Information about Almi’s processing of your personal data for loan applicants, business development, or customers of Almi
This policy describes how Almi collects, uses, stores, and shares personal data about you who apply for loans, business advice, are a customer of Almi, or have been a customer.
Within the Almi Group (hereinafter Almi), Almi AB has joint controllership for personal data with its respective subsidiaries for the processing of personal data. In the context of credit and business advice, the shared responsibility is between Almi AB and the Almi Företagspartner company to which the credit or business advice application is made or through which you are/have been a customer.
Personal data may be processed in the following areas and processing activities for you who are:
- Representative, authorized signatory, or CEO of the applying company
- Employee of an applying company or customer
- Principal
- Guarantor
- Board member of the applying company
- Representative of co-financiers
- Representative of an audit/accounting firm
- Mentor
Collectively, these categories will be referred to as customers. When we refer to you as a data subject, it means that the personal data comes directly from you, whom we handle personal data about.
Categories of Personal Data and Examples of Personal Data
The information below on how Almi processes your personal data specifies which categories of personal data are included in each processing. The table below provides examples of the personal data handled in each category of personal data.
| Categories of Personal Data | Examples of Personal Data |
| User-generated data | Cookies, logs |
| Bank details | Bank name, account number |
| Criminal data | Conviction for economic crime |
| Demographic data | Date of birth, gender, marital status |
| Financial data | UC, account statements |
| Company data | Company name, organization number (personal number for sole proprietorship) |
| Identity data | Name, personal number, username, various types of ID such as Customer ID, employee number or IP address, signature, passport number, protected ID |
| Communication | Email content, type of case, editorial content, meeting notes, attendance at meetings |
| Contact details | Address, phone number, email |
| Audio- and image material | Videos, photographs, audio recordings |
| Organizational information | Role, title, group affiliation |
| Politically exposed position | Indicated if you have such a position or not |
Almi’s processing of Personal Data About You as a Customer
Below is how Almi processes your personal data where the legal basis is a legitimate interest.
For more information about Almi’s legitimate interest and the assessment that has been made, please contact Almi’s Data Protection Officer.
| Processing | Categories of Personal Data Processed | Purpose of Processing | How Personal Data is Collected |
| Business Development and Financing | Company data, Identity data, Communication, Contact details | Documentation of advice, conversations, and loans to ensure continuity, secure handling, and good customer relations, as well as information about the latest contact. | Customer, UC, Public sources, Representatives of the Customer |
| Anti-fraud | Financial information, Company data, Communication, Contact details, Organizational data | Check and review suspected fraud and report it to the police. | Customer, Generated internally |
| Guarantee Commitments | Company data, Identity data, Communication, Contact details | Handling and administration of guarantee commitments. | You as the data subject, Customer |
| Compliance - Control and audit | Company data, Identity data, Contact details | The purpose is to ensure that Almi complies with applicable laws, regulations, and internal policies. The processing of personal data may be necessary in order to carry out initiated audits. | Collected internally |
| Documentation | Company data, Identity data, Contact details | Document decisions and attendance at meetings, as well as the basis on which decisions are made. | Collected internally |
| EIF-agreements/guarantees | Company data, Identity data, Contact details | Management, administration, and reporting to the European Investment Fund for the purpose of ensuring risk coverage in the event of debt collection or bankruptcies, as well as reporting on recipients of guarantee-backed loans and any payments/recoveries related to them. | Collected internally |
| Electronic communication | Company data, Identity data, Communication, Contact details | Communicate electronically with Almi or within Almi (all communication via email, Teams, etc.). | You as data subject |
| Handling of video and image |
Identity data, Audio- and image-/video material |
Use and storage of images for internal and external purposes. | You as data subject |
| Identify Customer | Identity data | Customer identification via bank ID. | You as the data subject person, service provider |
| Incident management | Identity data | The purpose of processing personal data for incident management is to ensure that the organization can handle and address incidents effectively, while complying with data protection legislation such as the GDPR. This involves collecting, using, and safeguarding the personal data necessary to investigate, report, and resolve security incidents. | The person reporting or collected internally |
| Internal audit - audits | Financial data, Company data, Identity data | The internal audit function conducts audits with the aim of ensuring appropriate internal processes, regulatory compliance, effective risk management, etc. Audits are carried out in material areas as decided by the Board of Directors and the Risk Committee. In exceptional cases, this may require the internal audit function to process customer data. | Collected internally |
| Contact | Identity data, Contact details | To be able to contact you as a representative or interest of a potential customer, customer, or former customer. | You as the data subject person |
| Credit Decision | Bank details | Generate basis for credit decision based on incoming loan applications and for any credit. | You as the data subject person, Customer, UC |
| Credit Product – Handling of Securities | Company data, Identity data, Contact details, Organizational Information | Management of Almi’s credit products, loans, and guarantees to show which securities are linked to the credit/guarantee. | You as the data subject, Customer |
| Customer Complaints | Company data, Contact details, Organizational Information | Through a well-functioning and appropriate complaints handling process, individuals who submit a complaint are given the opportunity to have their interests addressed. This is important for maintaining public trust in Almi. | You as the data subject, Customer |
| Customer Portal | Company data, Identity data, Organizational information | Management of the portal where customers can apply for loans and information about KYC, as well as get information about engagement with Almi such as loan amount, amortization, and next payment date. | You as the data subject, Customer |
| Customer Ledger - Archiving Supporting Documents ERUF | Company data, Identity data | Archiving of supporting documentation (invoice copies and billing records saved as PDFs) in connection with invoicing, based on requirements from the Swedish Agency for Economic and Regional Growth (Tillväxtverket), where the documentation must be retained for potential follow-up research and audits. | Collected internally |
| Logs and monitoring |
User-generated data, Identity data |
Logging and monitoring the use of hardware and systems to be able to trace what happened in case of errors or irregularities or for other security reasons. | Generated internally |
| Loan Documents | Bank details, Company data, Identity data, Communication, Contact details | Handling and administration of agreements for Almi’s customers, including creating and sending out loan documents (promissory notes, securities, etc.), sending payment notices, signing documents, checking authorized signatories, ongoing contact for changes in payment plans, changes in security, etc. | You as the data subject, Customer |
| Insolvency Case | Company data, Identity data, Communication, Contact details, Organizational data | Handling and administration of insolvency cases, including documentation of the case, claims management against the company and guarantor, and collection of claims via the Enforcement Authority and court or bankruptcy trustee. | You as the data subject, Customer, Collected internally |
| Reporting statistics money laundering/terrorism | Identity data, | The management is provided with an overview via statistics on risk levels, trends, and any shortcomings in controls. Through the statistics, one can follow up on how effectively internal controls work and if further actions need to be taken. | Generated internally |
| Reporting owners |
Demographic data, Company data, Identity data, Organizational Information |
Compilation of statistics to be able to report to Almi’s owners. | Collected internally |
| Requisition to the Swedish Agency for Economic and Regional Growth | Demographic data, Company data | Requesting of grants in external projects, where the Swedish Agency for Economic and Regional Growth (Tillväxtverket) requires supporting documentation such as customer and supplier invoices, among other things. | Collected internally |
| Service during interactions with stakeholders |
Company data, Identity data, Communication, Contact details |
Contact with stakeholders and potential customers via email, contact form, chat for the purpose of responding to questions in writing and through this provide guidance regarding Almi’s products and services. For selected subsidiaries, emails are sent to the responsible subsidiary for further processing | You as data subject |
| Statistics and Reporting | Identity Information, Company Information | Compilation and aggregation of statistics for internal purposes such as improvement work, performance tracking, reporting to the board, owners, and goal tracking. | Internally sourced |
| Telemarketing | Company data, Identity data, Contact details, Organizational information | To reach an identified target audience of customers or stakeholders (e.g. potential customers), telemarketing is carried out through an external service provider. | Collected internally |
| System Testing | Company Information, Identity Information | Testing of systems/applications/APIs before production to ensure functionality and security. | Internally sourced |
| Means of verification (may be a private individual) | Contact Information, Organizational Information | Receiving and handling your application for verification means and documenting decisions. | You as the data subject, Customer |
This is how long Almi stores your personal data
Personal data in the above processes will be stored as long as necessary to fulfill the purpose of the processing.
Processes where personal data is collected with legal obligation as the legal basis.
If personal data is not provided for the processes listed below, it will affect your ability to obtain loans or business advice through Almi.
| Processing | Personal Data Handled | Purpose of Processing | Retention Period | How Personal Data is Collected |
| AML Customer Due Diligence |
Criminal data, Financial data, Company data, Identity data, Contact details, Organizational information, Politically exposed position |
Compliance with regulatory requirements by aiming to achieve proper customer due diligence in all business relationships, both prior to their establishment and on an ongoing basis throughout their duration. Conducting risk assessments (customer due diligence) with the purpose of preventing money laundering, terrorist financing, and serious crime in the context of financing, venture capital, and business advisory services. | 5 years (in some cases 10 years) after the end of the customer relationship | Customer, UC, Swedish Companies Registration Office, Swedish Tax Agency, PEP register, public sources |
| Accounting | Identity data, Company data | Archiving of documentation for invoicing for accounting purposes | 7 years | Customer |
| Customer Ledger - Invoicing | Company data, Identity data | Invoicing the customer to receive payment. | 10 years | You as the data subject, Customer |
| Customer Ledger Archiving for ERUF | Identity data, Company data | Archiving of documentation for invoicing based on requirements from the Swedish Agency for Economic and Regional Growth for ERUF funds, where documentation must be saved for potential follow-up research and control. | 10 years from the end of the ERUF program | Collected internally |
| Transaction Monitoring | Financial data, Company data, Identity data, Contact details, Organizational information | For ongoing business relationships, monitor transactions to Almi in the form of amortisations/interest for financing on the FP side and investment transactions/exits, with the aim of, as far as possible, preventing Almi from being involved in criminal transaction flows. Check incoming payments with the purpose of preventing money laundering. | 5 years from the end of the customer relationship | Customer |
| Data subject rights | All types of personal data | Receive and respond to data subject rights requests under the GDPR, as well as carry out the action requested by the data subject, e.g. access requests and erasure of personal data. | 1 year | Collected internally |
|
Information to the Swedish Police Authority/ the Swedish Financial Intelligence Unit (FIU)
|
Bank details, Criminal data, Financial data, Identity data, Communication, Contact details, Organizational information, Politically exposed position |
Disclose information to the Swedish Police Authority in accordance with legal requirements in cases of suspected money laundering or terrorist financing. | 5 years from the date the report was filed, 30 days for the data. | Collected internally |
| Annual reporting to the Financial Supervisory Authority |
Identity data, Politically exposed position |
Prepare a basis for compiling aggregated statistics for the annual reporting to the Financial Supervisory Authority as required by regulations. No personal data is shared with the FI, but processing of personal data is required in certain cases to obtain statistics. | After the statistics have been submitted. | The Data subject |
Disclosure of Personal Data
Personal data may be disclosed to your bank, authorities, and the system providers used by Almi. For exact information on to whom your personal data has been disclosed, please contact Almi’s Data Protection Officer. Note, however, that a disclosure to the police will not be notified to you, and Almi is not allowed to inform you if there is a suspicion of a crime in accordance with the Act (2017:630) on Measures Against Money Laundering and Financing of Terrorism.
The storage of your personal data takes place within the EU, but in several cases, Almi has an IT system provider that either has parent and/or subsidiary companies in countries outside the EU (third countries) and/or subcontractors in third countries. This may result in a transfer of your personal data. When transferring personal data to third countries, this is done based on the European Commission’s adequacy decisions or standard contractual clauses.
Updates of this information
This information may be updated, and significant changes will be indicated here.
2024-07-02: Restructuring and clarification regarding processing, legal basis, where personal data is obtained from, and to whom it may be disclosed.
2025-04-29: Clarified purposes and added processing activities.
Protection of Personal Data
We have taken appropriate administrative, technical, organizational, and physical security measures to protect the data we have about you from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Your Rights according to GDPR
As a data subject, you have the following rights regarding the personal data Almi holds about you:
Request Access to Your Personal Data
You have the right to access the personal data that Almi holds about you. This is also known as the right to a personal data extract. This means you have the right to request a copy of all personal data that Almi processes about you. This copy should be provided without delay and no later than one month after the request has been received.
Request rectification of Incorrect or Incomplete Personal Data
If personal data is incorrect or incomplete, you have the right to request recitification of the data, with the limitations specified by law or other regulations.
Request erasure
You have the right to contact Almi and request that personal data about you be deleted in the following cases. Deletion should be done without undue delay.
- If the personal data is no longer needed to fulfill the purposes for which it was collected
- You withdraw your consent on which the processing is based and there is no other legal basis for the processing
- You object to the processing
- The personal data has been processed unlawfully
- Personal data must be deleted to comply with a legal obligation
Restriction of Personal Data Processing
You have the right to request that Almi restrict its processing if it is unclear if and when Almi must delete your personal data. Restriction means that Almi, except for storage, may only process your personal data with your consent, to establish, exercise, or defend legal claims, or to protect someone else’s rights. You can use the right to restriction in the following cases.
- You dispute the accuracy of the personal data and Almi should investigate whether the personal data should be corrected
- You do not want Almi to delete your personal data
- Processing is unlawful, and you oppose the deletion of the personal data and instead request a restriction on its use
- Almi no longer needs the personal data, but you need it to establish, exercise, or defend legal claims
- You have objected to the processing and Almi is investigating your objection, but a decision has not yet been made
Object to Processing Based on Almi’s Legitimate Interest
You have the right to object at any time to processing if the processing is based on Almi’s legitimate interest, i.e., the legal basis for the processing is a balance of interests. For Almi to continue processing the personal data after receiving an objection, Almi must demonstrate compelling reasons that Almi’s interest outweighs your interests, rights, and freedoms. Alternatively, Almi must prove that the processing is for the establishment, exercise, or defence of legal claims.
You always have the right to object to direct marketing.
Data Portability
If processing is based on consent or contract and the processing is automated, i.e., using technology without human assistance, and you have provided personal data in a commonly used, machine-readable format, you have the right to transfer this data to another data controller.
Withdraw Your Consent
For processing based on consent, you have the right to withdraw your consent at any time. This means that Almi may no longer process your personal data for the purpose.
Contact Almi or the Swedish Supervisory Authority
For questions, exercising your rights, or other data protection matters that you want to discuss with Almi, you can contact dataskyddsombud@almi.se or write a letter to Almi AB, Dataskyddsombud, Box 70396, 107 24 Stockholm. You can also file a complaint about Almi’s processing of personal data by contacting the Swedish Supervisory Authority IMY by sending an email to imy@imy.se or writing a letter to Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.