Dashboard Privacy Policy

Date Last Revised: January 14, 2021

Welcome to Dashboard, a platform provided by the Contracting Party specified in Section 1.5 below (also referred to as "Company", "we", "our" or "us"), allowing to view financial information relating to payment accounts and payment account data in a consolidated way. This Dashboard Privacy Policy ("Privacy Policy") describes and summarizes the policies and procedures employed by the Company with respect to the collection, use, storing, processing, disclosure, sharing, transfer and protection of personal data provided or acquired through your use of the Services made available to you via Digest and Dashboard (all such terms as defined below).

The Company takes the privacy of individuals very seriously. We are committed to maintaining the security, confidentiality, availability and integrity of the personal data in our custody or control, and protecting such data in accordance with the applicable legislation. The technological developments in the information society are continually evolving, along with the threats that such innovations pose to the privacy of individuals and the security of their personal data. The Company continually assesses the employed security measures, both technical and organizational, in order to determine the appropriate level of protection. We regularly review our privacy and security practices and adapt them as necessary to deal with new regulatory requirements, changes in legislation and/or security standards.

To make it easier for you to navigate through this Privacy Policy and find the relevant information quickly, we have divided it into the following sections for convenience:

Section 1 – DEFINITIONS
Section 2 – APPLICATION
Section 3 – ACKNOWLEDGEMENT
Section 4 – COLLECTION OF PERSONAL DATA
Section 5 – USE OF INFORMATION
Section 6 – CHILDREN'S PRIVACY
Section 7 – DISCLOSURES AND TRANSFERS
Section 8 – LEGAL BASES FOR PROCESSING
Section 9 – PARTNER’S ROLE UNDER DATA PROTECTION LAWS
Section 10 – SPECIAL CATEGORIES OF PERSONAL DATA
Section 11 – ANTI-SPAM LEGISLATION
Section 12 – THIRD PARTY WEBSITES
Section 13 – YOUR RIGHTS UNDER GDPR
Section 14 – DATA RETENTION AND DELETION
Section 15 – PERSONAL DATA SECURITY
Section 16 – NOTIFICATION OF PERSONAL DATA BREACH
Section 17 – PRIVACY POLICY UPDATE
Section 18 – CONTACT INFORMATION

1. DEFINITIONS

For the purposes of this Privacy Policy, in addition to the capitalized terms defined elsewhere in this Privacy Policy, the following terms shall have the meanings ascribed to them as follows:

1.1. "Account Information Services" means an online service to provide consolidated information on one or more Payment Accounts held by you with either another payment service provider or with more than one payment service provider.

1.2. "Analytical Report" means a report generated by the Company based on the processing of your Payment Account Data, comprising analyses of your Payment Account Data for specified Payment Accounts, periods and analytical items, such as balance, income, expenses and savings.

1.3. "Account Provider" means the payment service provider that provides and maintains a Payment Account for you (e.g., bank, building society, electronic money institution).

1.4. "Consent" means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of your Personal Data.

1.5. "Contracting Party" means the party identified in the table below:

Payment Account held by: Contracting Party Contracting Party details Supervisory Authority
an Account Provider in the United Kingdom Salt Edge Limited
Registered address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, England, United Kingdom
Registration number: 11178811
Information Commissioner’s Office
Head office address:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Contact details:
0303 123 1113
https://ico.org.uk/
an Account Provider in a member country of the European Union/European Economic Area BudgetBakers s.r.o.
Registered address: Radlická 180/50, Smíchov 150 00 Praha 5, Czech Republic
Company identification number: 02882957
The Office for Personal Data Protection
Address:
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Contact details:
+420 234 665 111
https://www.uoou.cz/en/
an Account Provider in a member country of the European Union/European Economic Area Spendee a.s.
Registered address: Namesti I.P. Pavlova 1789/5, 120 00 Prague, Czech Republic
Company identification number: 05912890
The Office for Personal Data Protection
Address:
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Contact details:
+420 234 665 111
https://www.uoou.cz/en/

1.6. "Controller", "Data Subject", "processing" (including its derivatives), "Processor" and "Supervisory Authority" as used in this Privacy Policy have the meanings given to such terms in the GDPR.

1.7. "Dashboard" means the online platform located at https://www.saltedge.com/dashboard accessed by you with your User Account credentials in order to use the Services, including without limitation any content, images, text and icons within such platform.

1.8. "Digest" means an online widget providing you with a summary overview of your Payment Account Data at a given date, as a result of your use of the Services.

1.9. "Data Protection Laws" means the GDPR and its implementation in the national law of, as applicable, the United Kingdom (Data Protection Act 2018) or the Czech Republic (Act No. 110/2019 Coll., on personal data processing), as well as the laws implementing or supplementing the GDPR in each EU Member State, and which are applicable to the Company as regards the privacy, protection, processing, collection, use or disclosure of your Personal Data, as amended, replaced or superseded from time to time.

1.10. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.11. "GDPR Consent to Share Data" means a freely given, specific, informed and unambiguous indication of your wishes by which you, by a clear affirmative action, give explicit consent to the Company to share your Payment Account Data and/or Analytical Reports with the designated Partner.

1.12. "Partner" means the third party that redirects you to the Services with whom you instruct and authorize the Company to share your Payment Account Data, based on your GDPR Consent to Share Data.

1.13. "Payment Account" means an account accessible online held in your name by the respective Account Provider, including but not limited to current account, e-money account, flexible savings account and credit card account.

1.14. "Payment Account Data" means the information made available from your Account Provider relating to your Payment Account, including without limitation account details (account name, number, balance, currency, etc.), transactions details (transaction amount, currency, date, description, etc.), account holder details (name, address, email, phone number), and features and benefits of your Payment Account, that is accessed and automatically retrieved by the Company through the Services and presented to you in the Digest or Dashboard after processing.

1.15. "Payment Regulations" means PSD2 and all applicable laws or regulations in force from time to time in the Company’s jurisdiction giving effect to PSD2, together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by the relevant national competent authority with respect to PSD2 implementation.

1.16. "Personal Data" has the meaning given to it in GDPR and includes without limitation Registration Information, Payment Account Data, Analytical Reports and Personalized Security Credentials.

1.17. "Personalized Security Credentials" means the personalized features, including without limitation Account Provider’s API access tokens, username, password, access number, security questions and answers, token/SMS codes, and multifactor information, provided to you by your Account Provider for the purposes of authentication, including but not limited to strong customer authentication.

1.18. "PSD2" means the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

1.19. "PSD2 Consent" means the explicit consent given by you to the Company to access your Payment Account for the purpose of providing Account Information Services to you.

1.20. "Registration Information" means the information that you provide to the Company (or, in relation to your email address, that the respective Partner provides to the Company on your behalf) for the purpose of setting up a User Account, including without limitation email address, password, phone number and any other information that the Company may be required by law or regulation to collect for identity verification during or subsequent to User Account registration (as provided directly by you or, under certain circumstances, by the relevant Partner on your behalf during registration), as the same may be updated by you from time to time.

1.21. "Services" means the Account Information Services, whether provided via Digest or Dashboard, and, as applicable, the functionalities (including consent management functionalities), content, features, tools or services as made available by the Company from time to time in the Dashboard.

1.22. "Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

1.23. "User Account" means the unique user account in the Dashboard set up with the Company.


2. APPLICATION

The Company recommends that you read this Privacy Policy carefully and entirely to ensure that you are aware of all the practices and policies of the Company in respect of Personal Data collection, use, disclosure, processing and protection. This Privacy Policy applies to all users of the Services, whether via Digest or Dashboard.


3. ACKNOWLEDGEMENT

By accessing and using the Services and agreeing to the Dashboard Terms of Service you hereby: (i) acknowledge and confirm that you are at least eighteen (18) years old, or of the legal age of majority in the jurisdiction in which you reside, and (ii) consent to the collection, use, and processing of your Personal Data as described in this Privacy Policy. Except as set forth in this Privacy Policy, the Company will not use your Personal Data for any other purpose without your Consent. The Company will only disclose your Personal Data to third parties strictly in accordance with, and for the purposes set forth in, this Privacy Policy. The Company does not, and will not, sell, lease, license or rent your Personal Data to any third party, nor will the Company use the collected Personal Data for advertising or marketing purposes unless you give your Consent for such use.


4. COLLECTION OF PERSONAL DATA

When you use the Services, the Company will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services and/or generating Analytical Reports, as well as complying with applicable laws or regulations. The Company collects Personal Data primarily in four (4) ways:

  1. Information you provide to the Company voluntarily:
    1. When you contact the Company’s support team (by email or contact form in the Dashboard) with respect to any issues relating to the Services or communicate with the Company in any other way, you voluntarily give the Company information that the Company collects and processes for the purposes as described in the Dashboard Terms of Service and this Privacy Policy. The provided information may include Personal Data such as: name, email address, phone number and financial data. When you voluntarily submit Personal Data with your enquiry or request, the Company will process any such Personal Data in accordance with this Privacy Policy. In some cases, the Company may require additional information, including Personal Data, in order to identify you while processing your enquiry or request. The Company may also maintain records of such communications with you, including any follow-ups and subsequent feedback, for internal purposes.
    2. In order to be able to use the Services in the Dashboard you must create a User Account. During the registration process you will have to supply your Registration Information.
    3. In accordance with regulatory requirements applicable to the Company with respect to anti-money laundering, terrorist financing and related customer identity, status and operations checks, you may be required from time to time to provide additional Personal Data in order to establish matters such as identity, affiliation, public exposure, ownership of Payment Accounts, purpose of transactions and origin of funds on your Payment Accounts.
    4. In order for the Company to be able to provide the Account Information Services and, as applicable, generate Analytical Reports, you will have to authenticate yourself towards your respective Account Provider with your Personalized Security Credentials. The Personalized Security Credentials are always stored encrypted. The Company will use the Personalized Security Credentials provided by you in order to establish a secure connection to your Payment Account in the respective Account Provider and retrieve the associated Payment Account Data in accordance with the Payment Regulations and as further described in the Dashboard Terms of Service.
  2. Information the Company collects from Account Providers: For the purposes of providing the Account Information Services to you and, as applicable, for the purposes of generating Analytical Reports, the Company will access your Payment Account held by the respective Account Provider in read-only mode based on your PSD2 Consent in order to retrieve, use, store and process your Payment Account Data.
  3. Information the Company receives from Partner: If you have been redirected to the Dashboard from a Partner, the Company will receive your email address from such Partner in order to automatically set up your User Account when you start using the Services. We may also receive your email address from the Partner, who has redirected you to the Digest. Under certain circumstances, some of the additional information (such as your full name, date of birth, residence address, type of Payment Account – own, shared or legal, etc.) that we require for compliance with applicable anti-money laundering, terrorist financing and performing related customer identity, status and operations checks as prescribed by law, may be provided to the Company by the relevant Partner during the registration of your User Account.
  4. Information the Company collects through your use of the Services:
    1. Information the Company collects automatically. Each time you use the Services, the Company collects information relating but not limited to: (i) which Services are being used, (ii) all the areas within the Services that you visit, (iii) the time of day when you access and use the Services, (iv) actions taken by you when using and interacting with the Services, (v) which Services or parts thereof generate error messages, and (vi) your browser, operating system, geolocation data and internet protocol ("IP") address. The Company collects this information automatically as part of its technical log files or other metadata, as well as through the use of cookies, web beacons and other similar tracking technologies. All personally identifiable information collected through your use of the Services is treated as Personal Data in accordance with the terms of this Privacy Policy. The Company may also use the collected information in an anonymized aggregated way (i.e., in such a manner that the Data Subject is no longer identifiable, directly or indirectly, from such data) for a variety of purposes, including but not limited to improving user experience, enhancing the Services and developing new services (see further Section 5.b. “Use of Non-Personal Data”).
    2. Information collected by cookies. A cookie is a data file placed on a device when it is used to access a service. Cookies or similar technologies may be used for many purposes, including without limitation remembering you and your preferences and tracking your access to the Services and your visits to the Dashboard. Cookies work by assigning a number to users that has no meaning outside of the assigning website or application. The Company uses cookies for various purposes, including, without limitation, analyzing trends, gathering statistical data, improving user experience and the overall quality of the Services and tracking your movements within the Dashboard. The Company encodes and encrypts the cookies so that only the Company can interpret the information stored in them. Cookies can be disabled or controlled by setting a preference within your web browser or on your device. Thus, if you do not want information to be collected through the use of cookies, you can restrict or limit the use of cookies at the individual browser or device level. However, if you choose to disable cookies some features of the Services may not function properly or the Company may not be able to customize the delivery of information to you. For detailed guidance on how to control, manage and delete cookies, you are advised to visit https://www.aboutcookies.org/.
      • First-party cookies: The Company uses session cookies and persistent cookies when you use the Services. These types of cookies are essential to the operation of Digest and Dashboard and the provision of Services. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer. They store information in the form of a session identification that does not personally identify you. The persistent cookies are set with expiration date and are stored on your hard drive until they expire or you delete them. The Company does not collect any Personal Data in the session and persistent cookies. The Company uses session and persistent cookies for technical purposes, including but not limited to verifying the origin of requests, distributing requests among multiple servers, authenticating you and determining what functionality of the Services you are allowed to access.
      • Third-party cookies: The Company also uses third-party cookies. These third-party service providers with whom the Company has contracted help analyze certain online activities and provide analytics services. The Company uses the following third-party cookies: Google Analytics and Google Tag Manager. The Company has integrated Google Analytics and Google Tag Manager, analytics tools provided by Google Inc., in the Digest and Dashboard in order to collect and analyze data about users’ activity. Google Analytics and Google Tag Manager use cookies that collect information allowing the Company to understand how you interact with Digest and Dashboard. Such information contains online identifiers, including cookie identifiers, IP addresses and device identifiers, which may be considered Personal Data under the applicable Data Protection Laws. The Company has enabled the IP address anonymization feature that prevents the storage of full IP address information in Google Analytics cookies. Google Inc. uses the collected information to evaluate the use of Digest and Dashboard and provide online reports and other related services that help us enhance user experience. The collected information may be transferred to and stored in the U.S.A. by Google Inc. or any third-party service providers acting on its behalf. If you object to the collection and processing of such data by Google Inc., you must install a browser add-on (available at https://tools.google.com/dlpage/gaoptout) which will prevent further collection and transmission of information via Google Analytics cookies. Additional details about Google Analytics cookie usage can be found here.
    3. Information collected by web beacons. Web beacons are images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing website usage and activity. Web beacons or similar technologies help the Company better manage the Services, count users of the Services, monitor how users navigate the Services, count how many emails that we send are actually opened and, generally, measure performance. The Company does not link the information gathered by web beacons to your Personal Data. Web beacons do not collect Personal Data.

5. USE OF INFORMATION

  1. Use of Personal Data: The Company may use the collected Personal Data for the following purposes:
    • to provide, maintain, administer, support, protect and improve the Services;
    • to meet the regulatory compliance requirements set forth in the applicable laws;
    • to generate Analytical Reports;
    • to share Payment Account Data and/or Analytical Reports with your Partner;
    • to provide customer support;
    • to handle and process enquiries submitted by you;
    • when you use the Services via Dashboard, to send system alert messages relating to the Services and your User Account;
    • to enforce compliance with the Dashboard Terms of Service;
    • to investigate any illegal activity or wrongdoing in connection with the Services;
    • to protect the rights, property and safety of users, the Company and third parties;
    • to transfer the Personal Data in case of a sale, merger, consolidation, or acquisition. In such case, any acquirer will be subject to the Company’s obligations under this Privacy Policy;
    • to store the Personal Data, in order to be able to provide the Services and/or to generate Analytical Reports, on the Company’s servers or servers provided by third parties, whom the Company has contracted and who are committed to complying with the Company’s obligations set forth in this Privacy Policy;
    • to troubleshoot, investigate and fix service-related errors. In such cases, your Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by the Company;
    • to combine Personal Data with information obtained through the use of cookies, web beacons or similar technologies, in order to improve the Services and user experience;
    • to comply with legal obligations to which the Company is subject;
    • to establish compliance with the Data Protection Laws during an audit or inspection conducted by an appropriate Supervisory Authority, provided that at all times the Personal Data will remain subject to the provisions of this Privacy Policy;
    • to generate Anonymized Data and/or Anonymized Aggregated Data (as defined below); and
    • to respond to your requests for exercising your rights under the applicable Data Protection Laws.
  2. Use of Non-Personal Data: The Company may generate anonymous data derived from or based on Personal Data collected from you or acquired from your use of the Services, which anonymous data can no longer be used to identify, directly or indirectly, a natural person ("Anonymized Data"), and may combine or incorporate such Anonymized Data with or into other similar data or information collected from other users or derived from other users’ use of the Services ("Anonymized Aggregated Data"). The Company may use such Anonymized Data and Anonymized Aggregated Data for various business purposes, including, but not limited to:
    • providing, maintaining, supporting and improving the Services;
    • conducting analytical research, compiling statistical reports and performance tracking;
    • developing and/or improving other the Company’s services and products; and
    • sharing such Anonymized Data and Anonymized Aggregated Data with the Company’s affiliates, agents and/or Subcontractors (as defined below in Section 7.a).
  3. Anonymized Data and Anonymized Aggregated Data are not Personal Data, and consequently the provisions in this Privacy Policy are not applicable to such data. For the avoidance of doubt, the Company will not sell Anonymized Data and Anonymized Aggregated Data.


6. CHILDREN’S PRIVACY

Protecting the privacy of children is especially important to the Company. The Services are not directed to children under the age of eighteen (18) years and the Company does not knowingly solicit, collect or process Personal Data from persons under eighteen (18) years of age. If we become aware of the fact that Personal Data of persons less than eighteen (18) years of age has been collected via the Services, we will take the appropriate steps to delete such information without undue delay.


7. DISCLOSURES AND TRANSFERS

By using the Services and submitting any Personal Data to the Company, you acknowledge and agree that your Personal Data may be processed in and transferred to jurisdictions other than your country of residence which may have data privacy and protection laws different than those in your country. Personal Data may be accessed by staff authorized by the Company or acting on Company’s behalf from a country (including a third country) other than your country of residence for the purposes of troubleshooting and debugging. Your Personal Data will only be stored within the EU and will only be transferred outside the EU as set forth in the GDPR. The Company will take all adequate measures to ensure that Personal Data is at all times treated securely and in accordance with this Privacy Policy. The Company will only transfer and/or disclose Personal Data (i) as specified in this Privacy Policy, and (ii) as otherwise authorized by you by giving Consent to the disclosure and/or transfer to any other third party.

  1. Disclosure and/or Transfer to Subcontractors: The Company has put in place adequate contractual (including data protection, confidentiality and security provisions) and other technical and organizational measures with subcontractors that we may engage from time to time in connection with the provision, operation, security and/or maintenance of the Services or part thereof and/or with the generation of Analytical Reports ("Subcontractors"). We will restrict access, disclosure and/or transfer of Personal Data to Subcontractors to what is strictly necessary for the performance of such Subcontractors’ contractual obligations towards us. The Company will ensure that each Subcontractor complies with the provisions in this Privacy Policy. At the date of this Privacy Policy the Company engages the following Subcontractors:
    • Salt Edge Inc., 251 Laurier Ave. West, Suite 900, Ottawa, Ontario K1P 5J6, Canada
  2. Disclosure and/or Transfer to Processors: The Company may disclose and/or transfer Personal Data to Processors engaged by us to carry out the processing of Personal Data on our behalf in connection with the provision of Services and/or with the generation of Analytical Reports. The Company will ensure that any engaged Processor provides sufficient guarantees that appropriate technical and organizational measures are implemented and that processing of Personal Data by Processor will meet the requirements set forth in this Privacy Policy and the applicable Data Protection Laws. If processing of Personal Data by Processor will involve transfer by The Company of Personal Data to a third country, such transfer will take place either (i) on the basis of an adequacy decision by the European Commission, or (ii) by entering into the standard contractual clauses adopted by the European Commission, and subject to any other applicable transfer requirements set forth in Chapter V of the GDPR. At the date of this Privacy Policy the Company engages the following Processor:
    • Salt Edge Inc., 251 Laurier Ave. West, Suite 900, Ottawa, Ontario K1P 5J6, Canada
  3. Disclosure to Account Providers: In order to provide the Account Information Services and, as applicable, to generate Analytical Reports, we will disclose to your respective Account Provider certain Personal Data (particularly, Personalized Security Credentials and in certain cases, depending on the Account Provider, your Payment Account number).
  4. Disclosure by Sharing with Partner: We will share your Payment Account Data (after processing, including without limitation data enrichment, carried out by the Company on such data) and/or Analytical Reports with the designated Partner based on your GDPR Consent to Share Data.
  5. Disclosure for Legal Reasons: We may disclose Personal Data without your Consent when we believe in good faith that the disclosure of such information is reasonably necessary or appropriate:
    • to comply with the Data Protection Laws, any subpoena, enforceable request from the competent authorities, or other legal process;
    • to enforce our rights against you or in connection with a breach by you of the Dashboard Terms of Service, including investigation of potential violations;
    • to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of the Company or third parties;
    • to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), the Company’s rights or property, other users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
    • to help us comply with a legal obligation to which the Company is subject, or accounting or security requirements, in which case we may disclose such information to our auditors, professional consultants, accountants and/or legal advisors.

    In all the foregoing cases, the Company will disclose Personal Data only as required or permitted by the applicable Data Protection Laws.

  6. Transfer of Ownership: Your Personal Data may be disclosed and/or transferred upon change of control as a result of a sale of all or a substantial portion of the Company’s assets or stock, merger, acquisition or reorganization, including any due diligence process carried out in relation to the same, provided that the Personal Data disclosed continues to be used by the entity acquiring access to such information solely for the purposes permitted by, and subject to the provisions of, this Privacy Policy. If the entire or substantial ownership of the Company or Services were to change, your Personal Data may be transferred to the new owner to ensure continuity of the Services. In any such transfer of ownership your Personal Data will remain subject to the provisions of the then current Privacy Policy. Where at the relevant time you are using the Services via Dashboard, the Company will provide reasonable advance notice to you via the Services and/or by email notification of any such change in ownership or control of your Personal Data or in case such Personal Data becomes subject to a different privacy policy.

8. LEGAL BASES FOR PROCESSING

The Company acts as Controller of your Personal Data processed in connection with the provision of Services and, as applicable, the generation of Analytical Reports. The Company will adhere to the following general principles with respect to Personal Data processing:

  1. not collect more Personal Data than reasonably necessary for the purpose of providing the Services and, as applicable, generating Analytical Reports;
  2. not use Personal Data for any other purposes than those specified in this Privacy Policy;
  3. ensure that all personnel authorized by the Company to process Personal Data have committed themselves to confidentiality obligations which are materially consistent with the Company’s obligations under this Privacy Policy, or are under an appropriate statutory or professional obligation of confidentiality; and
  4. not knowingly solicit, access, collect and/or process any Special Categories of Personal Data, except when required for compliance with applicable anti-money laundering, terrorist financing and performing related customer identity, status and operations checks as prescribed by law.

The Company’s legal bases for processing the Personal Data collected as described in this Privacy Policy will depend on the type of Personal Data and the circumstances under which it is collected. We will collect and process Personal Data based on the following legal bases:

  1. processing is necessary for the performance of a contract to which you are a party, particularly for the provision of the Services and the generation of Analytical Reports under the Dashboard Terms of Service;
  2. processing is based on your GDPR Consent to Share Data, pursuant to which the Company discloses by sharing with the designated Partner the Personal Data and/or Analytical Reports, as indicated in, and authorized by you through, such GDPR Consent to Share Data;
  3. processing is necessary for compliance with a legal obligation to which the Company is subject; and/or
  4. processing is necessary for the purposes of the legitimate interests pursued by the Company as the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of Personal Data.

If there is another legal basis for us to collect and process Personal Data, we will provide the required notification to you at or before the time the Personal Data is collected.

If you voluntarily submit or provide Personal Data to the Company when contacting us with an enquiry or request relating to the Services, Digest, Dashboard, your User Account or otherwise, you will be deemed to have given your Consent to the collection, use and processing of Personal Data by the Company as reasonably necessary to carry out the specific purpose(s) for which you have provided the Personal Data. The Company will rely on such implied Consent as if it were given to the Company under normal circumstances.


9. PARTNER’S ROLE UNDER THE DATA PROTECTION LAWS

By sharing your Payment Account Data and/or Analytical Reports with the Partner designated in the GDPR Consent to Share Data, such Partner, as the receiving party, will act as an independent Controller with respect to the Personal Data so shared. Therefore, the Partner is solely responsible for complying with its obligations as Controller as set forth in the applicable Data Protection Laws, including without limitation with respect to the processing, confidentiality and security of your Personal Data by Partner after the Company shares such data with the Partner. The Company will not be responsible for any subsequent processing carried out by any Partner with whom the Company shares your Personal Data based on your GDPR Consent to Share Data. The Company will only be responsible for the sharing of your Personal Data and ensuring that it is shared securely and with the intended recipient.


10. SPECIAL CATEGORIES OF PERSONAL DATA

You acknowledge that we do not, manually or automatically, analyze, filter, map or perform any other similar type of processing operations for the purpose of identifying Special Categories of Personal Data that may be included in your Payment Account Data. Therefore, the Company will not be deemed to process Special Categories of Personal Data by virtue of such data possibly being included in your Payment Account Data. However, under certain circumstances prescribed by law and in accordance with regulatory requirements applicable to the Company with respect to anti-money laundering, terrorist financing and related customer identity, status and operations checks, we may require you to provide additional Personal Data that may include Special Categories of Personal Data (e.g., passport information). We will process any collected Special Categories of Personal Data in order to comply with the legal obligations to which the Company is subject. You are requested at all times to refrain from voluntarily providing any Special Categories of Personal Data by any means of communication to the Company unless we expressly request you to provide such data.


11. ANTI-SPAM LEGISLATION

If you use the Services via Dashboard, the Company may, from time to time, send you informational emails. We are committed to controlling unsolicited commercial email, or “spam”. In this respect, we will include an “unsubscribe” or “opt-out” link in any informational emails sent to you. You can opt out of receiving such informational emails by following the instructions included in the emails. The Company will not sell, lease or rent its email subscribers lists to any third party, nor will we use the collected email addresses for purposes other than those for which they were initially collected without your Consent. You cannot opt out of receiving any emails that we are required by law or regulation to provide to you in connection with the Services used via the Dashboard, such as system notification emails, notification on changes or updates to this Privacy Policy or the Dashboard Terms of Service, or other important mandatory notifications relating to your use of the Services.


12. THIRD-PARTY WEBSITES

The Services may include links to, or otherwise direct your attention towards, websites operated and controlled by third parties (including without limitation Partners and Account Providers) and not by the Company. Access to any third-party website is at your own risk, and you must be aware of the fact that linked websites have terms and privacy policies different from those of the Company. If you decide to provide any Personal Data when accessing such links or using the services provided by such third parties, the respective third parties, and not the Company, will be responsible for complying with the obligations set forth in the applicable Data Protection Laws in respect of any Personal Data you submit to them and any processing activities carried out by such third parties on such Personal Data.


13. YOUR RIGHTS UNDER GDPR

Taking into account the nature of the processing and the type of Personal Data processed, you have the right to exercise the following rights as set forth in the GDPR:

  1. the right to be informed: you have the right to receive fair processing information about your Personal Data processed by us, including without limitation the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, in particular transfers to recipients in third countries or international organizations, and the appropriate safeguards relating to such transfers;
  2. the right of access: you have the right to obtain: (i) confirmation that your Personal Data is being processed, and (ii) access to such Personal Data;
  3. the right to rectification: you are entitled to have Personal Data rectified if it is inaccurate or incomplete;
  4. the right to erasure (right to be forgotten): you have the right to request the deletion of your Personal Data when there is no compelling reason for its continued processing or, where the Consent is the legal basis for processing, you withdraw Consent to such processing;
  5. the right to restrict processing: you have the right to block processing of your Personal Data on the grounds specified in the GDPR;
  6. the right to data portability: you may request to receive free of charge a copy of Personal Data stored in our systems in a structured, commonly used and machine-readable format, or have us transmit the data directly to another organization, if this is technically feasible;
  7. the right to object: you have the right to object to (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), (ii) direct marketing (including profiling), and (iii) processing for purposes of scientific/historical research and statistics;
  8. rights in relation to automated decision-making and profiling: you have the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual);
  9. the right to lodge a complaint with a Supervisory Authority: you have the right to lodge a complaint about the Company’s data protection or privacy practices, or the exercise of any of your rights with respect to your Personal Data, with your local Supervisory Authority;
  10. the right to withdraw Consent: provided that the Consent is the legal basis for processing, you may withdraw Consent to our processing of your Personal Data at any time. You may also withdraw your GDPR Consent to Share Data at any time by contacting us or by using the consent management tools available in the Dashboard.

You may exercise any of the foregoing rights at any time by contacting the Company (see further Section 18 for contact details). The Company will endeavor to respond to any requests submitted by you in the manner and as set forth in the GDPR. Where your requests for exercising your rights under GDPR are manifestly unfounded or excessive, in particular because of their repetitive character, or further copies of the Personal Data undergoing processing are requested, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.


14. DATA RETENTION AND DELETION

The Company will retain Personal Data for no longer than strictly necessary for the purposes for which such Personal Data is collected and processed. The retention period depends on the requirements of the applicable laws or regulations we must comply with, the purposes of the collection and processing of Personal Data, and the legitimate interests of the Company to establish, exercise or defend our legal rights.

We will delete your Personal Data from our production systems when:

  1. the provision of Services is terminated under the Dashboard Terms of Service. For clarity, Services provided to you via Digest are terminated at the end of the day following the day on which you have given the PSD2 Consent associated to that instance of Services provision;
  2. you delete your User Account or such account is terminated by the Company as described in the Dashboard Terms of Service;
  3. the Company deletes your User Account due to inactivity; or
  4. you exercise the right to be forgotten or, if applicable, withdraw Consent.

As a result of the deletion, your Personal Data associated with your User Account will be deleted and excised permanently from the Company’s production systems, subject to our right to generate Anonymized Data and Anonymized Aggregated Data prior to such deletion. Further use of the Services by you will be impossible. Notwithstanding anything to the contrary in this Section 14, the Company will retain your Personal Data or portions thereof:

  1. in backup files on our backup servers for a period of up to one (1) month from the date of deletion from the production systems, in accordance with general internal retention procedures;
  2. in log files in order to: (i) comply with the requirements of the applicable laws or regulations, (ii) exercise or defend (ongoing) legal claims, and (iii) meet audit or statutory requirements. The retention period for Personal Data retained in log files will be a minimum of five (5) years from the date of deletion from the production servers, or such longer period as required by the applicable laws, unless subject to statutory or regulatory change; and
  3. in our internal systems, to the extent such Personal Data is part of the Company’s records generated by applying know-your-customer and anti-money laundering checks, including, without limitation, copies of identity documents, conducted monitoring and analyses, information obtained by electronic identification means, as required for the Company to comply with applicable anti-money laundering, counter-terrorist financing and similar regulatory requirements. The period of such retention shall be a minimum of five (5) years from the date of deletion of your User Account or last use of the Services in Digest mode, as applicable, unless otherwise provided by applicable laws or unless competent authorities extend such period in accordance with applicable laws.

Backups and log files containing Personal Data are stored separately from the production servers. All Personal Data retained in backup files and log files will be treated in accordance with the terms of this Privacy Policy for as long as it is retained before being automatically deleted after the retention period has elapsed.

Backup files are stored using strong asymmetric encryption and the Company’s authorized personnel don’t access such files in the ordinary course of business operations, nor will we actively process any Personal Data retained in backup files anymore.


15. PERSONAL DATA SECURITY

  1. Online Confidentiality:
    1. You must keep secure the access credentials for your User Account and never disclose them to any third party. You are solely responsible for maintaining the confidentiality of such access credentials. If you suspect that the access credentials have been stolen or become known to others, you must change them immediately and notify us without undue delay. The Company shall not be responsible for any loss or damage resulting from access to your User Account through Registration Information or access credentials obtained from you or through violation of this Privacy Policy or the Dashboard Terms of Service.
    2. Although we will take appropriate measures to ensure that your Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information may be intercepted. Therefore, we cannot guarantee the security of Personal Data that you choose to voluntarily send to us via electronic means. The Company expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by you or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
  2. Personal Data Safeguards: The Company is committed to maintaining the confidentiality, integrity and security of the Personal Data of users. We employ advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. The Company strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. We carefully select the individuals privileged with access to Personal Data in accordance with our internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect our systems from unauthorized access, we use a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to our systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24/7. The Company databases are both physically and logically protected from general employee access. We also enforce physical controls on our premises. We are routinely verified for our use of encryption technologies and audited for our privacy practices. The Company tests its systems, Dashboard, Digest and Services for any failure points that might allow hacking.

16. NOTIFICATION OF PERSONAL DATA BREACH

If a security breach causes an unauthorized intrusion into the Company’s systems, software or networks that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Company ("Personal Data Breach"), we will notify the relevant Supervisory Authority(ies) unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of affected users. The Company will report the Personal Data Breach to the relevant Supervisory Authority without undue delay after having become aware of it and in any case within the timeframes as provided for in the applicable Data Protection Laws. When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of affected users, or if required by the relevant Supervisory Authority, we will also communicate the Personal Data Breach to the affected users without undue delay.


17. PRIVACY POLICY UPDATE

The Company reserves the right to change this Privacy Policy at any time and from time to time in order to reflect changes in the Services, the Dashboard Terms of Service or the applicable laws. If we decide to change this Privacy Policy in the future, we will post an appropriate notice at the top of this Privacy Policy page and/or, if you use the Services via Dashboard, give you reasonable advance notice through the Services or by email. Any non-material change (such as clarifications) to this Privacy Policy will become effective on the date the change is posted and any material changes will become effective thirty (30) days from their posting on this webpage. Unless stated otherwise, this Privacy Policy applies to all Personal Data collected and processed by the Company in connection with the Services and the generation and sharing of Analytical Reports. The date this Privacy Policy was last revised appears at the top of this webpage. You are advised to print a copy of this Privacy Policy for reference and revisit this Privacy Policy from time to time to ensure that you are aware of any changes. Your continued use of the Services after the changes to this Privacy Policy become effective signifies your acceptance of any such changes.


18. CONTACT INFORMATION

If you have any questions, comments or feedback regarding this Privacy Policy or our collection, use, disclosure or processing of Personal Data, or any other privacy or security concern, please address them to the Company using the following contact details:

Contracting Party Contact details Data Protection Officer
Salt Edge Limited
Mailing address:
Level 39, One Canada Square,
Canary Wharf
London E14 5AB
United Kingdom
Email: privacy@saltedge.com
Mailing address:
Level 39, One Canada Square,
Canary Wharf
London E14 5AB
United Kingdom
Email: dpo@saltedge.com
BudgetBakers s.r.o.
Mailing address:
Radlická 180/50, Smíchov
150 00 Praha 5
Czech Republic
Email: dashboard@budgetbakers.com
Mailing address:
Radlická 180/50, Smíchov
150 00 Praha 5
Czech Republic
Email: dpo@budgetbakers.com
Spendee a.s.
Mailing address:
Namesti I.P. Pavlova 1789/5
120 00 Prague
Czech Republic
Email: dashboard@spendee.com
Mailing address:
Radlická 180/50, Smíchov
120 00 Prague
Czech Republic
Email: dpo@spendee.com