Finom Privacy Policy

Version: 2.1
Last Update: March 2023

Finom is the trading name of the companies PNL FINTECH BV (hereafter “Finom”, “we”, “us”, “our”). PNL Fintech BV together with Finom Payments BV and other entities form Finom Group.

This Privacy Policy concerns the services provided by Finom as described in the Terms & Conditions. This Privacy Policy informs you about the reason and scope of the collection and processing of your personal data when you use the Finom platform www.finom.co and/or the services available on the website or via the mobile application.

Responsible entities

The data controller responsible for the collection and processing of your personal data in accordance with the EU General Data Protection Regulation (“GDPR”) is:

PNL Fintech BV

Jachthavenweg 109H,
1081KM Amsterdam
The Netherlands
Trade Register number: 74178784

Finom Payments BV

Jachthavenweg 109H,
1081KM Amsterdam
The Netherlands
Trade Register number: 78680751

Finom offers a wide range of products and services. Some of these services we cannot offer alone. Therefore, we use 3 different types of arrangements:

PNL Fintech BV acts as a joint controller. This means that data processing is carried out by Finom together with another company. Both data controllers have access to the personal data and share the responsibility for handing the data and ensuring your rights under the GDPR.

PNL Fintech BV is a joint controller with Solaris SE and/or its branch (Solaris) for payment services in Germany and Italy. As a licensed credit institution, Solaris operates the necessary infrastructure for the payment services, and PNL Fintech BV provides the technology platform. Any collection, processing, and use of personal data for the provision of payment services is within the responsibility of Solaris and Finom. By subscribing to the use of payment services in Germany and Italy you agree to this Privacy Policy and the Privacy Policy of Solaris.

PNL Fintech BV is a joint controller with Finom Payments BV with respect to personal data collected for/in connection with payment services in The Netherlands and other EU countries. This Privacy Policy equally covers the serviced provided by Finom Payments BV and PNL Fintech BV.
PNL Fintech BV acts as a processor of personal data of the payment services customers in France, where the data controller is Treezor SAS (Treezor). Treezor authorizes PNL Fintech BV to process personal data needed for enabling an access to the payment services. By subscribing to the payment services in France you agree to this Privacy Policy and the Privacy Policy of Treezor.
PNL Fintech BV acts as a sole controller for online invoicing, capital deposit, company formation, and other services not mentioned above, which are offered on Finom platform.

This Privacy Policy covers the use of Finom platform at website (https://finom.co, including web application - app.finom.co) and the iOS and Android mobile applications (as soon as you download them to your mobile device) as well as services accessible from the applications above.

Should you have any questions, requests, or issues regarding your personal data, please contact our Data Protection Officer at privacy@finom.co.

Legal basis for processing of your personal data

Opening a payment account via the partners mentioned above requires provision and processing of your certain personal data. For instance, your address is needed for card delivery, your phone number is needed for verification of payments, and your email for effective communication with you. These and other data required for opening and maintaining your payment account are processed by us, Solaris and any other third parties who help us to provide you services. The legal basis for this processing is that it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR).

Please note that for many of our services and features, without the necessary personal data we will not be able to fulfill our contractual obligations, and, therefore, we will likely have to refuse entering into contract relations with you, or would terminate them.

Sometimes we need to collect and process your personal data by virtue of legitimate interests (Article 6(1)(f) GDPR). Examples of such processing include:

ensuring IT security;
preventing criminal activity, such as fraud (we collect device and session data for this purpose);
push notifications or messages relating to your existing or new services and offers;
user experience analytics and optimization;
personalization of services and tariff options;
defense against legal claims;

If you gave us consent to process your personal data for one or more specific purposes:

adding a photo avatar and allowing us to show it to other clients, for example in their contact lists, shared banking activities, or referral links (if you chose to become visible as a client);
to access contacts on your device;
to place cookies on your device.

These data are processed according to Article 6(1)(a) GDPR. You can withdraw your consent at any time, for example by removing the photo or clearing your browser cache. However, keep in mind that the processing which took place before consent withdrawal remains in effect.

When we or our partners are required to comply with any applicable laws, your personal data is processed according to Article 6(1)(c) GDPR. Some examples of processing here include verification of your identity and age, prevention of money laundering and fraud, as well as statutory tax reporting obligations.

When we process your personal data

In order for you to enter into an agreement to open a payment account, we collect the following personal data including but not limited to: email, phone number, country of citizenship, country of residency, place of birth, full name, date of birth, whether you’re a US tax resident, employment status, address, Finom Customer ID (assigned by us), Tax ID, IP, browser and device information, geolocation, details of your company.

To open a payment account and perform certain actions after opening, we are legally obligated to verify your identity. Depending on the country and the type of verification that you select this is done via one or more of the following: video identification procedure through a third-party service provider, ID document verification, verification via a selfie picture, performing a microtransaction, or qualified electronic signature. For this you need to provide a valid copy of your government-issued ID, bank details of your payment account at another financial institution, or your selfie picture.

Onceyou’ve opened your payment account, you may wish to order a virtual or physical card. To make and deliver a physical card to you, we process and transfer to our card delivery service providers your name, address, phone number, email, device ID and the information about the bank account the card is tied to. If it is a virtual card, we process all of the data mentioned above, except your address.

When you start using your payment account and Finom cards, in addition to some of the personal data provided for opening of your account, we process the following:

Transactions history (e.g. internal and external account numbers, card details, IBAN , sender/recipient name, amount, currency, date and time, customer ID, reference message, merchant name, method of payment);
History of logins, locations, and device data;
History of communications with you.

Adding your card to Google Pay or Apple Pay involves processing your card information and Google or Apple wallet ID by us and our partners. Your card information is transferred to our partner’s service provider Visa/Mastercard, where it is tokenized (encrypted) and then, together with your address, phone number and the last four digits of the card number, we pass it on to Google or Apple. They will use that encrypted card data to perform transactions whenever you pay using your mobile phone.

When you use multibanking and/or payment initiation services you issue a permission to display information about your other personal or business accounts in the Finom dashboard and initiate payment from various accounts via open banking. In this case the data we process includes but is not limited to: full name, transaction details (e.g. amount, date and time, sender/recipient name, description), your account balance, customer ID.

When you use company registration and capital deposit services, we together with our partners supporting these services process your name, date of birth, place of birth, address, email, phone number, employment status and other details necessary to establish a company in your country.

When you use online invoicing services, Finom and its partners who make these features possible for you process your name, customer ID, email, employment status, tax number, and other data that is stated on the invoices you send for recognition or generate using the Finom invoicing product.

When you contact us via support chat or by any other means, we may process such categories of personal data as your email, phone number, customer ID, language, country, as well as any information about the standing of your account or details of your transactions, depending on the issue you are experiencing. We may also collect other information if you choose to share it with us. Please do not share any additional personal data or documents, either concerning yourself or other individuals, unless specifically requested by us.

When you visit our website, we may automatically collect some personal data from your device. This information may include your IP address, date and time of the request, browser language and version, operating system version or producer, information about your device, as well as some data about how you interact with our website (e.g. which website you came from, pages visited, links clicked). We do this to keep our website secure and to understand who visits it and which pages they find interesting, so we can improve the site and provide relevant content. Some of this data is collected using cookies. You can find more information about them in our Cookie Notice.

We process the personal data you provide us with, as well as the data created as a result of your use of our application, for analytics purposes. For example, we analyze how you interact with the app and make it more intuitive and easier for you to use, or to understand whether our products and services are customised to your needs so we can make changes and develop new products and services. In that case these data are stripped of direct identifiers to provide an additional layer of protection.

From time to time we will contact you to tell you about our new products or services which we think may be of interest to you. This type of activity is considered direct marketing, and in this case we rely on your consent or our legitimate interest to process your personal data for this purpose. If you wish to withdraw your consent or object to this processing, you can switch off notifications in your app preference center, or click on the “unsubscribe” link at the bottom of the email you receive from us.

Special categories of data

We do not intentionally ask you to provide information that belongs to a “special” category, like racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning sex life or sexual orientation.

However, there may be circumstances where your transaction data reveals this more sensitive information. For example:

payments or recognition of invoices for medical services or treatments may reveal data concerning your health;
making contributions and donations to churches, NGOs, political parties, trade unions etc. may reveal your religious or philosophical beliefs or political affiliation.

Taking into account this risk, we ensure that this information is fully protected in compliance with the GDPR.

Sharing your data with third parties

In order to provide you with certain functions and services, we have to share your personal data with partners, external third-party service providers, related and regulatory entities. They only process your personal data on the basis of data processing agreements and in accordance with strict instructions, which do not allow them to use your data for any other purposes without notifying you or asking for your consent. Here are some of the categories of the parties we may share your data with:

payment services providers (Solaris, Treezor, Finom Payments);
providers that make and deliver your cards;
cloud computing and storage providers like Amazon Web Services;
analytics and business intelligence platforms like Amplitude, Microsoft PowerBI;
identity verification providers;
payment providers/processors like Klarna, or Stripe;
partners supporting the Invoicing product, like DocuMI;
providers that help us to ensure compliance with AML regulations;
vendors supporting the company registration & capital deposit process;
providers that help us to ensure your digital safety and security while on Finom platform;
partners providing business intelligence services and other proprietary databases, for instance business registers in countries across the EU, credit rating agencies, providers of sanctions screening and others;
companies that help us to send you service and marketing related messages;
providers that help us to communicate with you, like Intercom or Twillio;
providers of software that we use for internal support and issue tracking;
mobile payment providers like Google and Apple Pay.

We, our partners, service providers and others may also be required to share your personal data with various financial institutions and/or enforcement agencies or court authorities to comply with applicable laws, prevent fraud, enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or agents.

Before entering into an agreement with any new partner, vendor or service provider that will process your personal data, Finom verifies that the data transfer will be performed in accordance with the GDPR.

Data transfers to third countries

Finom stores and processes your data in the European Union (EU), to be more specific in Germany. But we cannot offer all our services by ourselves. A small number of our partners, service providers or other parties may be processing the data in countries outside the EU or the EEA. In such cases, to ensure that your personal data receives a comparable level of protection, we employ appropriate safeguards, such as adequacy decisions and frameworks or Standard Contractual Clauses approved by the European Commission.

Automated decision-making and profiling

We process your data partially automatically in order to evaluate certain personal aspects (profiling). For example, we use machine learning and other techniques to prevent fraud, combat money laundering, terrorist financing and asset-polluting crimes. Our monitoring model combines information from transaction details, customer profile data and device session data. The approach is based on current fraud trends, best practices from our partners and other sources. These measures serve to protect your interests and keep your deposits secure.

How long we keep your data

We keep your personal data for as long as it is necessary to achieve the purpose for which it was collected, usually for the duration of our contractual relationship plus any period thereafter as required by anti-money laundering or other applicable laws, or in case of potential or ongoing court litigation. When the purpose for processing is fulfilled, but we are required to keep the data, it will be restricted and stored in a secure archive. This period could range depending on the purpose, from 2 to 15 years after termination of your business relationship with us. Once that period is over, the data is anonymized/pseudo anonymized.

Your rights

Data protection laws provide you with substantial rights to help you understand and control how your personal data is used. As a result, you have the right:

to be informed about why and how we are processing your personal data - this Privacy Policy fulfills this right.
to have access to your data - you have the right to ask us if we are processing your personal data, why we are doing so, under what lawful basis, the categories of your personal data, whether the data is being sent outside the EU, who we share your data with, how long we keep it, and request a copy of the data we are processing.
to rectification - if any of your personal data that we hold is inaccurate, you can request to have it corrected. You can correct a significant number of your personal data via the app or by contacting our customer support via the chat.
to object to some processing - direct marketing, or if processing is based on legitimate interests.
to have your data deleted - also known as the “right to be forgotten”. You can exercise this right if you withdraw your consent and there is no further legitimate interest in our processing of your data. Please note that Finom has the right to reject this request if the processing is based on the basis of legal obligation or contract execution.
to restrict processing - if the personal data we are processing is inaccurate, if our processing is unlawful, if the data is no longer necessary for the original purpose of processing but needs to be kept for potential legal claims, or you have objected to processing carried out under legitimate interests and we’re still in the process of determining whether there is an overriding need to continue processing.
to ask us about automated decision-making - you have the right to ask us to explain the logic involved in making any automated decisions and for the decision to be reviewed by a human being, if that decision had an effect on your rights or freedoms.
of data portability - you can ask for your data that we process by using a computer, which you provided to us on the basis of consent or because it was necessary for a contract.
to lodge a complaint with the competent data protection authority if you have concerns about how we process your personal data (a list of national data protection authorities is available on the website of the European Data Protection Board). We encourage you to contact us first and give us an opportunity to understand and resolve the issue before filing an official complaint. This way your issue will be resolved much faster and with the FINO personal touch.

If you would like to exercise any of these rights, or find out more about how we process your personal data, please contact us at privacy@finom.co. Reasonable access to your personal data will be provided at no cost. When you decide to exercise one of the rights mentioned above, we have 30 days from the time that you submitted your request to fulfill it or provide a reasonable explanation for why we cannot fulfill it, or if we cannot fulfill it in time.

Information security

To help protect the privacy of personal data you provide through the use of our website or mobile app, we maintain physical, technical and administrative safeguards to secure your information from unauthorized access and use, alteration and destruction. We update and test our security technology on an ongoing basis; carefully assess security risks, including those associated with personal data, and work to mitigate them. Our approach is based on best practices of IT Security and industry requirements.

We restrict access to your personal data to those employees who need to know that information to provide services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your data. We commit to taking appropriate disciplinary measures to enforce our employees' data protection responsibilities.

Also, we ensure that our partners and vendors have sufficient IT security measures and standards in place to process your data securely.

Changes and updates to this Privacy Policy

As our products and services develop over time, this Privacy Policy may change as well. While we reserve the right not to send you a notification every time, we will update this Privacy Policy at all times. We may email periodic reminders of our notices and terms and conditions and will notify you of material changes thereto, but we invite you to periodically check our site or the app to see the current Privacy Policy and any updates that may have been made to it.

Solaris Addendum

Fraud prevention and anti-money laundering checks

When you register via our Finom.co website or Finom app to use the banking services provided by Solaris SE, Cuvrystraße 53, 10997 Berlin, Germany (“Solaris”), and on an ongoing basis while you use such services, Solaris will perform a risk assessment for fraud prevention and anti-money laundering purposes. For such purposes, Solaris uses SEON Technologies Kft. (Rákóczi út 42. 7. em., Budapest 1072, Hungary) as a service provider under a data processing agreement with Solaris in accordance with Art. 28 GDPR. For the processing activities described in this section, we have entered into a joint controllership agreement with Solaris (Art. 26 GDPR). We will provide you with further information at any time upon request.

In order to perform the risk assessment, we collect and transfer to Solaris the following browser data, device data, traffic data and location data from your device: IP address including type (e.g. commercial, mobile line, university) and whether it is listed as harmful, TOR value, VPN, proxy, number of accessories attached to your device, whether your phone is muted or not, device system’s volume, country code and name of carrier (a) associated with the SIM card and (b) the device is currently using, device model type and unique identifier, system uptime, iCloud token, version and name of device given by the user in iOS settings, when the device last booted in UNIX time format and UTC time zone, country code and ID associated with device, cookie session ID, and browser details / settings including scrolling behavior.

Solaris may add additional information and will then transfer such data to SEON along with your email address, name and phone number for performance of a risk analysis regarding potential fraudulent or other illicit activities.

SEON analyses this personal data based on a mathematically-statistically recognised and proven procedure and will provide Solaris with a fraud risk score. As part of the analysis, SEON may perform email analysis, social media lookup or address profiling.

Based on the analysis and risk score, you will be able to complete your registration, be rejected as a new customer, or may be guided through an extended registration process. The decision-making process is automated. If you want to challenge the automated decision and want to have a human review of this automated decision, you can get in touch with us by contacting hello@finom.co. Once you have given your consent and are onboarded, Solaris will continuously collect the above data and perform additional risk analysis via SEON for ongoing fraud risk assessment.

The legal basis of the processing is your consent and the implementation of necessary steps for entering into a contract requested by you (Art. 25 TTDSG, Art. 6 (1) lit. a, Art. 22 (2) lit. a GDPR). While you are free to give your consent, you cannot use the banking service provided by Solaris without consenting, because the fraud prevention and anti-money laundering check is necessary for a secure provision of the banking services by Solaris. As a licensed bank, Solaris has a statutory obligation to fight money laundering by setting up a functioning risk management system and internal security measures as well as an ongoing screening of customers’ activities (sections 4, 6 and 10 of the German Anti-Money-Laundering Act). You can withdraw your consent at any time by email to hello@finom.co, but without consent you will not be able to continue using Solaris’ services.

Your personal data will be stored until the purposes of processing these data as set forth above have been achieved, and be deleted within 12 months after performance of the risk assessment at the latest, unless statutory retention obligations apply (e.g. under anti-money laundering, commercial or tax law).