
Privacy Notice of finAPI GmbH for Account Information Services and Payment Initiation Services
17.09.2025, V2.0

1. Note on language versions

This privacy notice is available in several languages. The German version is the only authoritative and legally binding version. Other language versions are provided for your information only.

2. Name and contact details of the controller and contact details of the Data Protection Officer

finAPI GmbH (hereinafter “finAPI”), Adams-Lehmann-Straße 44, D-80797 Munich (AG München, HRB 175250), email: kontakt@finapi.io.
finAPI’s Data Protection Officer can be reached at the above address (attn. Department Data Protection) or by email at datenschutz@finapi.io.

3. Data processing by finAPI GmbH or third parties

3.1 Purposes of processing and legitimate interests pursued by finAPI or by a third party

a) finAPI is a payment institution supervised by the German Federal Financial Supervisory Authority (BaFin) providing account information services and payment initiation services.
With the account information service, we provide a service via your service provider (e.g. online merchant, lending bank, financial management platform, provider of creditworthiness assessments) that enables you to retrieve your account information, to prepare it where applicable depending on the requested service (e.g. data categorisation such as determining income, rental costs, number of chargebacks) and to make it available to your service provider. To this end, you log in to your online banking via our web interface or your bank’s web interface. finAPI then retrieves your account information from your bank and transmits to the service provider you selected the account information required for the respective service to be provided.

With the payment initiation service, we enable you to initiate payment orders and payment transactions with your account provider. Before submission, your disposable limit may be checked.

In order to provide the account information and payment initiation services, processing of your personal data is necessary. The purpose of processing is first and foremost the fulfilment of our contractual obligations towards you as an end user or prospect, as well as towards our customers (your service provider).

b) As a payment institution, finAPI is subject to specific supervisory requirements and regulatory obligations such as preventing, detecting and identifying fraud or preventing terrorist financing. When you use finAPI’s account information and payment initiation services, your personal data may also be processed by us for the fulfilment of such legal obligations.

c) As part of payment transactions and to increase your transaction security, we perform a verification of payee (Verification of Payee, VOP) pursuant to the EU Instant Payments Regulation (EU) 2024/886. The recipient’s name and IBAN are automatically compared with the data stored at the recipient’s bank. This applies to SEPA credit transfers and SEPA instant credit transfers within the EU/EEA; accounts that are not payment accounts (e.g. savings accounts) are excluded from this requirement. Corporate customers (undertakings) may, as the payer, voluntarily opt out of payee verification for batch payments. The processing of these data serves solely to enable allocation and verification of the payee in line with security provisions for payment services.

d) Ensuring IT security and IT operations may, under certain circumstances, also require the processing of your personal data. In addition, we process the retrieved data to the extent permitted by law and required in each case for internal purposes. This includes processing for quality assurance (e.g. conducting evaluations and analyses of our services), to improve and expand our services (such as training the categorisation of account transactions) and the related research and development activities of finAPI or its affiliated companies. We may also process your personal data, where applicable, for our own receivables management or for direct marketing of our own services. If you contact us, e.g. by email, we process the data you provide for the purpose of handling the enquiry and any follow-up correspondence. Where possible, we anonymise or pseudonymise your data.

e) finAPI services are also available for accounts from the United Kingdom (hereinafter UK accounts). Connection of UK accounts takes place via the partner token.io Ltd. (hereinafter “partner token”), which holds an authorisation from the UK financial authorities to provide financial services (account information and payment initiation services). Via your selected service provider you will be directed to a finAPI web interface which uses token’s services in the background. To use the desired services, you will be redirected to the relevant bank’s website to log in to the respective online banking.

f) The partner token retrieves the required account information from your bank, forwards it to finAPI for further agreed processing (e.g. categorisation) and makes the data required for the service available to your service provider. With the payment initiation service, we enable you to initiate payment orders and payment transactions with your account provider in the UK via the partner token. For this purpose, we forward the data you provide to our partner token for payment initiation.
For more information on data processing with token, please refer to Section 3 of this privacy notice.

g) It may be necessary to process your personal data if your service provider contacts us in the event of technical issues or questions related to our service. Only the personal data necessary to clarify the matter will be processed.

h) If you, as an end user, contact us, your data will be processed solely for communication with you. This also applies if, as a consumer, you wish to exercise your data subject rights under the GDPR (see Section 4).

i) If you use our services to pay for your online purchases, your personal data may, in individual cases and in the course of audits by our supplier, be processed. This serves the purpose of verifying the accuracy of commission statements for payments. Where possible, we anonymise personal data.

j) Your personal data are also disclosed to authorities or institutions where there is a legal obligation to do so, or to selected third parties (e.g. in the case of legal advice).

3.2 Legal bases for processing

We process personal data on the basis of the applicable data protection laws, in particular the provisions of the General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSGneu), as well as in accordance with the provisions of the German Payment Services Supervision Act (ZAG).
We process personal data on the basis of Art. 6(1)(b) GDPR and Sec. 59(2) ZAG for performing pre-contractual measures, for fulfilling finAPI’s contractual obligations towards our customers (your service provider) and towards you as an end user or prospect. Details can be found in our Terms of Use governing your use of our account information and payment initiation services.
Furthermore, we process your data, to the strictly necessary extent, on the basis of Art. 6(1)(c) GDPR to comply with legal, in particular supervisory, obligations. Pursuant to Art. 6(1)(f) GDPR, we may process your personal data where processing is necessary for the purposes of the legitimate interests pursued by finAPI or by a third party, and where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Personal data are processed only where permissible after balancing all interests. The legitimate interest in processing arises from the respective purposes pursuant to Section 3.1 and may also be of an economic nature.

The account information to be made available to your service provider may, where applicable, contain special categories of personal data (cf. Art. 9(1) GDPR). This may include information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data or data concerning sex life or sexual orientation. For example, corresponding inferences could be drawn from payment references or payment beneficiaries. The permissibility of processing such data for the provision of the service is agreed between you and your service provider.

You are under no obligation to provide us with personal data. However, without your data we cannot perform the contractual relationship and thus cannot provide the contractually agreed services.

3.3 Source of the data

We process your personal data in the context of account information and payment initiation services. The personal data arising in this context originate from credit and financial institutions, card issuers and other financial data providers, which are accessed only with your consent and after you have logged into your online banking via our finAPI application or, for UK accounts, via the partner token. The source of the data may therefore vary depending on the service used. Since access to accounts always requires your consent, you are aware of the accounts enabled for access by finAPI and the personal data contained therein. Your personal data may also reach us via your service provider (e.g. in the event of technical issues) or directly from you (e.g. from your email enquiry).

3.4 Location of data processing

We process your personal data in Germany or in the EU; see Section 3.6 for further information.

3.5 Categories of personal data that may be processed

3.6 Recipients of personal data

a) Recipients for the purposes referred to in Section 3.1(a) are customers of finAPI (i.e. the provider you have chosen) located in the European Economic Area and in Switzerland as well as, where applicable, in other third countries (provided that an appropriate adequacy decision by the European Commission exists for such countries or standard contractual clauses have been agreed, which can be viewed at https://www.finapi.io/datenschutz-dsgvo/). Other recipients for the purposes referred to in Section 3.1(b) may include external processors of finAPI under Art. 28 GDPR as well as external and internal units of finAPI. Furthermore, for the purposes referred to in Section 3.1(b), finAPI may disclose customer data to third parties, to the extent necessary and legally permissible (e.g. external service providers such as IT providers, operators of end-user applications based on finAPI services, affiliated companies or business partners, as well as account-holding institutions). Sensitive access data which enable access to account information at your account providers are disclosed by finAPI exclusively to the relevant account-holding institution and not to any other third parties. finAPI is also subject to statutory powers of intervention by public authorities.

b) We process your personal data in data centres in Germany or the EU via hosting by Amazon Web Services. The service provider of Amazon Web Services is Amazon Web Services EMEA SARL, 5 rue Plaetis, Luxembourg, L-2338, Luxembourg. We have concluded a data processing agreement with the service provider pursuant to Art. 28 GDPR.
The provider is headquartered in the United States, so in exceptional cases data may be transferred between Amazon Web Services EMEA SARL and its parent company. For processing we use a multi-layer encryption system. Personal data are never accessible in unencrypted form on AWS servers and cannot be viewed by AWS itself or other third parties (including the US parent company). Encryption is performed according to the current state of the art and meets the requirements of the GDPR.
You can find more information about the data processed through the use of Amazon Web Services (AWS) in the privacy policy at https://aws.amazon.com/de/privacy/.

c) For connecting some bank accounts from the EU, we process data via token GmbH, c/o Industrious, Schicklerstraße 5, 10179 Berlin. For connecting UK accounts, we use token.io Ltd., 4th Floor, 70 St Mary Axe, London, EC3A 8BE, England, whose data processing is contractually carried out in the EU. We have concluded a data processing agreement with the service provider pursuant to Art. 28 GDPR.
In exceptional cases, a data transfer may take place between token GmbH and token.io Ltd. with the affiliated company token Inc., 548 Market Street, STE 57805, San Francisco, CA, 94104-5401, USA. For any such transfer, standard contractual clauses have been concluded between token GmbH, token.io Ltd. and token Inc. as appropriate safeguards pursuant to Art. 46(1) and (2)(c) GDPR. Further information on partner token’s privacy can be found at: https://token.io/policies/privacy-policy

d) Our services GiroIdent Plus, GiroIdent Youth Protection and GiroIdent GwG provide additional verification of name, address and date of birth; with GiroIdent GwG also the IBAN. For this purpose, we use a comparison with the database of SCHUFA Holding AG, Komoranweg 5, 65201 Wiesbaden. SCHUFA Holding AG is a reliable and secure credit reference agency. Only those personal data necessary for the service are transmitted to the provider. Further information on the provider SCHUFA’s data protection can be found at: https://www.meineschufa.de/de/datenschutzhinweis.

e) To provide quick and effective support in the event of technical problems or questions, we handle enquiries in our ticketing system, a software solution by Zendesk, 989 Market St, San Francisco, CA 94103, USA. As soon as your service provider contacts our support, a ticket is created automatically.
We have contractually agreed with the provider that the processing of personal data takes place exclusively in the EU. For any possible data transfer to the USA, Zendesk uses standard contractual clauses which, as appropriate safeguards pursuant to Art. 46(1) and (2)(c) GDPR, comply with data protection requirements. We have concluded a data processing agreement with the service provider pursuant to Art. 28 GDPR.
Further information on Zendesk’s data protection can be found at: https://www.zendesk.de/company/agreements-and-terms/privacy-notice/
In case of technical questions or malfunctions of banks’ FinTS interfaces, which we obtain via B+S Banksysteme Aktiengesellschaft, we contact B+S customer support (B+S Banksysteme Aktiengesellschaft, Elsenheimerstraße 45, 80687 Munich, or B+S Banksysteme Salzburg GmbH, Siezenheimer Straße 39a, A-5020 Salzburg). The customer, i.e. your service provider, receives information via the Zendesk ticketing system if further data processing via B+S was necessary. We have concluded a data processing agreement with the service provider pursuant to Art. 28 GDPR. Further information on the data protection of B+S Banksysteme Aktiengesellschaft can be found at: https://bs-ag.com/wir-uber-uns/datenschutz/

3.7 Period of data storage

We store personal data only for a certain period. The decisive criterion for determining this period is necessity. Personal data are therefore stored and processed for as long as is required for the respective purposes. It should be noted that the business relationship with you may be long-term and that finAPI processes data at least until the end of this contractual relationship. In addition, commercial, tax and supervisory retention, documentation and information obligations may apply, to which finAPI is bound. Such periods are usually up to ten years. Furthermore, processing may be required for longer, for example for the purposes of data protection control, data backup and legal defence. If the data are no longer required for the purposes of processing, they will be deleted.

4. Data processing via the partner token

Account information services and payment initiation services that relate to UK accounts are provided via the partner token (see 3.1(c) of this privacy notice), as the partner holds the necessary authorisation from the UK authorities.
For account access and retrieval of account information, as well as for payment initiation services, token.io Ltd., 4th Floor, 70 St Mary Axe, London, EC3A 8BE, England, is the controller within the meaning of the GDPR; the partner token’s Terms and Conditions apply (further information is provided in the Terms of Use). finAPI performs the activities of providing the web interface or forwarding to your bank’s web interface (to log in to your online banking for UK accounts) as well as receiving the retrieved account information as a processor pursuant to the GDPR. A data processing agreement exists between the partner token and finAPI for this purpose.

Further processing of account information (e.g. categorisation) in connection with UK accounts is carried out by finAPI as the controller pursuant to the GDPR. The data processing described in Section 2 applies analogously in this section.
In this context, a transfer of data from finAPI to the partner token may be necessary, for example in support matters. Such data transfers take place in your own interest pursuant to Art. 6(1)(b) GDPR. There is an EU adequacy decision for the United Kingdom, so any transfer of data to the UK offers the same level of data protection as in the EU.

Further information on the partner token’s data protection can be found at: https://token.io/policies/privacy-policy

5. Rights of data subjects

In cases where finAPI acts as controller, you have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. You may exercise these rights at any time by contacting finAPI (for contact details see Section 1). You also have the option of contacting a supervisory authority. The supervisory authority responsible for finAPI is the Bavarian State Office for Data Protection Supervision.
You may revoke any consent granted at any time with effect for the future. This also applies to consents granted before the GDPR entered into force. Revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its revocation.

6. Profiling / Categorisation / Artificial Intelligence

If required by your selected service provider, after an account access triggered by you, information from your online banking account may be processed via our application using automated data processing (categorisation) and transmitted to your service provider, allowing conclusions to be drawn about your personal and economic situation (e.g. average income, rent, loan liabilities, number of chargebacks). Automated data processing may also be carried out for designated services via our systems that use algorithms of artificial intelligence. These systems are implemented within the finAPI architecture, i.e. no data are transferred to third parties, in particular not to providers of artificial intelligence.

We do not make any decision regarding any product conclusion that you may desire (e.g. loan granting). This lies solely within the responsibility of your service provider. Your service provider will inform you about any profiling and automated decision-making taking place on its side.
