Myntro AB, 559310-4697, Nils Ericsonsgatan 17, 411 03 Göteborg (“Myntro”, “we”, “us”, “our”) is the data controller responsible for the personal data collected through this website.
Data Protection Officer
Our Group Data Protection Officer (Group DPO) can be contacted at:
Name: Martin Gustafsson
Email: dataprotection@myntro.com
Address: Nils Ericsonsgatan 17, 411 03 Göteborg
If you are an individual in contact with Myntro in connection with a debt collection matter, a separate privacy notice applies — please see our Integritetspolicy för inkassoverksamheten – Sweden
If you are an individual in contact with Myntro in connection with a savings matter, a separate privacy notice applies — please see our Integritetspolicy Deposit
We collect and process personal data only for specific, defined purposes and on a valid legal basis for each. The sections below set out full details of our processing activities, including the source of the data, its purpose, the legal basis relied upon, and how long we retain it.
We do not knowingly collect personal data from children under the age of 16, and our website and services are not directed at them. If you believe we have inadvertently collected data from a child under 16, please contact us at our data protection email address and we will delete it.
Please do not submit special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data) through this website. We generally have no legal basis to process such information via this channel and will delete it if received.
2.1 Responding to Enquiries
Data collected: Name, email address, phone number, company name, and any other information you choose to provide in your message.
Source: Directly from you.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is in managing, responding to, and maintaining records of business enquiries submitted to us, which is a necessary and proportionate part of operating our business. We have conducted an assessment confirming that this interest is not overridden by your rights and freedoms, given the business context in which data is provided and the reasonable expectation that a response will be given.
Retention period: 24 months from the date of last contact, after which data is deleted unless a further legal basis for retention applies.
2.2 Newsletter
Data collected: Name and email address. Where you interact with our newsletters, we also collect engagement data such as email open rates and link click activity.
Source: Directly from you at the point of subscription. Engagement data is collected automatically via our newsletter platform when you interact with a newsletter email.
Legal basis: Consent (Article 6(1)(a) GDPR). This covers both the delivery of the newsletter and the tracking of your engagement with it. We record your consent at the time of subscription (including the date, time, and method of consent) in accordance with Article 7(1) GDPR. You may withdraw your consent at any time by clicking the unsubscribe link in any newsletter email, or by contacting us at our data protection email address. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Retention period: Until you unsubscribe or withdraw your consent, following which your personal data will be deleted within 30 days. Records of your consent will be retained for an additional period of 3 years from the date of withdrawal, solely to demonstrate compliance with our legal obligations under Article 7(1) GDPR.
2.3 Website Analytics and Personalization
Data collected: Information about your device, browser, and interaction with our website, including pages visited, time spent, content viewed, and referring URLs, processed via cookies and similar technologies.
Source: Collected automatically from your device when you visit our website, subject to your cookie consent.
Legal basis: Consent (Article 6(1)(a) GDPR). We only set analytics and preference cookies after obtaining your consent via our cookie consent tool. We record your consent at the time it is given in accordance with Article 7(1) GDPR. You may withdraw or amend your consent at any time by adjusting your cookie preferences through the cookie settings link available at the bottom of every page.
Purpose (we use this data to):
For full details of the cookies we use, please see our Cookie Policy.
2.4 Ratings, Reviews and Surveys
Data collected: Name, email address, and responses or feedback provided by you.
Source: Directly from you.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is in gathering feedback on our services and products to enable us to improve them, and in communicating relevant marketing material to existing and prospective business contacts. We consider this processing to be proportionate given the business context and the reasonable expectations of recipients.
Opt-out: You may object to this processing at any time, including direct marketing, by contacting us at our data protection email address or by using any opt-out mechanism included in the communication we send you. Your right to object to direct marketing is absolute and we will act on it (see also Section 6).
Retention period: 24 months from the date of last contact or receipt of feedback.
2.5 Website Chatbot
Data collected: Any information you choose to enter into the chatbot during your session. The chatbot does not collect your name, email address, or other identifying information unless you voluntarily provide it in your message.
Source: Directly from you.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is in providing website visitors with an efficient, self-service tool to answer common questions and navigate our services. We have assessed this interest as proportionate given that interactions are session-based.
How the chatbot works: The chatbot on our website is rule-based and scripted. It does not use artificial intelligence or make automated decisions about you. It guides you through a predefined set of options and responses. No human agent reads or monitors conversations in real time.
Data masking and storage: To minimize the processing of personal data, any personal data entered into the chatbot — whether intentionally or inadvertently — is automatically masked before the conversation log is saved. Only a case reference number is retained in the stored file, solely for the purpose of tracking and follow-up where applicable.
Data retention: Chatbot conversations are retained for 12 months to be able to demonstrate compliance with the accountability principle under Article 5(2) GDPR.
We kindly ask that you refrain from entering sensitive personal data — such as financial information, health data, or identity document details — into the chatbot. The chatbot is designed as a general enquiry tool and is not intended for the transmission of sensitive information.
3.1 We Do Not Sell Your Data
We do not sell, rent, or exchange your personal data with third parties for their own commercial purposes.
3.2 Service Providers (Data Processors)
We share personal data with a limited number of trusted third-party service providers who act as data processors on our behalf. These providers are contractually bound to process your data only on our documented instructions.
Our current data processors for this website include:
| Processor | Purpose | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Google LLC (Google Analytics) | Website analytics and visitor behaviour analysis | United States | The data transfer is now supported by Art. 45 GDPR in combination with the European Commission’s adequacy decision. |
| Google LLC (Google Ads) | Advertising services, remarketing, and campaign tracking | United States | The data transfer is now supported by Art. 45 GDPR in combination with the European Commission’s adequacy decision. |
| YouTube (Google LLC) | Embedded video content | United States | The data transfer is now supported by Art. 45 GDPR in combination with the European Commission’s adequacy decision. |
| Ebbot | Chatbot | EU/EEA | – |
3.3 Legal Obligations
We may also disclose personal data to competent authorities, courts, or regulators where we are required to do so by law or by a binding order of a competent authority.
We apply appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, or misuse.
Access to personal data is restricted to authorized personnel who are subject to confidentiality obligations and who need access in order to perform their duties.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify Integritetsskyddsmyndigheten (IMY) within 72 hours, and we will notify you directly where required by law.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Specific retention periods for each processing activity are set out in Section 2. At the end of the applicable retention period, personal data is deleted or anonymized.
Where we are required to retain data for legal, regulatory, or accounting purposes, we may retain it beyond the periods stated above for that specific purpose only.
Under GDPR, you have the following rights in relation to the personal data we hold about you. To exercise any of your rights, please contact the Group DPO.
We will respond within one month of receiving your request. We may ask you to verify your identity before processing your request. We will not charge a fee unless your request is manifestly unfounded or excessive.
| Right | Description |
| --- | --- |
| Access (Art. 15) | Request a copy of the personal data we hold about you and information about how it is processed. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Erasure (Art. 17) | Request deletion of your personal data where there is no overriding legal basis for continued processing (the “right to be forgotten”). |
| Restriction (Art. 18) | Request that we suspend processing of your data in certain circumstances. |
| Data Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible. |
| Objection (Art. 21) | Where processing is based on legitimate interest, object to that processing. We will cease processing unless we can demonstrate legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defense of legal claims. |
| Objection to Direct Marketing (Art. 21(2)) | You have an absolute right to object to processing of your personal data for direct marketing purposes at any time, with no need to justify your objection. |
| Withdrawal of Consent (Art. 7(3)) | Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. |
| No Automated Decision-Making (Art. 22) | Not be subject to solely automated decision-making, including profiling, that produces legal or similarly significant effects. As noted in Section 2.9, we do not carry out such processing. |
Lodging a Complaint
If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority.
The lead supervisory authority for Myntro is:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Email: imy@imy.se
Our website may contain links to third-party websites. This privacy policy applies only to our website, and we are not responsible for the privacy practices of external sites.
We review and update this policy periodically to reflect changes in our processing activities, applicable law, or regulatory guidance.