SAS EuroBonus Checkout Privacy Notice

This is the privacy notice ("Notice") of SAS EUROBONUS AB in connection with the EuroBonus Checkout Payment Method ("Payment Method"). This Notice sets out how we process personal information that you give to us, or that we may collect or otherwise process in the course of providing the Payment Method to you.

1.1

When you login to or use the Payment Method, SAS EUROBONUS AB, Reg No. 559224-9782, a limited liability company incorporated under the laws of Sweden and having its registered office at Frösundaviks allé 1, 195 87 Stockholm, Sweden ("SAS EB", "we", "us", "our")will be the responsible data controller for the processing of your personal data necessary to provide the Payment Method.

1.2

Pointspay Management FZCO, whose registered address is Dubai Airport Freezone Authority, PO Box 293805, Dubai United Arab Emirates ("Pointspay Management"), operates the Payment Method and processes data as a processor on our behalf. For general questions related to the Payment Method itself, in the first instance please contact customersupport@pointspay.com.

This Privacy Notice applies to our data processing in relation with your use of the Payment Method. The Payment Method website ("Site") is provided by Pointspay Management on behalf of us and may contain links to other sites. Please note that neither we nor Pointspay Management have any control over how your data is collected, stored, or used by other sites and we advise you to check the privacy policies of any such site before providing any data to them.

3.1

We may collect some or all of the following personal and non-personal data (please also see section 6 on our use of Cookies and similar technologies):

• personal details (e.g., name);
• contact information (e.g., country of residence, e-mail address);
• information on your use of the Payment Method (e.g., your shopping behaviour, your payment behaviour and your use of points or cash portion, invoicing and reporting details);
• EuroBonus loyalty program account information (inc. user program profile details, EuroBonus Bonus points balance)
• general payment information such as credit / debit card details;
• technical information (e.g., IP address, web browser type and version, operating system; list of URLs starting with a referring site, your activity on our Site, and the site you exit to).

Note that such collection of personal data may be performed by Pointspay Management acting as a data processor on our behalf.

3.2

Such data may also include sensitive data, i.e., data that requests higher protection. We will usually not process such information unless you give your prior explicit consent thereto.

3.3

You are at no time obliged to provide us with your personal data. However, should you not wish to provide the information we ask you for you may not be able to use the Payment Method.

4.1

We may use your data to:

• provide you with our services (incl. payment card transactions using the Payment Method);
• co-ordinate with Pointspay Management and merchants who are affiliated with the Payment Method ("Merchants");
• process transactions you have requested;
• allow us to improve our services to you;
• personalising and tailoring your experience on our Site;
• reply to communications you send to us or to Pointspay Management;
• analyse your use of our Site and gather feedback to enable us to continually improve the Payment Method and personalise user experience;
• provide you with personalised marketing materials by email, telephone, SMS and/or by post, but only where you have given us your permission to do so.

4.2

Our use of your personal data will only be processed on a lawful basis, either because it is necessary for entering into or the performance of a contract with you, because you have consented to our use of your personal data, or because it reflects a legal requirement or is necessary for legitimate interests.

4.3

When you use the Payment Method and log in to your EuroBonus account on the Site (regardless of whether you complete the purchase and/or choose to ultimately pay via the Payment Method) Pointspay Management (as the operator of the Payment Method on behalf of SAS EB) will get certain access to your EuroBonus account and membership data such as your Bonus Points balance.

4.4

When we base processing of your personal data on legitimate interest, this primarily refers to our interest to (i) provide you with our services, (ii) to run, monitor and improve our business activities (incl. cooperating with business partners and our processors), and (iii) generating statistics and anonymous data about your use of the Payment Method.

5.1

A cookie is a small file of letters and numbers that we and/or Pointspay Management store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive. The Site use cookies to distinguish you from other users of the Site. This helps us and Pointspay Management to provide you with a good experience when you browse the Site and also allows us to improve the Site.

5.2

Before cookies are placed on your computer or device, you will be shown a pop-up requesting your consent to set those cookies. By continuing to browse the Site or where you provide consent separately (for example for delivering targeted ads on other sites you may visit), you are agreeing to our use of cookies.

5.3

We and/or Pointspay Management use the following cookies:

• Strictly necessary cookies: These cookies are necessary for the Site to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Site will not then work. These cookies do not store any personally identifiable information.
• Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of the Payment Method. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited the Site and will not be able to monitor its performance.
• Targeting cookies: These cookies may be set through the Site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

5.4

Cookies are destroyed once they are no longer necessary for their purpose. You do not have to allow us to use cookies, and you can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, whilst our use of them does not pose any risk to your privacy or your safe use of the Payment Method, it does enable us to continually improve the Payment Method, making it a better and more useful experience for you, and if you block all cookies you may not be able to access all or parts of the Site.

5.5

Pointspay Management may also use other technologies to collect information about the use of the Site, such as Local Storage, and similar technologies.

5.6

The Site may contain links to third party sites some of which may also use cookies and other technologies. This Notice does not cover third party sites which will be subject to their own privacy and cookies policies. We and Pointspay Management do not have access to or control over cookies or other features used by such sites. Please contact them directly for more information about their privacy practices.

6.1

This Site uses Google Analytics, a web analysis service of Google Inc. and Google LLC ("Google"). Google uses cookies and other technologies to collect and analyze information about the use of this Site and in order to provide services to us. Google may collect data about your browser, your provider, visited pages and duration of visits, your IP address, device identifiers (e.g., Android Advertising Identifier or Advertising Identifier for iOS) etc. The information generated about your use of this Site is usually transferred to a Google server in the USA and stored there. However, as IP anonymisation is activated on this Site, Google will shorten your IP address within the European Union or European Economic Area beforehand. In exceptional cases the full IP address will be transmitted to a Google server in the USA and shortened there. For these cases Google relies on the European Commission’s model contract clauses. On behalf of the operator of this Site, Google will use this information to evaluate your use of the Site, to compile reports on Site activities and to provide the Site operator with further services associated with Site and Internet use.

6.2

You may refuse the use of cookies by selecting the appropriate settings on your browser (see sec 5.4). You can also prevent Google from collecting the data generated by the cookie and relating to your use of the Site (including your IP address) and from processing this data by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

6.3

We and/or Pointspay Management use Google Analytics to analyse and regularly improve the use of the Site. Through the obtained statistics we can improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google relies on the European Commission’s model contract clauses.

6.4

Third Party Information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

• Terms of Use: https://marketingplatform.google.com/about/analytics/terms/us/
• Privacy Notice: https://policies.google.com/privacy?hl=en

Pointspay Management may co-ordinate with third parties in the provision of the Payment Method to you (e.g. payment service providers, financial institutions, and suppliers). These parties may process your personal data to supply services to you on our behalf as sub-processors to Pointspay Management, as well as for their own purposes. In that case, these parties act as separate controllers, and you are invited to review their privacy notices to learn more about their processing.

7.2

We may also share your data with other companies in our group for the provision of some of the Services, for example, payment processing as well as for their own purposes. This includes other companies in the SAS Group as well as Pointspay Managements holding company, Pointspay Holding AG, and its affiliates and subsidiaries when acting as sub-processors.

7.3

In some cases, the third parties may require access to some or all of your data. Where any of your data is shared for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under the law.

7.4

We and/or Pointspay Management may compile statistics about the use of the Site including data on traffic, usage patterns, user numbers, sales, and other information. Data will only be shared and used within the bounds of the law.

7.5

We and/or Pointspay Management may compile statistics about the use of the Site including data on traffic, usage patterns, user numbers, sales, and other information. Data will only be shared and used within the bounds of the law.

7.6

In certain circumstances, we and/or Pointspay Management may be legally required to share certain data held by us, which may include your personal data, for example, where we are involved in legal proceedings, where we are complying with legal requirements, a court order, or a governmental authority.

7.7

In case that we share and transfer your personal data with third parties (incl. other group-companies) that are located outside of  the European Economic Area (“the EEA”) (e.g., United Arab Emirates or India but potentially world-wide ) we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be under the data protection law applicable to respective processing within the EEA. In such cases, we will ensure data protection with standard contractual clauses for data transfers to third countries issued and approved by the EU Commission and/or the Federal Data Protection and Information Commissioner (FDPIC), as accordingly amended and adapted to local circumstances. If you wish to receive a copy of these clauses, please contact us (cf. section 1 above). We may transfer personal data to such countries without standard contractual clauses where we are expressly authorized by applicable law, for example with your separate consent, where disclosure is directly connected with the conclusion or performance of certain contracts, for important reasons of public interest or to establish, exercise or defend legal claims. SAS EB and Pointspay Management have entered into the EU standard contractual clauses (SCCs) for the transfer of personal data to third countries.

8.1

According to applicable law, you have the right to:

• request access to your personal information.
• request correction of the personal information that we hold about you if it is inaccurate.
• request erasure of your personal information if there is no good reason for us continuing to process it.
• ask us to stop processing personal information (where we are relying on a legitimate interest) if you wish to object to processing on this ground.
• withdraw your consent to processing of your personal data.
• request the restriction of processing of your personal information.
• request the transfer of your personal information to another party.
• lodge a complaint with the competent data protection supervisory authority.

8.2

If you wish to use one of your rights, you can e-mail Pointspay Management at: privacy@pointspay.com.

8.3

Servicing emails sent to you are triggered automatically when you use the Payment Method, for example, when you make a purchase. If you do not wish to receive service triggered emails, you must stop using the Payment Method.

9.1

Securing your personal and non-personal information is very important to us and we take the necessary technical and organizational measures to ensure an adequate level of data protection appropriate to the risk that is related to a respective processing. In particular, all customer databases are held in a secure environment and (except for law enforcement authorities in limited circumstances), only our and/or Pointspay Managements employees or other persons who need access to your information in order to perform their duties are allowed such access.

9.2

If you wish to use one of your rights, you can e-mail Pointspay Management at: privacy@pointspay.com.

9.3

The Site utilises SSL certificate-based encryption on pages where secure information is transmitted over the Internet. All critical information is encrypted using AES 256 algorithm and stored.

We and/or Pointspay Management do not normally keep your personal data for any longer than three (3) months after you complete a transaction via the Payment Method. We will however retain personal data for as long as we have a legitimate interest in the storage, e.g. if we or Pointspay Management need personal data to handle a customer servicing issue, for the enforcement of or the defence against claims, for archiving purposes and for guaranteeing IT security. We will retain your personal data as long as it is subject to a legal retention obligation.

We may change this Privacy Notice from time to time as we add new products and apps, as we improve our current offerings, and as technologies and laws change. Any changes will become effective upon our posting of the revised Privacy Notice on the Site. We will provide notice to you if these changes are material and, where required by applicable law, we will obtain your consent. Moreover, this notice will be provided by email or by posting notice of the changes consistent with applicable laws.

Further information on how we process your personal data in the EuroBonus program is set out in our Privacy Policy for EuroBonus members.

SAS EB has appointed a Data Protection Officer to help us ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to dataprotectionofficer@sas.se.