– The English version is purely for the sake of your convenience and not authoritative. You can find the German version here. –

Privacy policy for the use of finleap connect Initiation and/or Information services as well as finleap connect value-added services

Last updated: November 2019

finleap connect GmbH (“finleap connect” or “we”) is at all times aware of the importance of the data entrusted to us. The responsible handling, confidentiality and protection of your data is therefore of particular importance to us. Your personal data is processed exclusively within the framework of the statutory provisions, the applicable data protection law and this privacy policy. With this privacy policy we inform you of which personal data we collect within the scope of your use of finleap connect Initiation Services, finleap connect Information Services and finleap connect value-added services (collectively referred to as finleap connect Services), and finleap connect Partner Services and for which purpose the data is used. The overriding aim of processing your data is usually to enable the integration of your financial data (where appropriate refined by finleap connect) into finleap connect Partner services, or to facilitate the initiation of payments from finleap connect partner services, or to facilitate the account switch from an “old” or replaced bank to the finleap connect Partner (the “new” or receiving bank).

In the text below we will show you the type, scope and purpose of processing your personal data. You can access this information at any time on our ​website. In addition, we provide you with the data protection information pursuant to the EU General Data Protection Regulation, which summarises the contents of this data protection declaration, in a separate document.

We ask you to take not of the following information:

Controller/contact

finleap connect decides on its own responsibility about the technical means that finleap connect uses to deal with the different financial sources, such as communication with banks. The purposes of data processing are partly specified by legal regulations, as well as by finleap connect’s offer, and derive from the relevant use. For these reasons, finleap connect sees itself as the “controller” under Art. 4 no. 7 of the General Data Protection Regulation (GDPR), other data protection laws applicable in the member states of the European Union, and other data protection provisions.

finleap connect’s contact address is:

finleap connect GmbH
Gaußstraße 190c
22765 Hamburg Germany

Managing Directors: Taner Akcok, Patrick Dittmer, Ramin Niroumand, Cornelia Schwertner

External Data Protection Officer:

Marc Neumann
IBS data protection services and consulting GmbH Zirkusweg 1
20359 Hamburg
Germany

If you have any queries or suggestions regarding data protection, please do not hesitate to contact us by e-mail.

As finleap connect is the controller, there is no need for a Data Processing Agreement between finleap connect and you, for example, if ​your own use of finleap connect’s Initiation and/or Information Services ​also includes the data of third parties within the scope of a commercial relationship between you and the third party (in particular in the form of transaction data).

Subject of data protection

The subject of data protection is personal data. The law defines this as individual specifications about the personal or objective circumstances of an identified or identifiable natural person. Personal data is thus information that can be used to draw conclusions about an identified or identifiable natural person. In principle, all information about which a personal reference can be made also falls under the concept of personal data. A personal reference is, for example, a person’s name, address, e-mail address, telephone number, IBAN, IP address or earnings. Furthermore, usage data is also a personal reference. Usage data means data that is required to use our website. This includes, for example, information about the start, end and scope of your use.

General information on the use of finleap connect Initiation services, finleap connect Information services and finleap connect value-added services

The following information applies irrespective of whether you use finleap connect services once or permanently. For detailed additional information on permanent use, please refer to Section 4 “Additional information for the permanent use of finleap connect Initiation and Information Services”.

Automated data collection

When using finleap connect Services, your Internet browser or mobile phone automatically transmits data for technical reasons. The following data is collected:

  • Date and time of access
  • Internet browser type/version
  • Operating system used
  • Resource retrieved
  • Quantity of data transmitted
  • The user’s IP address

This data is stored exclusively for technical reasons and is not assigned to any person at any time.

The data is also stored in the log files of our system. This data is not stored together with other of your personal data.

Cookies

Cookies are small text files that make it possible to store specific information related to the device on the user’s end device. On the one hand, they increase the user-friendliness of websites, and thus benefit users. On the other hand, they are used to collect statistical data on website use for analysis of these for the purpose of improving the offer. The user can control the use of cookies. Most browsers have an option which limits or completely prevents the storage of cookies.

We use cookies to improve the user-friendliness of finleap connect Services. Some elements of the services require that the retrieving Internet browser can be identified even after a page change.
When providing finleap connect Services, we also use cookies which enable us to analyze our users’ surfing behavior.

The user data collected in this way is pseudonymized using technical means. It is therefore no longer possible to assign the data to the accessing user. The data is not stored together with the user’s other personal data. When opening our website (e.g. when opening the FAQs), users are informed by an info banner about the use of cookies for analysis purposes and referred to this data protection declaration. A note is also included in this context as to how the user can disable the storage of cookies in the settings of the Internet browser.

Use of Google Analytics with anonymisation function

This website uses Google Analytics, a web analysis service. The provider is Google Ireland Limited („Google“) Gordon House, Barrow St, Dublin 4, D04 E5W5, Ireland.

Google Analytics uses the aforementioned “cookies”, which are stored on your computer to enable an analysis of your use of the website. The information generated by the cookie about your usage will generally be transmitted to and stored on Google servers in the USA.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Legal basis for data processing

The legal basis for the temporary storage of data and log files, as well as for the processing of personal data using cookies, is Art. 6 (1) lit. f. GDPR.

Purpose of processing

The purpose of using technically necessary cookies is to simplify use of websites for users. Some features of our website will not be available without the use of cookies. In this case, it is required for the browser to be recognised even after a page change.

Analysis cookies are used to improve the quality of our website and its content. We use analysis cookies to find out how the site is used and allow us to constantly optimize our services.

Cookies are stored in log files to ensure the functionality of the finleap connect Services. No evaluation of data for marketing purposes is undertaken in this context. Ensuring functionality is our legitimate interest in data processing under Art. 6 (1) lit. f, GDPR.

Duration of storage

Cookies are stored on the User’s computer and transmitted from it to our site. Therefore, as a user you have full control of the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all of the website’s features.

All data gathered by us is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

Categories of recipients

Within finleap connect, the data is stored only in secure data centers accessible only to selected employees. finleap connect will pass on data to partners if you explicitly agree to this disclosure.

In addition, our processors may receive data to facilitate the provision of the service. These are contractually obligated to comply with the same data protection standards, and may process your personal data only to the same extent and for the same purposes as we do and are subject to our instructions. These can be companies in the categories accounting, IT services, logistics, and telecommunications. With regard to the transfer of data to other recipients outside the company (in addition to the processors), it must first be noted that we comply with the applicable data protection regulations. In addition, we may only pass on your data if required by law, you have consented, or we are authorized to provide information. Under these conditions, recipients of personal data can be public bodies and institutions (offices, authorities, etc.) in the presence of a legal or regulatory obligation.

Objection and cancellation options

You can prevent the collection of your data by Google Analytics by clicking on the following button. An opt-out cookie is set, which prevents the future collection of your data when visiting this website:

Optout button (disable Google Analytics)

The collection of other data to provide finleap connect Services and the storage of the data in log files is mandatory for the operation of the finleap connect Services. Consequently, the User does not have the option to object.

Transmission of data via finleap connect Services

By using the finleap connect Services and Partner Services of your choice and by entering the relevant data, you yourself determine which information you transmit to finleap connect or your chosen Partners. Naturally, any data input is voluntary.

Partner Services

You may only use the Services provided by finleap connect together with the services of a finleap connect Partner, e.g. an accounting service or your new bank, (“Partner”), in turn to facilitate its service via certain technical and content added values for Account Holders (“Partner Service”), or to facilitate the account switch to this Partner through the finleap connect value-added services. This means that in order to integrate the services offered by finleap connect into partner services, you will be forwarded to finleap connect by the respective partner.

If you use the finleap connect Initiation and/or Information Services, the data that you share with finleap connect will be transmitted to Partners separately authorized by you. During the authorization process you can determine which of your accounts the Partner is allowed to access. The Partner will gain access to your information and data only after you have given your explicit consent. The further use or processing of data within the Partner Service is in turn governed exclusively by the Partner’s applicable data protection provisions and is solely its responsibility.

For details on the processing of your data as part of the finleap connect value-added service, please read the following chapter “3.2.3. finleap connect value-added services”.

finleap connect Initiation and Information Services

You may use finleap connect Initiation and/or Information Services without registering with finleap connect after you have been redirected to finleap connect from a Partner’s front-end. The permanent use of finleap connect Initiation Services and/or finleap connect Information Services requires registration with finleap connect (see section “Additional Information for the Permanent use of finleap connect Initiation and Information Services”).

In order for finleap connect to provide its services to you, it is in all cases necessary for you to make your chosen financial sources at your banks, credit card companies and other payment providers available to finleap connect.
Eligible accounts are those which you maintain alone or jointly (subject to individual power of disposal and the consent of the other account holders) and as the beneficial owner with account servicing payment service providers. Any other authorized representatives or persons authorized to dispose of the account may only request its addition if they themselves are authorized to obtain information from the account servicing payment service provider. When you use the account we shall also assume that the other Account Holders have not objected to its use. Accounts that do not meet these requirements may not be added or removed.

In order to give us access, you must enter the login details for the relevant services (e.g. username and password, account number and bank code or PIN). Entry of this data allows us to access the financial data stored with the providers you have selected, such as account master data, account balance and turnover. After access has been granted, your login details will be deleted by finleap connect when used once (see otherwise the section “Additional Information for the Permanent Use of finleap connect Initiation and Information Services”). finleap connect uses a current, state-of-the-art encrypted connection for this data transmission. Of course, you can freely decide to which bank account or to how many accounts or to which financial sources you grant us access. All contact and bank data entered by you will be stored exclusively for the purpose of processing the desired functions of finleap connect Services and their monitoring and are kept separately from other data collected by us. In exceptional cases, technical log data that is kept for a limited period of time can be used to analyze possible errors. They are therefore used to improve the security, stability and availability of Initiation and Information services.

finleap connect value-added services

If you use the finleap connect value-added services, finleap connect may already receive information from the partner to allow to pre-fill the account switch service form. Therefore, if the receiving bank has activated this feature, finleap connect will receive personal data (first name, last name, address, date of birth, IBAN and BIC to the receiving bank, as well as your email address) on your behalf. This presupposes that you explicitly agree with the receiving bank in online banking that the receiving bank forwards the aforementioned personal data to finleap connect for the purpose of initiating the account switch.

During the account switch process, finleap connect retrieves data from your old bank. This is necessary to digitally capture information about existing direct debits, standing orders and cash receipts. To do this, you must log in to the online banking of your old bank. You will then be asked to enter your personal data (title, first name, last name, address, date of birth, telephone number (optional), IBAN at the receiving bank and email address). If a corresponding functionality has been activated for the receiving bank, the further input mask is already pre-filled with your personal data, so that this step may also be omitted.

Based on the information provided about existing direct debits, standing orders and cash receipts, the list of payment partners to be notified is displayed. Depending on the selection, the payment partners will then be notified by finleap connect on your behalf about the new account information.

In total, the following personal data are collected and processed by finleap connect as part of the account switch service: first name, last name, address, telephone number, date of birth, email address, bank account details (name of bank, IBAN, BIC). These data are collected and processed by finleap connect as part of the contract. The details are stored by finleap connect for 90 days and serve to allow the user to continue the account switch during that time period. At the end of the 90 day period the data will be completely deleted at finleap connect.

The Partner will not have direct access to your account information throughout the process. Instead, finleap connect provides certain employees of the receiving bank access to its backend system with selected personal data of the respective end customer/user (first name, last name, address, email address, telephone number, date of birth), and payment transaction data/account data (IBAN of the payment account at the receiving bank, the name of the replaced bank, IBAN and BIC of the payment account at the replaced bank, the name of the payee for direct debits, the name of the payment sender for credits; form, time, and processing status of an account change notification, number and processing status of existing standing orders). The further use or processing of the data within the partner service, in turn, is based exclusively on the applicable data protection provisions of the partner.

Special categories of personal data when using finleap connect services

In the context of the processing and provision of the transaction history or the initiation of payments, it may happen that also special personal data must be processed by finleap connect. Special personal data is data that may include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual life. Such information may appear, for example, in connection with transfers to parties, trade unions or certain clubs in the payment note/intended use field. finleap connect uses this information exclusively to provide the desired payment service.
You must explicitly consent to the processing of special personal data in order for it to be processed by finleap connect for the purposes of the account switch. Since it is not technically possible to exclude the transfers that relate to special personal data when extracting the transaction history, the respective consent is required in order to use the services.
You have the right to revoke the consent and to prevent the processing of sensitive account data for the future at any time.

No further disclosure of your data to third parties

Your access and transaction data will only be passed on to data centres within the EU. Any further transfer of data to external service providers will only take place in exceptional cases if it is necessary for the provision of the Services or parts of the Services. These external service providers are always carefully selected and regularly checked by us to ensure that the protection and confidentiality of your data is guaranteed. The service providers may use the data exclusively for the purposes specified by us.

Furthermore, data may only be passed on to other third parties if this is necessary due to legal or official obligations.

Data transfer to third countries (states outside the eruopean economic area –
EEA) or to international organizations will only take place if you have given us your consent, or as part of order processing. If service providers are used in third countries, they are obliged to comply with the data protection level in Europe in addition to written instructions by the regulation of the Privacy Shield or the agreement of the EU standard contractual clauses. If required by law, we will inform you separately about the details.

Legal basis for data processing
The legal basis for processing is Art. 6 (1) lit. b. GDPR and Section 59 of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). The legal basis for the processing of technical log data is our legitimate interest to identify and correct errors in our system, therefore Art. 6 (1) lit. f, GDPR.

Purpose of processing

Your data will be processed in order to ensure the functionality of our finleap connect Services.

Duration of storage

Data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. When using finleap connect’s Initiation and Information Services only once, this generally occurs a few hours after the end of your use. Technical log data collected for the purpose of data security and data protection control will be kept for at least 30 days and then deleted. However, deletion shall take place no later than after the processing of error corrections or security incidents.

Objection and cancellation options

You can revoke your consent to the processing of your data as part of the use of finleap connect Services at any time. You can send your revocation by ​e-mail to our support team​. We would like to point out that the use of the Services offered by finleap connect is not possible without your consent to the processing of your data.

Additional information for the permanent use of finleap connect’s Initiation and Information Services

Registration

The creation of a finleap connect User Account is required if you wish to use finleap connect Initiation Services and/or finleap connect Information Services permanently. For this purpose, you agree to deposit with finleap connect the user name used by the institution managing your account, as well as the list of accounts (name and account number) to which you grant finleap connect access. It is implicitly agreed that you will not be required to check the online availability and usability of your accounts (especially for multi-banking purposes) with different institutions each time you agree on the individual finleap connect Initiation services and/or finleap connect Information Services with us, depending on the technical availability of this information at your bank.

When using finleap connect value-added services, a user account will be created for you or you will be asked to do this yourself. This account is valid for 90 days and allows you to track the progress of your account switch, and to suspend the process for later resuming.

We require your e-mail address to create your finleap connect User Account. You must also assign a password.

Optional storage of PIN or password for access to your online banking access for permanently integrated finleap connect Initiation and Information Services

If you want finleap connect to automatically synchronize your account data four times a day (also known as “auto-synchronization”), you can also store the PINs/passwords required for access to your online banking in your finleap connect User Account. This can be useful if, e.g., it is important to you to always have up-to-date balance information on your accounts available via the Partner Service, or if you want to be kept informed about current account withdrawals or withdrawals via push messages, and for this purpose do not want to do the synchronization yourself by entering the PIN/password in each individual case. The automated reconciliation of account information without the re-entering of personalized security credentials for each payment account is possible only if access to your payment account does not already require strong customer authentication (i.e., a second factor such as a transaction number (TAN)). You will be informed of this at the appropriate point if necessary. Naturally, you can also remove the saved PIN and/or password at any time. If you ​decide against storing your login details, the account information will be updated and compared with the previously communicated data of the relevant service only when you re-enter your PIN or password.

No further disclosure of your data to third parties

Except for the aforementioned purposes, your personal data will not be passed on without your prior explicit consent.

Legal basis for data processing

The legal basis for processing is Art. 6 (1) lit. b GDPR.

Purpose of processing

Your data will be stored in order to ensure the functionality of our finleap connect Initiation and/or Information Services.

Duration of storage

Data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. As soon as you close your finleap connect User Account, for example, your data will be deleted immediately (if you use finleap connect value-added services, this happens automatically at the end of the 90 day period). Technical log data collected for the purpose of data security and data protection control will be kept for at least 30 days and then deleted. However, deletion will take place no later than after the processing of error corrections or security incidents.

Objection and cancellation options

You can revoke your consent to the processing of your data for the use of finleap connect Services and the associated storage of your data at any time. You can send your revocation by ​e-mail to our support team​. We would like to point out that the use of the finleap connect Services is not possible without your consent to the processing of your data.

Your rights as a “data subject”

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to finleap connect:

The right to be informed

As a data subject, you have the right granted by the European legislator to receive free information from finleap connect about your stored personal data and a copy of this information at any time. Furthermore, the European legislator has granted you, as the data subject, access to the following information:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to rectification or erasure of the personal data concerning you or of a restriction of the processing by the person responsible or of the right to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, under Article 22 (1) and (4), GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for you.

Furthermore, you haves the right of access to information as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, you have, in addition, the right to obtain information about the appropriate guarantees in connection with the transfer.

Right to the correction of data

You also have the right, granted by the European legislator, to request the immediate rectification of inaccurate personal data concerning you. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, including by means of a supplementary declaration.

Right to restrict processing

You have the right granted by the European legislator to require finleap connect to restrict processing if one of the following conditions is met:

  • The accuracy of your personal information is contested by you for a period of time that allows us to verify the accuracy of your personal information.
  • The processing is unlawful, you refuse to delete the personal data and instead demand a restriction on the use of the personal data.
  • We no longer need the personal data for the purposes of processing, but you do need it to assert, exercise or defend legal claims.
  • You have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether finleap connect’s justified reasons will outweigh yours.

We would like to point out that this right does not apply if you use finleap connect’s Initiation and/or Information Services only once, as finleap connect does not store any of your data in these cases (unless storage is required by law).

Right to deletion

You have the right granted by the European legislator to require finleap connect to delete your personal data immediately, provided that one of the following reasons applies and insofar as the processing is not necessary:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
  • You revoke your consent on which the processing pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR was based and there is no other legal basis for processing.
  • You submit an objection to processing under Art. 21 (1) GDPR, and there are no overriding legitimate grounds for processing, or you submit an objection under Art. 21 (2) GDPR.
  • The personal data has been unlawfully processed.
  • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the responsible person is subject.
  • The personal data has been collected in relation to services offered by the information Society under Art. 8 (1) GDPR.

If the personal data has been made public by us and our company is responsible under Art. 17 (1) GDPR to delete personal data, we will take appropriate measures, including technical measures, taking into account available technology and implementation costs, to inform other data processors who process the published personal data, that you have requested the deletion of all links to such personal data or of copies or replications of such personal data from those other data processors, where processing is not necessary. Our employees will do what is necessary in individual cases.

We would like to point out that this right does not apply if you use finleap connect’s Initiation and/or Information Services only once, as finleap connect does not store any of your data in these cases (unless storage is required by law).

Right to data portability
You have the right, granted by the European legislator, to receive the personal data concerning you that you have provided to finleap connect in a structured, common and machine-readable format. You also have the right to transfer this data to another competent person without any hindrance by us, provided that the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or in an Agreement pursuant to Art. 6 (1) lit. b GDPR, and processing is carried out by means of automated procedures, except where such processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority conferred on finleap connect.

Furthermore, when exercising your right to data portability pursuant to Art. 20 (1) GDPR, the data subject has the right to require that the personal data be transmitted directly from one controller to another as far as this is technically feasible and provided that this does not impair the rights and freedoms of others.

We would like to point out that this right does not apply if you use finleap connect’s Initiation and/or Information Services only once, as finleap connect does not store any of your data in these cases (unless storage is required by law).

Right to object

At any time, you have the right, granted by the European legislator, to object to the processing of personal data relating to you, which may be processed on the basis of Art. 6 (1) lit. e or f GDPR, for reasons arising from your particular situation. This also applies to profiling based on these provisions.

finleap connect no longer processes personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Furthermore, you have the right to object, for reasons arising from your particular situation, to the processing of personal data concerning you which finleap connect uses for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, unless such processing is necessary to fulfill a task that is in the public interest.

In order to exercise your right of objection, you can contact any of our employees directly. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Automated individual decision-making, including profiling
As finleap connect does not make automated decisions or conduct profiling on a case-by-case basis, your rights with respect to these transactions are not explained here.

Right to withdraw consent given under data protection law

You have the right, granted by the European legislator, to revoke your consent to the processing of personal data at any time.

Assertion of your rights

In order to assert your rights as described above, you can ​contact one of our support employees at any time. The employee will initiate all necessary measures and inform you about further steps.

The right to file a legal complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data that concerns you is in contravention of the GDPR.

The supervisory authority responsible for finleap connect is:

Free and Hanseatic City of Hamburg
The Hamburg Commissioner for Data Protection and Freedom of Information Prof. Dr. Johannes Caspar
Kurt-Schumacher-Allee 4, 20097 Hamburg,
6th floor
Phone: 040/428 54 – 4040
Fax: 040/428 54 – 4000
E-mail: mailbox@datenschutz.hamburg.de

The supervisory authority with which the appeal has been filed shall inform the appellant of the status and results of the appeal, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.