
REGISTER LIST

Which systems and/or companies have access to my and my clients' personal information and why I use their services

In my work, I use services provided by the following companies and systems, which are listed below. These companies and systems have access to all or part of the personal data I collect in my work. According to the GDPR, as an entrepreneur, I am obliged to ensure that the systems and/or companies whose services I use handle my customers' personal data in a way that meets the requirements of the GDPR. Read more about each of them and what our cooperation based on GDPR looks like.

1. Wix.com. This website is built via and hosted on the Wix platform. Via Wix, I have my booking system (where the payment systems are included) and my company email. (Based on a collaboration between Wix and Google, my company email is also connected to Gmail, and it is from that platform that I send and receive emails. See further under point 10 below.) These features are services Wix provides in order for me to perform my work: offer and receive payment for video and email sessions and send out my newsletter, and therefore Wix needs access to the personal data used for this (name, email address and payment details). Wix describes in their privacy policy that the company handles and carries out transfers of personal data in a way that is compatible with the GDPR law, both within and outside the EU. Wix stores my and my customers' personal data as long as my account with them (= my website) is active and possibly longer if there are special reasons for this. Please read further under point 12 of their privacy policy which can be found here: About Privacy | WIX

 

2. PayPal. If one chooses to pay for a session via PayPal, the customer fills in their payment details (name, address, phone number, email address and payment card details). From this information, I am only allowed to see the customer's name and email address. PayPal describes in their privacy policy that they handle international transfers of personal data in a way that is approved by the European Commission, which, among other things, ensures that EU laws are followed. PayPal stores personal data for as long as I use the PayPal payment service in my work plus a period of 10 years, unless there are special reasons to keep it longer. Please read further in their privacy policy which can be found here: PayPal Privacy Statement

3. Stripe. Stripe is a service that enables a customer to pay by card, such as Visa or MasterCard, via my website. If one chooses to pay for a session via Stripe, the customer fills in their payment details (name, address, phone number, email address and payment card details). From this information, I am only allowed to see the customer's name, email address and the last four digits of the payment card, its expiry date and CVC code. Stripe describes on their privacy center's website that in the case of international transfers of personal data, they have safeguards in place so that the transfers are carried out in an approved manner according to, among other things, GDPR and the European Commission. Stripe stores personal data as long as you use their services, unless there are special reasons to keep it longer. Please read further in their privacy policy located here: Privacy Policy (stripe.com) as well as in their privacy center here: Stripe Privacy Center

4. Swish. Customers residing in Sweden have the option of choosing Swish as a payment method on my website. In the Swish company app, I only get access to the customer's name and phone number. (On the checkout page, however, the customer needs to fill in their billing information (name, email and address) for the booking to go through. Please read more about this in my privacy policy under the heading "How I collect information".) Swish describes that customers' personal data is processed in accordance with the General Data Protection Regulation (GDPR). Swish retains personal data for as long as is necessary to fulfill the purpose of processing them and to fulfill applicable legal requirements, including for a period of at least seven years for processing relating to accounting information according to the Accounting Act. Please read further in their privacy policy here: Microsoft Word - Swish Integritetspolicy 2021-01-25.docx (ctfassets.net)

5. Handelsbanken. Handelsbanken is where I have my business account and Bankgiro. When a customer pays via Bankgiro, they are asked to enter their first and last name; this is so that I can connect a booking with the corresponding payment. (On the checkout page, however, the customer needs to fill in their billing information (name, email address and home address) for the booking to go through. Please read more about this in my privacy policy under the heading "How I collect information".) Please note that I will need to ask for the customer's account number in order to make a refund to someone who chose to pay with Bankgiro but then cancels their consultation. This is to be able to carry out an account transfer from my bank to the customer's bank. Handelsbanken usually saves personal data for a maximum of five years, but if you are a customer of the bank or based on other rules and laws, it may be longer. Feel free to read more in Handelsbanken's personal data document (in Swedish) here:

Behandling av personuppgifter i koncernen Handelsbanken | Handelsbanken

6. Zoom. It is via Zoom that you and I talk if you have booked a video session. Zoom describes on their website that they comply with all applicable privacy laws, rules and regulations in the jurisdictions where it operates, including GDPR. They further write that the transfer of data is governed by the European Commission's standard contractual clauses. Please read further in their privacy policy here: Zoom | Privacy and Security

7. Therapy Journal. This is the documentation program I use to keep memory notes to support my work. The program is installed on the computer and can be used without a connection to the Internet, which means that no information is saved in any cloud function outside the user's control. The contents of the journal are protected behind passwords and encryption. I do not communicate with other record systems or documentation programs, nor do I ask for my clients' social security numbers. Immediately after each "turn" (a written email to or from me) in an ongoing email session, memory notes are entered into TerapiJournal and the email is deleted from my company email. In the unlikely event that the documentation program crashes, it is my (encrypted) backups that I use to recover saved information, and no outsiders will be involved.

 

8. Strömberg's accounting firm. An accounting consultant in this agency reviews and manages part of my company's accounting and finances. This means that this consultant may access my customers' personal data based on the accounting. A so-called PUB agreement (personal data assistant agreement) has been drawn up between me and Strömberg's accounting firm, which means that my assistant, in this case my accounting consultant, processes my clients' personal data with the same integrity and security as myself and in accordance with GDPR.

9. Fortnox. I use one of Fortnox's services to manage my bookkeeping on an ongoing basis. A so-called PUB agreement (personal data processor agreement) is drawn up between Fortnox and their customers, which describes that Fortnox complies with the GDPR law in its handling, storage and transfers (including third country transfers when this is relevant) of personal data. How long Fortnox saves personal data varies depending on the purpose for which it was collected. When entering into an agreement with Fortnox, my data and the data I collect from my customers (that is, the digital receipts I send out via email after completed transactions on my website) will be saved for as long as the agreement lasts and for another 10 years.

10. Gmail and Google Workspace. My company email (contact@consonancecommunication.com), even though it contains my domain in its name, is managed via Gmail based on a collaboration established between Wix and Google Workspace/Gmail. Google describes in their direct contact with me and online that they are committed to complying with the GDPR law and also to help their customers comply with this law. Google Workspace offers a so-called Cloud Data Processing Addendum to its customers, which contains standard contractual clauses as a means of meeting the security, contractual and data transfer requirements under EU, UK and Swiss data protection laws. In my business, I use Gmail as a platform for email contact with my customers (however, as also described in my privacy policy, I do not use Gmail as a storage space, but I delete emails continuously after I reply to them) but I do not use any other Google Workspace services. Please read more here: GDPR and Google Cloud

 
