual basis and other legitimate interests | Yes
Conducting risk analyses and other risk assessments | Contractual basis for an established business relationship and comply with applicable law | Yes
Minimise fraud risk | Contractual basis and other legitimate interests | No
Product development and the creation of solutions and information tailored to the customer | Contractual basis and other legitimate interests | No
To meet legal requirements such as the Act on Anti-money laundering and accounting laws and capital adequacy requirements | Legal obligation – legislative requirements | No

The data are used by Payson for invoicing, information and delivery of products, as well as marketing and as a basis for statistics and product development. The data may serve as a basis for Payson, and where applicable, our partners, to adapt content, advertisements and offers.
The data are analysed and grouped for the selection, prioritization and planning of contacts with members. The data are linked to one or more markers about the type of web services and marketing communication directed at the user, so-called profiling.
Payson's members agree that marketing can be done by post, phone, email, SMS and other digital channels. Marketing via email and SMS is regulated in the Marketing Act.
Personal data may be disclosed to Payson's partners. Personal data is disclosed to authorities only where required by virtue of law or Government decision.

In communicating with you
The data collected about you is used in order to provide you with relevant offers and to share important information with you. If you do not want to receive such information and communication, you can most easily tell us so via the settings on your account profile after login, or via the Contact Form on Payson's website.

Will Payson share your information with anyone?
Using secure procedures and technical solutions, your information will be shared with pre-selected third parties. These third parties are audited and will handle your information in a secure manner. Subcontractors and suppliers in the Svea Ekonomi group, in which Payson is included, will, if necessary, receive your information in order for us to fulfil our contractual commitment to you. We will under no circumstances sell your personal data to third parties unless you have expressly consented to this.

In order for you to purchase goods and services from Payson-affiliated e-shops, portions of your personal data will be shared with the e-shop so that it can administer your purchase. The e-shop's handling of personal data is regulated in the e-shop's terms and privacy policy.

Credit Reference Agencies
In the event that you choose to pay your purchase by invoice, your personal data will be shared with credit reporting agencies for the purpose of evaluating your creditworthiness, verifying your address details and complying with applicable law. The credit reference agencies used are Bisnode AB and UC AB.

In the event that authorities request information and activity related to your personal data, Payson must disclose the information requested. Examples of such authorities are the Swedish tax agency and the police. Legal requirements also support the sharing of data on possible money laundering and terrorist financing.

Purchase or sale of the business
In the event of the sale of Payson or Payson's purchase of other businesses, your personal data may be shared with third parties.

In which countries does our processing of your personal data take place?
Your personal data will be processed within the EU/EEA on each occasion.

How long will your personal data be stored?
Your personal data will be retained as long as the law (for example, the Accounting Act, the Payment Services Act and the Act on Anti-money laundering and terrorist financing) requires it to be retained and as long as necessary in order for us to carry out the commitments we have towards you as a customer. When the personal data are no longer required in accordance with the above description, all your personal data is depersonalised and cannot be recovered or otherwise inferred.
Therefore, an active user account that is in use will not be decommissioned/depersonalised. A user account with a remaining balance will not be decommissioned/depersonalised without consent. Consent is requested by email at regular intervals after seven years of inactivity on Payson's service, where inactivity means not having performed transactions, not having logged into your user account and not having communicated with the company. If consent is not given, the user account will be decommissioned/depersonalised after another (1) year and after at least four reminders have been sent. Any outstanding funds will count towards Payson.

Your rights to access, rectification and erasure
Right to access your data
You can request an excerpt of the information we have about you. The excerpt is sent free of charge, in one copy, once per year.

Right to Rectification
You have the right to correct incorrect or incomplete information about yourself.

Right to be forgotten
You have the right to request the removal of your personal data when the purpose of the processing is no longer relevant. The deletion cannot be revoked or undone, and after the deletion is performed, no person can be associated with the user account anymore. However, Payson may have legal obligations as a payment institution which prevent the immediate removal of your personal data or parts thereof. These obligations come from accounting and tax legislation, banking and money laundering law, but also from consumer law. In this case, only the personal data that we are required to save is saved in order to comply with such legal obligations.

How do you get in touch with Payson in privacy issues?
We are easiest to reach via the Contact Form on our website. Payson AB is the data controller for the processing of your personal data according to the above and complies with Swedish data protection legislation.

Cookie Policy

When you use Payson's services, you agree to receive Payson's "cookies". If you have chosen to accept cookies in your browser, a small text file is stored on your computer. With the help of this cookie we can see information about your visits with us and customize the content so that you experience the site in the best way. We do not store any sensitive personal data in our cookies. The cookie has an expiration date, and when it is reached the cookie is automatically deleted. You can also control the handling of cookies yourself under the Help menu in your browser.

Necessary cookies are needed in order for us to provide Payson's services, such as being able to sign in to your account and manage purchases.

Analytics cookies collect anonymous information about how our services are used, such as which pages are popular, whether you get error messages somewhere or what kind of device is used. Examples are third-party cookies for Google Analytics and Google Tag Manager.

Functional cookies improve your experience of our services when you return to our website or checkout. For example, we save your preferred language and information you used for previous purchases.

Marketing cookies are used to gather information about your surfing habits in order to offer advertising relevant to you. We use this type of cookie to remind you that we want you to come back if you have visited our site earlier.

Different kinds of cookies are saved for different lengths of time. We have some cookies that are only saved while you are actively using our services, while others, e.g. language settings, are saved for a long time. We actively try to minimise the number of third-party cookies we use in our services, but we see some services as necessary for analysis and marketing work.

How you can check our use of cookies
Go to your browser or device settings to learn more about how to adjust your cookie settings. For example, you can choose to block all cookies, only accept first-party cookies, or delete cookies when you close your browser.

Please note that some of our services may not work if you block or delete cookies.



Privacy Policy for Design & Crafts Gotland

Processing of personal data at Design & Crafts Gotland HB

For Design & Crafts Gotland HB, personal integrity is important. We strive for a high level of data protection. This policy explains how we collect and use personal data. We also describe your rights and how you can exercise them.
You are always welcome to contact us if you have any questions about how we process your personal data. Contact information is at the end of this text.

What is personal data and what is processing of personal data?

Personal data is all information about a living physical person that can be directly or indirectly linked to that person. It is not just about names and social security numbers, but also about pictures and email addresses.
The processing of personal data is everything that happens with the personal data in the IT systems, whether on mobile devices or computers. This involves, for example, collecting, registering, structuring, storing, processing and transferring. In some cases, manual records can also be covered.

Personal Data Controller

Göran Stenström is responsible for data protection for the processing that takes place in the business of Design & Crafts Gotland HB (org. no. 969754-9088).

What personal data do we collect about you and why?

When our services are used by you, we may collect the following information in order to manage the transaction or manage your case on our website:

  • Personal information: Name, social security number, address, e-mail address, and telephone number.
  • Information about purchases: Information and details about which e-shop the product or service is purchased in and, where applicable, the product or service purchased.
  • Economic information: Your income data, your credit history and your payment history.
  • Technical information: IP address, language, browser, operating system, platform, response times, error messages, information for BankID verification.

Any information that you provide to us, and collected information, such as financial information and information about the payment, is necessary to enter into a business relationship with us. We process your personal data in order to be able to send newsletters, identify and verify you as a person, provide information and deliver products, and produce material for statistics.

Cookie files

If you leave a comment on our website, you can choose to save your name, email address and website address in cookie files. This is for your convenience in order for you not to have to fill in these details again the next time you write a comment. These cookie files are valid for one year. If you have an account and log in to this site, we will create a temporary cookie file to check if your browser accepts cookie files. This cookie file contains no personally identifiable information and disappears when you close your browser.
In addition, when you log in, we will create multiple cookie files to store information about your login and your choices for designing screen layout. Login cookie files are valid for two days and layout choices cookie files are valid for one year. If you check "Remember Me", your cookie will remain for two weeks. If you log out of your account, the login cookie files will be deleted.
If you edit or publish an article, an additional cookie file will be saved in your browser. This cookie does not contain any personal data, but only specifies the post ID of the item you just edited. It is valid for 1 day.


In some situations, it is necessary for us to engage other parties, for example different IT providers for HR systems and payment systems. They are then personal data processors to us. We check personal data processors to ensure that they guarantee the security and confidentiality of the personal data. When data processors are engaged, it is only for purposes that are compatible with the purposes we have for the processing.

Actors who are independent data controllers

We also share your personal data with certain other actors who are independent data controllers, for example authorities such as the Swedish tax agency and companies we employ for payment systems, when we are obliged to disclose such information by virtue of law or a decision by an authority. When your personal data is shared with an actor who is independently responsible for personal data, that organisation's privacy policy and personal data management apply.

How long do we store your personal data?

We never save your personal data for longer than is necessary for each purpose. Due to legislation, some accounting data need, for example, to be kept for at least seven years.

What are your rights as a registered person?

As a registered person you have a number of rights in accordance with applicable law. You are entitled to receive an excerpt showing what personal data we have registered about you; the excerpt is sent in one copy once per year. You can request correction of incorrect data and, in some cases, deletion.

Contact us for questions about how we process personal data.

If you have questions about how we process personal data, contact Design & Hantverk Gotland HB, Othemarsgatan 3, 621 43 Visby, tel. +46 498-214121, Mail:

We may make changes to our privacy policy.