Zenny logo with Zenny on white on dark blue background

Privacy Policy

ZENNY

Zenny AB (559501-2237), Mailbox 401, 111 37 Stockholm, Sweden

Zenny AB is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our B2B financial intelligence platform and financing services. This policy complies with the EU General Data Protection Regulation (GDPR) and applicable Swedish data protection law.

1.   DATA CONTROLLER AND CONTACT INFORMATION

1.1  Zenny AB (organisation number 559501-2237), with registered office at Mailbox 401, 111 37 Stockholm, Sweden, is the data controller responsible for the processing of your personal data in connection with the Zenny platform and financing services.

1.2  For questions about this Privacy Policy or to exercise your data protection rights, contact us at:

(a)  Email: support@zenny.ai

(b)  Postal address: Zenny AB, Mailbox 401, 111 37 Stockholm, Sweden

1.3  If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se, or the supervisory authority in your EU/EEA member state.

2.   SCOPE AND SERVICE LEVELS

2.1  Categories of Data Subjects

2.1.1  This Privacy Policy applies to personal data we process in connection with our business-to-business (B2B) services. We do not provide services to consumers. The categories of individuals whose personal data we process include:

(a)  Company directors, authorised signatories, and beneficial owners (ultimate beneficial owners, UBOs) of business entities that use our services;

(b)  Employees and authorised representatives of business customers who access and use the Zenny platform;

(c)  Contact persons for financing applications and customer relationship management; and

(d)  Individuals identified in sanctions screening and politically exposed persons (PEPs) checks.

2.1.2  All personal data processing described in this policy relates to individuals acting in a professional or business capacity, not as consumers.

2.2  Two Service Levels

We provide two levels of service, each involving different personal data processing:

Dashboard Service (Free): When you register for a Zenny account and use the dashboard, we process basic account data (name, email, company information) and any data from platforms you choose to connect. All API connections (Shopify, accounting software, bank accounts) are optional for dashboard use, though the dashboard has limited utility without connected data sources. You control which platforms to connect and when.

Financing Service: If you apply for business financing, we process additional personal data required for credit assessment, KYC/AML compliance, and risk management. This includes mandatory data collection: Shopify store connection, business bank account connection (via PSD2-licensed provider), identity verification documents, beneficial ownership (UBO) information, and credit reference checks. The financing service is governed by a separate Financing Agreement in addition to our Terms of Service.

2.2.1  The data categories and legal bases described in the following sections apply differently depending on which service level you use. We clearly identify when data collection is mandatory (financing applicants only) versus optional (dashboard users).

3.   PERSONAL DATA WE COLLECT

3.1  Data Collected from All Users (Dashboard Service)

The following data categories are collected when you register for and use the Zenny dashboard:

3.1.1  Identity and Contact Data

(a)  Full name, email address, and telephone number;

(b)  Position, role, and employer details.

3.1.2  Company Data

(a)  Company name, registration number, registered address, and jurisdiction of incorporation;

(b)  Company financial statements and business registration documents (where voluntarily provided).

3.1.3  Optional Connected Platform Data

If you choose to connect third-party platforms to enhance your dashboard experience, we access:

(a)  Shopify data (if connected): Sales revenue, transaction volumes, refunds, chargebacks, payout schedules, and store metrics;

(b)  Accounting software data (if connected): Financial statements, expense data, and accounting records;

(c)  Bank account data (if connected): Transaction history and account balance data accessed via PSD2-licensed account information service providers (AISPs);

(d)  Advertising platform data (if connected): Ad spend, campaign performance metrics, impressions, and clicks from Google Ads API, Meta Ads API, and/or TikTok Ads API.

3.1.4  Technical and Usage Data

(a)  IP address, browser type, device information, and operating system;

(b)  Login credentials, session data, and platform usage logs;

(c)  Cookies and similar tracking technologies (see Clause 10).

3.2  Additional Data Collected from Financing Applicants Only

If you apply for financing, we collect the following additional data categories (all mandatory for financing applications):

3.2.1  Enhanced Identity Verification Data

(a)  Date of birth, nationality, and personal identification number (where required for KYC/AML);

(b)  Identification documents (passport, national ID card, driver’s license) for identity verification;

(c)  Selfie or video verification (where required by our KYC provider).

3.2.2  Beneficial Ownership (UBO) Information

(a)  Names, dates of birth, nationalities, and shareholding percentages of all individuals owning 25% or more of the company;

(b)  Identification documents for beneficial owners;

(c)  Corporate ownership structure diagrams and shareholder agreements.

3.2.3  Mandatory Financial Connections

(a)  Shopify store connection (mandatory): All data listed in Clause 3.1.3(a);

(b)  Business bank account connection (mandatory): Transaction history, account balance, and cash flow data accessed via PSD2-licensed AISP.

3.2.4  Credit and Risk Assessment Data

(a)  Credit scores, payment behaviour, and credit history from credit reference agencies;

(b)  Risk assessment scores generated by our underwriting models;

(c)  Historical financing performance data (for repeat customers).

3.2.5  AML, Sanctions, and PEPs Screening Data

(a)  Data from sanctions lists (EU, UN, OFAC, etc.), including name, date of birth, place of birth, aliases, and reason for listing;

(b)  Politically exposed persons (PEPs) status and related information;

(c)  Adverse media screening results.

3.3  We do not collect or process special categories of personal data (sensitive data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, genetic data, biometric data, or data concerning sex life or sexual orientation) except where such data incidentally appears in sanctions or PEPs screening databases as part of our legal AML obligations.

4.   HOW WE COLLECT PERSONAL DATA

4.1  We collect personal data from the following sources:

(a)  Directly from you when you register for an account, connect data sources, submit a financing application, or communicate with us;

(b)  From third-party platforms and APIs you connect to our service, including Shopify, accounting software, business bank accounts (via PSD2-licensed AISPs), and advertising platforms (Google Ads, Meta Ads, TikTok Ads);

(c)  From external service providers, including credit reference agencies, KYC/AML verification providers, sanctions screening databases, and PEPs databases (financing applicants only);

(d)  From publicly available sources, including company registries, trade registers, and official sanctions lists.

5.   PURPOSES AND LEGAL BASIS FOR PROCESSING

5.1  We process your personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

5.1.1  Providing the Zenny Platform and Dashboard Services

Legal basis: Article 6(1)(b) GDPR — Performance of contract

Data processed: Identity and contact data (Clause 3.1.1), company data (Clause 3.1.2), optional connected platform data (Clause 3.1.3), technical and usage data (Clause 3.1.4).

This processing is necessary to provide you with access to the Zenny dashboard, analytics, and insights based on the data sources you choose to connect. All API connections are optional for dashboard use.

5.1.2  Processing Financing Applications and Credit Assessment

Legal basis: Article 6(1)(b) GDPR — Performance of contract

Data processed: All data categories in Clause 3.1 and Clause 3.2, including mandatory Shopify and bank account connections, enhanced identity verification, UBO information, and credit reference data.

This processing is necessary to assess your eligibility for financing, determine credit terms, manage credit risk, and fulfill our contractual obligations under any Financing Agreement. This processing applies only to financing applicants.

5.1.3  AML, KYC, KYB Compliance and Sanctions Screening

Legal basis: Article 6(1)(c) GDPR — Compliance with legal obligation

Data processed: Enhanced identity verification data (Clause 3.2.1), UBO information (Clause 3.2.2), AML/sanctions/PEPs screening data (Clause 3.2.5).

This processing is required by Swedish anti-money laundering legislation (Penningtvättslagen 2017:630) and EU AML Directives (4AMLD, 5AMLD, 6AMLD). We are legally obligated to conduct customer due diligence, verify beneficial ownership, and screen against sanctions lists before providing financing services. This processing applies only to financing applicants.

5.1.4  Accounting, Tax, and Regulatory Reporting

Legal basis: Article 6(1)(c) GDPR — Compliance with legal obligation

Data processed: Identity and contact data, company data, financial transaction records from financing relationships.

This processing is required by Swedish accounting legislation (Bokföringslagen 1999:1078), tax law, and financial services regulation. This processing applies primarily to financing customers.

5.1.5  Fraud Prevention and Platform Security

Legal basis: Article 6(1)(f) GDPR — Legitimate interests

Our legitimate interest: Protecting our platform, customers, and business from fraud, financial crime, unauthorized access, and security threats.

Data processed: Technical and usage data, financial and transactional data, identity verification data.

We have assessed that this processing is necessary to maintain a secure and trustworthy service and is not overridden by your interests, rights, or freedoms.

5.1.6  Platform Improvement and Analytics

Legal basis: Article 6(1)(f) GDPR — Legitimate interests

Our legitimate interest: Improving our services, developing new features, and understanding how users interact with the platform.

Data processed: Technical and usage data, aggregated and anonymized financial data.

We use aggregated and anonymized data that does not identify individual users or companies. We have assessed that this processing is not overridden by your interests, rights, or freedoms.

5.1.7  Customer Support and Communication

Legal basis: Article 6(1)(b) GDPR — Performance of contract

Data processed: Identity and contact data, technical data, support correspondence.

This processing is necessary to respond to your inquiries, provide technical support, and fulfill our obligations to assist you in using the service.

5.1.8  Business Communications and Service Updates

Legal basis: Article 6(1)(f) GDPR — Legitimate interests

Our legitimate interest: Informing existing business customers about service updates, new features, and relevant product information.

Data processed: Identity and contact data.

This is limited to business-to-business communications with existing customers and does not include consumer marketing. You may opt out of these communications at any time. We have assessed that this processing is not overridden by your interests, rights, or freedoms.

5.2  You have the right to object to processing based on legitimate interests (Article 6(1)(f)) as set out in Clause 12.1.6. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

6.   ADVERTISING PLATFORM DATA (GOOGLE, META, TIKTOK ADS)

6.1  If you connect your Google Ads, Meta Ads, or TikTok Ads accounts to the Zenny platform, we retrieve advertising performance data (ad spend, impressions, clicks, conversions, campaign metrics) via these platforms’ APIs. This data is processed on the legal basis of contract performance (Article 6(1)(b) GDPR) to provide you with consolidated analytics and business insights within the Zenny dashboard.

6.2  We access this data in read-only mode. We do not modify, create, or manage advertising campaigns on your behalf through these APIs.

6.3  We may use aggregated and anonymized advertising performance data in combination with AI-powered analytics tools to generate business improvement recommendations and insights for you. Where such processing involves sharing data with third-party AI service providers, we ensure appropriate safeguards are in place, including data processing agreements and, where applicable, standard contractual clauses.

6.4  You retain full control over your advertising accounts. You may disconnect these integrations at any time via the Zenny platform settings.

7.   DATA RETENTION

7.1  We retain personal data for the following periods:

Account and customer relationship data: Duration of business relationship + 3 years

AML/KYC/KYB data and financing agreements: 5 years after end of relationship (minimum AML retention requirement under Swedish law)

Accounting and tax records: 7 years from end of fiscal year (Swedish accounting law requirement)

Declined financing applications: 12 months from date of decline

Marketing communications consent: Until account closure or opt-out

Technical and usage logs: 12 months (for security incident investigation and troubleshooting)

7.2  At the end of the applicable retention period, personal data is securely deleted or anonymized in accordance with our data retention and deletion procedures.

7.3  In certain circumstances we may retain personal data for longer periods where required by law (e.g., ongoing legal proceedings, regulatory investigations) or where necessary to establish, exercise, or defend legal claims.

8.   DISCLOSURE AND SHARING OF PERSONAL DATA

8.1  We do not sell personal data to third parties. We may share personal data with the following categories of recipients:

8.1.1  Service Providers and Processors

(a)  Cloud hosting and infrastructure providers (for data storage and platform hosting);

(b)  PSD2-licensed account information service providers (AISPs) for read-only access to bank account data (financing applicants only);

(c)  Payment service providers for payment collection (Autogiro, SEPA Direct Debit) for financing customers;

(d)  KYC, AML, and identity verification service providers (financing applicants only);

(e)  Credit reference agencies and risk assessment providers (financing applicants only);

(f)  Customer support and communication tools (e.g., email service providers, helpdesk software);

(g)  Analytics and business intelligence service providers.

8.1.2  Connected Platforms and APIs

We access data from platforms you explicitly connect (Shopify, accounting software, advertising platforms, bank accounts). We do not share your Zenny account data with these platforms beyond what is technically necessary for the API integration to function.

8.1.3  Legal and Regulatory Authorities

We may disclose personal data to law enforcement, regulatory authorities (including Finansinspektionen, the Swedish Financial Supervisory Authority), courts, or other public bodies where required by law, including for AML reporting, tax compliance, or in response to valid legal requests.

8.1.4  Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity. We will notify you of such transfer and ensure the successor entity is bound by equivalent data protection obligations.

8.2  All third-party service providers acting as data processors are contractually obligated to process personal data only in accordance with our documented instructions, to implement appropriate security measures, and to comply with GDPR and applicable data protection law. We conduct due diligence on all processors before engagement.

9.   INTERNATIONAL DATA TRANSFERS

9.1  Personal data is primarily processed and stored within the European Economic Area (EEA). However, some of our service providers and connected platforms (including Shopify Inc., advertising platforms, and cloud infrastructure providers) may process data outside the EEA, including in Canada and the United States.

9.2  Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of GDPR, including:

(a)  European Commission adequacy decisions for countries determined to provide an adequate level of data protection (e.g., Canada for commercial organizations under PIPEDA, United Kingdom);

(b)  Standard Contractual Clauses (SCCs) approved by the European Commission, with appropriate supplementary measures where required following the Schrems II decision;

(c)  Binding Corporate Rules or other approved transfer mechanisms where applicable.

9.3  You may request information about the specific safeguards in place for international transfers and obtain copies of relevant transfer mechanism documents by contacting support@zenny.ai.

10.   COOKIES AND TRACKING TECHNOLOGIES

10.1  The Zenny website and platform use cookies and similar tracking technologies to provide functionality, improve user experience, and analyze usage patterns.

10.1.1  Types of Cookies We Use

Strictly necessary cookies: Required for the platform to function, including login, session management, and security. Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.

Functional cookies: Enable enhanced features and personalization. Legal basis: Article 6(1)(f) GDPR (legitimate interest in providing enhanced user experience).

Analytics cookies: Help us understand how users interact with the platform. Legal basis: Article 6(1)(f) GDPR (legitimate interest in improving our service).

Advertising platform cookies: Used where you connect advertising platforms to display relevant campaign data. Legal basis: Article 6(1)(b) GDPR (contract performance).

10.1.2  Managing Cookies

You can manage cookie preferences through your browser settings. Please note that disabling strictly necessary cookies will prevent you from using core platform functionality. Disabling other cookies may affect certain features but will not prevent basic use of the service.

10.1.3  Third-Party Cookies

Some cookies are set by third-party service providers integrated into our platform. These third parties have their own privacy policies governing their use of cookies. Third-party cookies used on our platform may include analytics providers and, where applicable, connected advertising platforms.

11.   DATA SECURITY

11.1  We implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

(a)  Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);

(b)  Access controls and authentication mechanisms, including role-based access control (RBAC) and multi-factor authentication (MFA) for administrative access;

(c)  Regular security assessments, vulnerability scanning, and penetration testing conducted by qualified third parties;

(d)  Secure software development practices, including code review, security testing, and dependency management;

(e)  Employee training on data protection, information security, and confidentiality obligations;

(f)  Incident response procedures and personal data breach notification processes in accordance with GDPR Articles 33 and 34;

(g)  Regular backups with encrypted storage and tested recovery procedures;

(h)  Network security measures including firewalls, intrusion detection, and DDoS protection.

11.2  While we take all reasonable precautions to protect personal data, no method of transmission over the internet or method of electronic storage is completely secure. You acknowledge that you provide personal data at your own risk.

11.3  In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay (within 72 hours of becoming aware where feasible) and in accordance with GDPR requirements.

12.   YOUR DATA PROTECTION RIGHTS

12.1  Under GDPR, you have the following rights regarding your personal data:

12.1.1  Right of Access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data and receive information about the processing, including the purposes, categories of data, recipients, retention periods, and your rights.

12.1.2  Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.

12.1.3  Right to Erasure / Right to be Forgotten (Article 17 GDPR)

You have the right to request deletion of your personal data in certain circumstances, including where:

(a)  the data is no longer necessary for the purposes for which it was collected;

(b)  you withdraw consent (where processing is based on consent) and there is no other legal ground for processing;

(c)  you object to processing based on legitimate interests and there are no overriding legitimate grounds;

(d)  the data has been unlawfully processed.

This right is subject to exceptions, including where we are required to retain data for legal or regulatory purposes (e.g., AML obligations under Swedish law require 5-year retention, accounting law requires 7-year retention). We will inform you if an exception applies.

12.1.4  Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of the data, object to processing, or where processing is unlawful but you prefer restriction to erasure.

12.1.5  Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to transmit that data to another controller where processing is based on consent or contract and carried out by automated means. We will provide the data within one month of your request.

12.1.6  Right to Object (Article 21 GDPR)

You have the right to object to:

(a)  Processing based on legitimate interests (Article 6(1)(f)) — we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms;

(b)  Processing for direct marketing purposes — we will cease such processing immediately upon your objection.

12.1.7  Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Where we use automated credit scoring or risk assessment models in financing applications, we ensure:

(a)  Human review and oversight of all financing decisions;

(b)  The opportunity for you to express your point of view and contest the decision;

(c)  Transparency about the logic involved and the significance and consequences of such processing.

12.1.8  Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal. You can withdraw consent by contacting support@zenny.ai or adjusting your settings in the Zenny platform.

12.1.9  Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

(a)  Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY): www.imy.se, imy@imy.se, Box 8114, 104 20 Stockholm, Sweden;

(b)  The supervisory authority in your EU/EEA member state of habitual residence, place of work, or place of alleged infringement.

12.2  Exercising Your Rights

12.2.1  To exercise any of these rights, contact us at support@zenny.ai. We will respond to your request without undue delay and in any event within one (1) month of receipt. In complex cases or where we receive multiple requests, we may extend this period by a further two (2) months and will inform you of the extension and the reasons for delay.

12.2.2  We may request additional information to verify your identity before processing your request. This is a security measure to ensure personal data is not disclosed to unauthorized persons. We may request a copy of identification documents or ask you to confirm information we already hold.

12.2.3  We will provide information and take action free of charge. However, where requests are manifestly unfounded or excessive (e.g., repetitive requests), we may charge a reasonable fee or refuse to act on the request.

13.   CHANGES TO THIS PRIVACY POLICY

13.1  We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. The effective date at the top of this policy indicates when it was last updated.

13.2  If we make material changes that reduce your rights or significantly change how we process your personal data, we will notify you by email to your registered address and/or via a prominent notice on the Zenny platform at least thirty (30) days before the changes take effect.

13.3  The current version of this Privacy Policy is always available at www.zenny.ai/privacy-policy/. We encourage you to review this policy periodically.

14.   CHILDREN'S PRIVACY

Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. Our services are provided exclusively to business entities and their authorized representatives. If we become aware that we have inadvertently collected personal data from an individual under 18, we will delete it promptly.

15.   CONTACT INFORMATION AND DATA PROTECTION REQUESTS

For questions, concerns, or requests related to this Privacy Policy or our processing of your personal data, please contact us at:

Zenny AB

Organisation number: 559501-2237

Address: Mailbox 401, 111 37 Stockholm, Sweden

Email: support@zenny.ai

For data protection requests specifically (e.g., access requests, erasure requests, rectification requests), please clearly indicate in your email subject line the nature of your request (e.g., "GDPR Access Request" or "GDPR Erasure Request") to ensure prompt handling.

Last updated: 18.2.2026