Privacy Policy (Debtors)

1. What is a privacy policy?

1.1 In our privacy policy we explain who is responsible for the personal data processing that takes place in our organisation. We also describe which personal data about you is processed when we receive data about you or when you provide data to us in various situations, how we process the personal data, why we do it and on what legal basis we justify the processing. We also explain which external parties may be processing personal data about you. You also receive information about your rights when it comes to our processing of your personal data and about how you can proceed to exercise your rights.

1.2 We will only process the personal data about you that is necessary for the purposes set out in this privacy policy. We have procedures describing how we store and anonymise personal data in order to make sure on an ongoing basis that your personal data will always be correct and relevant. You can read more below about how processing takes place and which data is processed.

2. Important terms

2.1 Here are explanations of some important terms that can be useful to know in order to understand our privacy policy:

a. “Personal data” means any data that relates to a natural person who can be directly or indirectly identified with the aid of this data; for example a name, an ID number such as a personal ID number, location data, an online identifier such as an IP address or one or more factors that are specific to the natural person’s identity.

b. “Processing” means a measure or a combination of measures carried out with personal data; for example collection, registration, organisation, structuring, storage, processing or modification, production, reading, use, disclosure through transfer, dissemination or provision in another way, adjustment or merging, restriction, erasure or destruction.

c. "Controller" is the party that either solely or in conjunction with another party determines the purpose and means of the processing of personal data and is responsible for ensuring that the processing takes place in accordance with applicable data protection regulations.

d. "Data protection regulations" GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and is a European data protection regulation that became directly applicable on 25 May 2018 for all Member States, but also for those countries that in any way process personal data belonging to a natural person in the EU/EEA. The purpose of GDPR is to protect the personal data of natural persons. In addition to the aforementioned regulation, Sweden has also enacted supplementary legislation (Swedish Act (2018:218) with Supplementing Provisions to the EU’s General Data Protection Regulation). When we mention “the data protection regulations” in this privacy policy, we refer to both of the above regulations.

3. Who is responsible for the processing and do you guarantee that personal data is handled securely?

3.1. Axactor Sweden AB, with organization number 556717-2597, is the data controller for the processing of your personal data in cases where we perform debt collection on behalf of others, i.e. when we have been commissioned by the creditor who has a claim against you and when we perform debt collection activities for our own claims. In this text, Axactor Sweden AB is referred to as “we” and “you” are the debtor, i.e. the person against whom a debt collection or monitoring assignment is directed.

3.2. We are obliged to implement appropriate technical and organizational measures to ensure and be able to demonstrate that our processing is carried out in accordance with data protection regulations. We have implemented several appropriate measures to ensure that unauthorized persons do not gain access to your personal data.

4. Source of your personal data

We gain access to your personal data primarily directly from you or from the company or the organisation you represent. Either if you are in contact with us on behalf of your company or your organisation, or if you are designated by your employer as a representative of the company or organisation that you represent. We also have access to your personal data from companies that are part of the Axactor Group. If we believe that you are representing a potential customer, we may also obtain your personal data from the Internet, public registers or social media. If you interact with us via our website, personal data may be obtained from there.

5. Purpose and intention of personal data collection

We process your personal data in order to effectively carry out our assignment and other activities. We process personal data about you in order to handle and make decisions in debt collection and/or monitoring cases in relation to you for the purpose of collecting the debt you owe us or our client. We may process your personal data in connection with legal disputes and complaint handling. We process personal data about you in order to fulfill our accounting obligations, anti-money laundering obligations, data protection obligations, and other legal obligations incumbent upon us. We process your personal data in order to develop our business and thereby streamline the debt collection process. We may process your personal data in order to maintain and ensure the quality of the assignments we perform and to ensure the functioning of our IT environment. We process your personal data in order to administer incoming payments and to conduct our business in general. We may also process some of your personal data to evaluate a claim if we are considering purchasing it. The above description is therefore the purpose and aim of our processing of your personal data.

6. What personal data we process

6.1. We process the personal data and categories of personal data listed below.

a) Name, personal identification number, and contact details. We process personal data such as your name and personal identification number/coordination number, various types of customer and subscriber numbers linked to individual debt collection and monitoring assignments, as well as your contact details, such as address, telephone number, email addresses, and information about and addresses for your workplace, the latter only when necessary for you to be served.

b) Information about the claim and payments. We process personal data linked to the debt collection and monitoring assignments we handle in relation to you or that are otherwise related to the claim and that are necessary for us to be able to fulfill our assignment; normally information about the invoice or claim to be collected, information about the basis for the claim, where applicable, information about delivery and invoice addresses, and information about how and where the order was placed (such as IP address information for online orders). In addition, we process information about both debits and credits (e.g., returns) with specifications, as well as information about any collateral and payments.

c) Information about financial circumstances, etc. We process personal data about your financial circumstances and other circumstances that are relevant to assessing your ability to pay and other ability to fulfill obligations and, where applicable, to claim collateral and similar if such exists. If we consider it necessary in order to make a decision on how your debt collection or monitoring case should be handled, or for the valuation of a claim, we process information about your assessed income, debt circumstances, seizure, employer, the existence of seizable property, and other information obtained from the Swedish Enforcement Authority and other authorities' registers. If relevant for calculating your ability to pay, information about your marital status and family circumstances may also be processed.

In cases where you have applied for or been granted debt restructuring, we also process the information contained in the debt restructuring decision and information about your payment plan and your payments.

d) Information about criminal convictions. Information about criminal convictions is only processed when the processing is necessary in order to establish, assert, or defend legal claims in an individual case, which in our debt collection activities means that our assignment consists of collecting damages due to a crime or in order to be able to assess the payment plan and payments. assert or defend legal claims in an individual case, which in our debt collection business means if our assignment consists of collecting damages due to a crime or to be able to assess payment obligations in cases of fraud where we or our client have a claim.

e) Voice. We may process personal data relating to your voice and other personal data you have provided in telephone calls if you have contacted us by telephone and the telephone call has been recorded. This personal data is processed for the purpose of ensuring the quality of the assignments we perform. Recorded calls will also be transcribed and analyzed using artificial intelligence.

f) Photograph and information about physical and/or electronic identity documents. We may process information about your physical or electronic identity documents, as well as verification photographs, to verify your identity when you contact us or to investigate and pursue disputed claims in court.

g) Information we are required to process by law. In addition, we may process your personal data to fulfill legal obligations, such as accounting obligations, and in such cases the personal data specified by law.

h) Other information. If you provide us with any information that is not of the types listed above, we will also process this information if we deem it necessary and relevant for the performance of our debt collection or monitoring assignment.

6.2. According to data protection regulations, the processing of personal data relating to your health is a special category of personal data that must be treated with greater care than other personal data. In our debt collection activities, we only process such data when the processing is necessary to establish, assert, or defend legal claims; for example, in the case of claims relating to healthcare costs or where health data is otherwise relevant to the individual debt collection case.

7. The legal basis for our processing of personal data

7.1. Data protection regulations only allow us to process your personal data to the extent that we have a basis for doing so. Our processing of your personal data is based on one or more of the following grounds:

a) Public interest. We process your personal data because it is necessary for us to perform a task in the public interest. Debt collection has been deemed to be such a task. The processing of your personal data for the purpose of collecting a debt is therefore permitted even if you have not consented to it.

b) Agreement. In the event that we purchase a claim from a previous creditor, we process your personal data in order to fulfill the agreement that the previous creditor and you have signed, which we have thereby taken over.

c) Legal obligation. Your personal data may also be processed to fulfill our legal obligations, for example, to enable us to fulfill our accounting obligations or to take measures in accordance with anti-money laundering legislation, and to provide information to supervisory authorities.

d) Legitimate interest. When we process data relating to a debt that we are considering purchasing, the personal data is processed on the basis of a so-called balancing of interests, where we have assessed that our interest in being able to evaluate the debt outweighs your interest in the data not being processed. If we then purchase the claim, the data is processed for collection purposes and to fulfill the agreement with you that we have thereby taken over. Furthermore, your personal data may be processed on this basis in order to defend ourselves against any legal claims you may have against us.

e) Consent. We may also process your personal data (e.g., health) on the basis that you voluntarily provide us with data that is not necessary for the establishment, exercise, or defense of legal claims; we may process such data if you consent to the processing.

7.2. As stated above, we process some of your personal data on the basis of a balancing of interests as the legal basis for the processing. The balancing of interests means that we have assessed that our legitimate interest in carrying out the processing outweighs your interest in us not processing your personal data. Our legitimate interest is set out above. If you would like to know more about how we have made this assessment, please feel free to contact us. You can find our contact details under “Contact us."

8. How long do we store personal data?

8.1. Your personal data is processed for the time required for debt collection activities and for the performance of debt collection or monitoring assignments. With regard to ongoing and completed debt collection cases, we follow the guidelines of the Swedish Data Protection Authority, which stipulate that the data must be stored for the entire duration of the debt collection case and for at least a further six months after the assignment has been completed, for the purpose of enabling inspection. All data relating to debt collection cases is always deleted, anonymized, or pseudonymized within 36 months of the case being closed or the assignment being completed. However, data provided to Axactor when not logged in (e.g., in a chat when not logged in) is deleted after 100 days.

8.2. When we process your personal data to evaluate a claim that we are considering purchasing, the data is processed during the evaluation period and until it is clear whether or not we will purchase the claim.

8.3. Special categories of personal data, such as your health, which you have voluntarily provided to us and which you have consented to us processing, will be processed for as long as the data is needed for its purpose, but always until you withdraw your consent or until it is no longer needed to establish, exercise, or defend legal claims. The data will be stored for a maximum of 36 months after the case has been closed or the debt collection assignment has been completed.

8.4. The processing of anonymized data, i.e., data that cannot be directly or indirectly linked to a natural person, is not subject to the restrictions described in this privacy policy.

9. Who may the personal data be disclosed to?

9.1. The personal data we process about you will mainly be processed internally within Axactor and by companies in the same group as us, but may be disclosed to our client, and in relevant parts to our suppliers such as credit information companies, foreign debt collection companies, service companies, postal and printing companies, and others who contribute to our service delivery, as well as to lawyers who represent us, to authorities (for example, to the Swedish Enforcement Authority when necessary for the determination or enforcement of a claim and to the police's service of process when necessary for you to be served) and courts.

9.2. If we use a supplier to process your personal data on our behalf, we will, where applicable, ensure that we have entered into a data protection agreement with them so that we can ensure that your personal data is processed correctly and securely. If you would like to know more about which data processors we use to process your personal data, please contact us.

10. Where is personal data stored?

10.1. Your personal data is mainly stored in our IT infrastructure or in the IT infrastructure provided by one of our data processors. As we are part of the Axactor Group, we may transfer your personal data to another country. In cases where your personal data is transferred to another country, we ensure that appropriate safeguards are in place to comply with data protection regulations.

10.2. Personal data will generally be processed and stored within the EU/EEA. However, your personal data may be transferred outside the EU/EEA if you move abroad and we need to engage a foreign debt collection agency outside the EU/EEA to collect the debt you owe to us or our client. We also use third-party providers outside the EU/EEA who may access your data, including but not limited to the United States. We will never transfer your personal data outside the EU/EEA without ensuring the security and protection of your personal data. We therefore ensure that all recipients have signed the EU's standard clauses to justify the transfer and that the country in question guarantees adequate protection in accordance with data protection regulations. We may also transfer your personal data if required by law.

11. Are you subject to profiling and automated decisions?

11.1. Profiling refers to the automatic processing of personal data used to assess certain personal characteristics of a natural person, in particular to analyze or predict, for example, their financial situation, personal references, interests, and location.

11.2. Automated decisions with legal consequences, or which significantly affect you, are not covered by our activities. In our debt collection activities, we use automated processes that involve profiling. However, these processes do not change your legal position, but are used instead to assess whether or not less intrusive debt collection measures should be taken. Our processes are necessary for us to be able to carry out our assignment and our business in general in an effective manner. This means that you are not subject to profiling or automated decisions as referred to in the data protection regulations.

12. Your rights

12.1. You have certain rights regarding the processing of your personal data. These are described in more detail below. To exercise your rights or ask any questions about your rights, please contact us using the contact details provided under "Contact us."

a) Access. You have the right to obtain confirmation as to whether we are processing your personal data and, if so, you also have the right to obtain information about how we process it and to receive a copy of your personal data. More specifically, this means that you have the right to obtain information about why we process your personal data and how we have weighed up any interests in order to process your personal data, which categories of your personal data we process, with whom we share your personal data, how long we store your personal data and the criteria for assessing the storage period, what rights you have, from whom we obtain your personal data (if we have not obtained it from you), and whether the processing of your personal data includes any automated decision-making, known as profiling, and whether your personal data has been transferred to a country outside the EU/EEA and how we ensure adequate security of your personal data in such cases. However, for any additional copies, beyond the one you are entitled to receive free of charge, we will charge an administrative fee corresponding to the costs we incur in producing and providing the additional copies to you.

b) Rectification. You have the right to have any inaccurate personal data concerning you rectified and to ask us to complete any incomplete personal data.

c) Erasure (the right to be forgotten). Under certain circumstances, you have the right to request the erasure of your personal data. Such circumstances exist, for example, if the personal data is no longer necessary for the purposes for which it was collected or processed, or if you withdraw your consent on which the processing is based and there is no other legal basis for the processing.

d) Restriction. You may also request that the processing of your personal data be restricted (frozen) if you believe that the personal data we process is inaccurate, if the processing is unlawful, if we no longer need to store or process the data but you still need it to assert legal claims, or if you have objected to the processing and until we have dealt with your objection.

e) Data portability. You have the right to ask us to transfer some of your personal data that we hold about you to another company or your organization in a structured, commonly used, and machine-readable format (data portability). The right to data portability applies to personal data that you have provided to us where the processing is based on your consent and is carried out by automated means. You also have the right to have your personal data transferred directly from us to another data controller when this is technically possible.

f) Objection. You have the right to object to processing based on a legitimate interest (balancing of interests). Read more about what balancing of interests means above. In some cases, however, you do not have the right to object to processing based on a balancing of interests (for example, because we need to store your personal data). This is the case if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if it is for the establishment, exercise, or defense of legal claims. If you object, we will assess it against the reasons we have for continuing to process your personal data.

g) Right to withdraw consent. For personal data that you may have provided voluntarily (e.g., about your health) and where you have consented to our processing of the data, you have the right to withdraw your consent at any time. The data will then no longer be processed unless it is necessary to establish, exercise, or defend legal claims, or unless there is a legal obligation to store the data. In such cases, after your consent has been withdrawn, the data will only be processed for these purposes.

h) Submit complaints. You also have the right to submit complaints regarding our processing of your personal data; see more about this under "Your right to submit complaints."

13. Your right to lodge a complaint

13.1. We take your privacy seriously. Therefore, we are very keen to ensure that your personal data is always processed correctly and securely. If you have any comments about our personal data processing, please feel free to contact us.

13.2. If you believe that our processing of personal data is incorrect, you have the right to submit a complaint to the Swedish Data Protection Authority, which is the supervisory authority in Sweden. More information is available at www.imy.se.

14. Please feel free to contact us

14.1. If you wish to exercise your rights as described above or have any further questions about how we process your personal data, please contact us (Axactor Sweden AB, organization number 556717–2597) as follows:

a) Mail. Axactor Sweden AB, Att. Data Protection, Nordstadstorget 6, 411 05 Gothenburg, Sweden

b) Telephone. You can reach our customer service by calling +46 (0)31-383 38 00.

c) Email. You can reach our customer service at kundservice@axactor.com and our data protection officer at dataskydd@axactor.com.

14.2. Please note that email may be subject to unauthorized interception, unauthorized additions and changes, computer viruses, or other types of manipulation. Before sending confidential information to us, you should carefully consider the risks associated with sending sensitive information by email.

15. Changes to this privacy policy

15.1. This privacy policy will be updated on an ongoing basis as necessary.

This privacy policy was adopted by Axactor on February 20, 2023, and was last updated on November 26, 2025.