Privacy Notice
How Couponix AB processes personal data in Expo Pay, Xhibitor and on expopay.se.
Last updated: 8 July 2026
Introduction
Couponix AB (“we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. This notice explains how we collect, use and safeguard personal data when you visit expopay.se, use our apps Expo Pay (for visitors) and Xhibitor (for exhibitors), or otherwise engage with us. We comply with the EU General Data Protection Regulation (GDPR) and applicable Swedish data protection law.
Data controller and contact
Couponix AB (reg. no. 559470-1731), registered address Flädie vagnmakarväg 7, 237 91 Bjärred, Sweden, is the data controller for the processing described here. Contact for privacy matters is provided under “Contact us” below.
Our roles: controller and processor
Couponix AB is the data controller for app users’ accounts (visitors and exhibitors) – e.g. registration, balance and completed transactions. Towards the organiser of an event we act as a data processor or joint controller for the transaction and settlement data the organiser receives about its exhibitors. The applicable role is governed by the agreement with each organiser.
Personal data we process
- Visitors (Expo Pay app): mobile number for registration/login, and transaction data (balance, top-ups, purchases and refunds).
- Exhibitors (Xhibitor app): email for registration, and sales/transaction data including settlement and refund records.
- Payment data: data related to payments via Swish, PayPal and Stripe. We do not store full card numbers.
- Technical data and app permissions: device ID, push token and – in the Xhibitor app – location data (GPS). The camera is used to scan QR codes; images are not stored.
- Contact data: if you contact us via form, email or phone (name, email, phone, message content).
- Website usage data: aggregated/anonymised analytics and cookie data on expopay.se (see Cookies).
Processing overview
| Processing | Legal basis | Retention |
|---|---|---|
| Providing the payment and event service (account, balance, payment, refund) | Performance of a contract | Duration of the customer relationship and until refunds are completed |
| Accounting of transactions | Legal obligation (Swedish Accounting Act) | 7 years |
| Anti-fraud and anti-money-laundering (AML) | Legal obligation and legitimate interests | As long as required by law |
| App notifications | Consent | Until consent is withdrawn |
| Enquiries via web form/email | Legitimate interests | Up to 12 months if no customer relationship arises |
| Operations, security and web analytics | Legitimate interests | Limited period / aggregated |
Payments and payment providers
Payments are handled by our payment providers Swish, PayPal and Stripe. When you make a payment, your payment details are processed by the respective provider under their own terms and privacy policies. We do not store full card numbers. Payment providers may act as independent controllers or as processors for their part of the processing.
Recipients and sharing
- Organisers – receive transaction and settlement data relating to their exhibitors.
- Payment providers – Swish, PayPal and Stripe to process payments.
- IT and operations providers – processing data on our behalf under data processing agreements.
- Authorities – where we are required by law, e.g. anti-money-laundering or lawful requests.
Third-party providers and sub-processors
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Swish (Getswish AB) | Payments | Sweden/EU | Data processing agreement |
| Stripe (Stripe Payments Europe) | Payments | EU + US | SCC / EU–US Data Privacy Framework |
| PayPal (PayPal Europe) | Payments | EU + US | SCC / adequacy |
| Google Cloud (Finland) | Operating the Expo Pay platform (app and payment service) | Finland/EU | EU region, data processing agreement |
| Twilio | SMS (e.g. login codes) | EU + US | SCC |
| Microsoft 365 (Microsoft) | Email and communication | EU/EEA | SCC, EU Data Boundary |
| Sentry | Error tracking and logging | EU + US | SCC |
| Amazon Web Services (Lightsail, Stockholm) | Website hosting | Sweden/EU | EU/EEA hosting, data processing agreement |
International transfers
We primarily use providers that process data within the EU/EEA. Some providers (e.g. Stripe, PayPal, Twilio, Sentry) may process data in the US or another country outside the EEA. In such cases protection is ensured through the EU Commission’s Standard Contractual Clauses (SCC), the EU–US Data Privacy Framework, or other approved safeguards and, where necessary, supplementary measures.
Data security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction – e.g. encryption, HTTPS/TLS, access controls, firewalls and logging. In the event of a personal data breach that requires it, we notify the Swedish Authority for Privacy Protection (IMY) and, where required, affected individuals without undue delay.
Retention
We retain personal data for the periods set out in the processing overview and only for as long as necessary for the purpose or to meet legal requirements. When the retention period ends we securely delete or anonymise the data.
Your rights under the GDPR
- Access – confirmation of and a copy of the data we process about you.
- Rectification – correction of inaccurate or incomplete data.
- Erasure – deletion in certain cases (“right to be forgotten”).
- Restriction – restricting the processing in certain situations.
- Data portability – receiving data you provided in a machine-readable format.
- Objection – to processing based on legitimate interests, and always to direct marketing.
- Withdraw consent – where processing is based on consent, without affecting prior processing.
- Complaint – to the Swedish Authority for Privacy Protection (IMY), our supervisory authority.
Contact us to exercise your rights. We respond as soon as possible and no later than one month. We may need to verify your identity before disclosing data.
Cookies
On expopay.se we use necessary cookies for basic functionality and security. With your consent we may also use cookies for analytics and marketing. You manage your choices via the cookie settings on the website and can change or withdraw consent at any time.
Contact us
Couponix AB
Flädie vagnmakarväg 7, 237 91 Bjärred, Sweden
Email: support@expopay.se
Phone: +46 70 324 81 28
