Table of Contents

1. Introduction

2. Personal Data We Collect

3. Purposes and Legal Bases for Processing

4. How We Share Your Information

5. International Transfers

6. Retention Periods

7. Your Rights

8. Cookies and Similar Technologies

9. Children’s Personal Data

10. Automated Decision-Making

11. Changes to This Policy

12. Contact Information

1. Introduction

Way Sweden AB is committed to protecting your privacy. This Data Protection Policy explains how we collect, use, and safeguard your personal data, and what rights you have under the General Data Protection Regulation (GDPR) and other applicable laws.

By using Way’s services, you accept this Data Protection Policy and our processing of your personal data. You also consent to Way using electronic communication channels to send you information. It is important that you read and understand this Policy before using our services.

2. Personal Data We Collect

Data you provide to us:

• Personal and contact information: name, date of birth, personal identity number, billing and delivery address, email address, phone number.
• Payment information: credit and debit card details (card number, expiry date and CVV code), bank account number, invoicing details.

Data we collect when you use our services:

• Service information: details of trips, conferences, and events you have booked.
• Financial information: any credit assessment, payment history.
• History: purchases, payments, customer interactions.
• Device and technical information: IP address, language, browser type, time zone, operating system, screen resolution.
• Geographical information: location data based on IP address.

3. Purposes and Legal Bases for Processing

Purpose

• Booking and delivery of services
• Communication with you (e.g. confirmations, feedback, customer service)
• Customer analysis, troubleshooting, statistics
• Compliance with laws (e.g. anti- money laundering, accounting)
• Marketing and customer satisfaction surveys

Personal Data

• Name, contact, and payment details
• Contact details, purchase history
• Usage data, technical data
• Personal identity number, transactions
• Email, phone number

Legal Basis

• Performance of contract
• Performance of contract / Legitimate interest
• Legitimate interest
• Legal obligation
• Consent / Legitimate interest

Retention Period

• 7 years (accounting)
• Until case is closed + 24 months
• 24 months
• As required by law
• Until consent is withdrawn

4. How We Share Your Information

We may share your data with:

• Suppliers and subcontractors: e.g. booking systems, payment providers, IT support.
• Travel companies and partners: to enable your trip or participation in events.
• Public authorities: such as the Swedish Tax Agency, Police, or Financial Supervisory Authority where required by law.
• Business transactions: in the event of a merger, sale, or acquisition.

We do not sell your personal data to third parties.

5. International Transfers

We strive to process your data within the EU/EEA. If data is transferred to a third country (e.g. the United States), this is carried out with safeguards such as:

• EU Standard Contractual Clauses (SCCs)
• Transfer Impact Assessments
• Appropriate technical and organisational safeguards

6. Retention Periods

We store personal data only as long as necessary:

• To fulfil contractual obligations
• To comply with legal obligations
• For as long as consent is valid or the legitimate interest remains relevant

Examples:

• Accounting records: 7 years
• Marketing data: until consent is withdrawn

7. Your Rights

Under the GDPR you have the right to:

• Access your data (data subject access request)
• Rectify inaccurate or incomplete data
• Erasure (“the right to be forgotten”)
• Data portability
• Object to processing
• Restrict processing

Requests should be sent to info@way.se. We respond within 30 days.

8. Cookies and Similar Technologies

We use cookies to personalise content, analyse traffic, and provide enhanced functionality. Please refer to our Cookie Policy for more details.

9. Children’s Personal Data

Our services are not directed at individuals under the age of 16. We do not knowingly collect children’s data without parental consent.

10. Automated Decision-Making

Way does not use your personal data for automated decision-making, including profiling, that produces legal or similarly significant effects on you.

11. Changes to This Policy

We reserve the right to update this Policy. Significant changes will be notified by email or on our website. The latest version is always available at www.way.se.

12. Contact Information

Data Controller: Way Sweden AB
Corporate ID No.: 556650-1739
Address: Västerås, Sweden
Email: info@way.se
Data Protection Officer: Available via the contact details above
Website: www.way.se