Privacy Policy

18 May 2024

This privacy policy explains how your personal data are processed by the controller, Finax, o.c.p., a.s., which is the provider of the Finbot application, and hereby provides you, as a person whose personal data we process (hereinafter referred to as “data subject” or “client”), with information pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

1. Identification and contact details of controller

The controller of the Finbot application is Finax, o.c.p., a.s., a company with its registered office at Bajkalská 19B, 82101 Bratislava, Slovakia, Business ID: 51 306 727, registered in the Business Register of the Municipal Court Bratislava III, Section: Sa, Insert No. 6713/B (hereinafter referred to only as “Finax” or “controller”).

Controller contact details: 

Address for correspondence: Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava. 

Email: client@finbot.eu 

Telephone: +421 2 2100 9985

2. Data Protection Officer 

The controller has entrusted the supervision of the processing of personal data to a Data Protection Officer, whom you can contact with any questions related to the processing of your personal data by email at dpo@finax.eu or in writing at the address: Tibor Šiška, Data Protection Officer, Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava.

3. Purpose of processing of personal data

The controller processes personal data for the following purposes: 

3.1 Provision of payment account information service and services related to tracking and managing personal finances, expenses and income through the Finbot application, signing, recording and management of contracts, setting up and using an account in Finbot application, including client care, managerial analyses and complaints handling. 

Legal basis: the processing of personal data is necessary under a special regulation, together with the fulfilment of the contract of which the data subject is a party or to take measures, before the conclusion of contract, at the request of the data subject. 

The source of the personal data of the data subject is the data subject, in relation to payment data, the provider that manages the payment account is the source of data; in relation to login data, the data source may be third parties through which the data subject registers. 

The personal data of the data subject are made available to the following recipients or categories of recipients: payment institutions through which access to payment data is provided, National Bank of Slovakia, bailiffs, law enforcement authorities, courts, accounting company, external financial audit, information technology providers including CRIF - Slovak Credit Bureau, s.r.o.

Provision of personal data from the data subject is in part a legal and in another part a contractual obligation.

The controller does not perform automated individual decision making for the purpose of processing personal data. The controller may perform profiling for the purpose of analysing or predicting the economic situation and behaviour of the data subject in order to manage personal finances in the Finbot application. This profiling does not lead to automated decision making whose legal effects concern or similarly significantly affect the data subject.

The controller processes the following categories of the data subject’s personal data: first name, last name, personal identification number, date of birth, place of birth, phone number, email address, nationality, type, number and validity of an identification card or passport, permanent residence, address of correspondence, politically exposed person, sanctioned person, method and language of communication, signature, age, AML risk category, geolocation information, transaction information, financial situation (e.g. income, expenses, budget, details of savings, investment and other accounts which client enters into Finbot application, savings goals), economic profile, demographic data, marital status, housing situation, education and employment, leisure activities, details of assets, login details and permissions needed to access the payment account, information related to the payment account (account name, number, balance, currency, etc.), account holder (name, address, email, phone number), transaction details (e.g. transaction amount, currency, date, description, note) and payment account details and features (e.g. account type), technical details including Internet Protocol (IP) address, login details, browser type and version, time zone setting and location, types and versions of browser plug-in, operating system and platform and other device details for the purposes of using services, data related to the use of the Finbot application and user interface, facial image, copies of issued documents, including ID cards (including the photograph from the ID card).

3.2 Purpose of processing: fulfilment of obligations in the field of prevention of legalisation of proceeds from criminal activity and financing of terrorism, registration and management of reports about unusual trading operations and identification of the client in order to care for the client.

Legal basis: the processing of personal data is necessary under a special regulation.

The source of the personal data of the data subject is the data subject. 

Personal data of the data subject are made available to the following recipients or categories of recipients: Financial intelligence unit, National criminal agency, external financial audit, National Bank of Slovakia, courier services, financial institutions providing ancillary services (e.g. insurance company acting in respect of group insurance).

Provision of personal data of the data subject is a legal obligation.

The controller does not perform automated individual decision making or profiling for the purpose of processing personal data. 

The controller processes the following categories of the data subject’s personal data: first name, last name, personal identification number, date of birth, place of birth, nationality, type, number and validity of an identification card or passport, permanent residence, address of correspondence, politically exposed person, sanctioned person, AML risk category, facial image and copies of issued documents, including ID card (including the photograph from the ID card), data for assessing an unusual business operation (including data related to transactions and accounts).

3.3 Purpose of processing: processing of personal data of clients in regard to accounting and external audits.  

Legal basis: the processing of personal data is necessary under a special regulation. 

The personal data of the data subject are made available to the following recipients or categories of recipients: accounting company, external financial audit, Financial Administration of the Slovak Republic, National Bank of Slovakia, controlling bodies. 

Provision of personal data of the data subject is a legal obligation. The controller does not perform automated individual decision making or profiling for the purpose of processing personal data. 

The controller processes the following categories of the data subject’s personal data: first name, last name, permanent residence, address of correspondence, name of the company (employer), employee identification number, transaction information (payments and deposits) and current card balance.

3.4 Purpose of processing: provision of products and services and sharing information as a part of a direct marketing and personal finance advisory

Legal basis: consent of data subject and legitimate interest of the controller. 

The legitimate interest pursued by the controller in processing of the personal data of existing clients for the purpose of direct marketing is the offer of products and services similar to those already used by the client. 

The controller processes personal data for the purpose of direct marketing also with the consent of the data subject particularly in case of the processing of payment data, or in case the data subject has subscribed to the marketing communication (i.e. newsletter). The consent may be withdrawn at any time by the data subject. 

The personal data of the data subject are made available to the following recipients or categories of recipients: financial agents, information technology providers, marketing agencies encompassing analytical and statistical indicators of the web

Provision of personal data by the data subject - client is a legitimate request of the controller. The provision of personal data by the data subject - the person who has subscribed to the marketing communication as well as in case of the processing of payment data for the purpose of providing advisory services on the management of personal finances and the offering of products and services to reduce expenditure and increase income is their consent.

The controller processes the following categories of the data subject’s personal data: email, financial situation (e.g. income, expenses, budget, details of savings, investment and other accounts which the client enters into the Finbot application, savings goals), economic profile, demographic data, marital status, housing situation, education and employment, free time activities, details of assets, login details and permissions needed to access the payment account, information related to the payment account (account name, number, balance, currency, etc.), account holder (name, address, email, phone number), transaction details (e.g. transaction amount, currency, date, description, note) and payment account details and features (e.g. account type).

The controller does not perform automated individual decision making for the purpose of processing personal data. The controller may perform profiling for the purpose of analysing or predicting the economic situation and behaviour of the data subject in order to provide advisory services, suggestions and offers to reduce expenditures and increase income. This profiling does not lead to automated decision making whose legal effects concern or significantly affect the data subject.

For the purposes of providing personal finance management advice/proposals, the Controller creates anonymized data and anonymized aggregated data from the client's data, including transaction data.  

3.5 Purpose of processing: marketing communication regarding the campaign refer a friend 

Legal basis: legitimate interest of the controller. 

The personal data of the data subject are made available to the following recipients or categories of recipients: information technology providers. 

Personal data is not obtained directly from the data subject but from another person who thinks that the data subject would be interested in the services of the controller. The controller shall always inform the data subject of the source from which the personal data were obtained.

The controller does not perform automated individual decision making or profiling for the purpose of processing personal data. 

The controller processes the following categories of the data subject’s personal data: email.

3.6 Purpose of processing: improvement and development of services, creation of statistical reports, problem solving, development and improvement of other products and services, fraud prevention and detection purposes, IT security

Legal basis: legitimate interest of the controller, personal data processing is necessary according to a specific regulation. 

The personal data of the data subject are made available to the following recipients or categories of recipients: information technology providers, National Bank of Slovakia. 

The source of the personal data of the data subject is the data subject. 

The controller does not perform automated individual decision making or profiling for the purpose of processing personal data. The controller may perform profiling for the purpose of analysing or predicting the economic situation and behaviour of the data subject in order to develop and test new features, create statistical reports, solve problems, develop and improve other products and services of the Company. This profiling does not lead to automated decision making whose legal effects concern or similarly significantly affect the data subject.

The controller processes the following categories of the data subject’s personal data: data obtained in connection with the use of the Finbot application (e.g. in-app activities, usage of various features, demographic data), however, where possible, the controller will process anonymised data, audio recordings (recordings of phone conversations with clients).

4. Processing of special categories of personal data

Financial transactions may reveal data subject information that is defined as special categories of personal data in Article 9 of the GDPR (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data or the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such data may be processed, for example, in connection with transactions constituting a contribution to a church or a donation to an organisation, membership fees in a trade union, payments to specialist doctors. As an individual transaction may contain such data, unless one of the exemptions listed in Article 9(2) GDPR applies, the controller will ask for the data subject's explicit consent to the processing of special categories of personal data. 

Such consent is to be granted for the purpose of provision of services in the Finbot application and is necessary for the provision of services in the Finbot application. 

The data subject grants their consent to the processing of special categories of personal data for the duration of provision of services in the Finbot application. The data subject has the right to withdraw their consent at any time, but the controller will no longer provide services in the Finbot application. 

The personal data of the data subject are made available to the following recipients or categories of recipients: payment institutions through which access to payment data is provided, information technology providers.

The source of the personal data of the data subject is the data subject (in relation to the data which the client enters into the Finbot application); in relation to payment data, the provider that manages the payment account is the source of data.

The controller does not perform automated individual decision making for the purpose of processing personal data. The controller may perform profiling for the purpose of analysing or predicting the economic situation and behaviour of the data subject in order to manage personal finances in the Finbot application. This profiling does not lead to automated decision making whose legal effects concern or significantly affect the data subject.

5. Legal basis for personal data processing

The legal basis for the processing of personal data is in particular the standard fulfilment of legal obligations, the conclusion and fulfilment of the contract, the legitimate interest (e.g., in the case of direct marketing in relation to existing clients) and the data subject's consent (e.g., in the case of direct marketing in relation to those who have signed up for the marketing communications).

The controller operates in a highly regulated field of the financial market, resulting in a number of obligations imposed on it by specific regulations. Therefore, your personal data are also processed where a specific law imposes this obligation on us, particularly but not exclusively:

  • Act No. 492/2008 Coll. Act on payment services and amending certain laws 
  • Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication 
  • Act No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing 
  • Act No. 431/2002 Coll. on Accounting 
  • Act No. 395/2002 Coll. on Archives and Registries 
  • Act No. 595/2003 Coll. on Income Tax 
  • Regulatory rulings and methodological guidelines of National Bank of Slovakia 
  • Regulatory rulings and methodological guidelines of European Banking Authority (EBA)

6. Transfer of personal data to third countries

Personal data shall be the subject of cross-border transfer to the Member State of the European Union or to the third countries that do ensure an adequate level of personal data protection as well as to the third countries that do not ensure an adequate level of personal data protection on the understanding that the controller had taken measures directed at personal data protection. 

7. Personal data retention period

The controller is authorized to process the personal data of the concerned person necessary for the purpose of providing the services and to retain them for a defined period, which applies for the duration of the contract and, after its termination, for the necessary amount of time, capped at the maximum of 10 years, unless the government regulations state otherwise.

The processing of personal data in the case of consent is only possible for the period for which the consent was granted or as the case may be until the consent withdrawal. 

In the case of processing of personal data for the purpose of direct marketing based on the legitimate interest of the controller, the personal data will be processed until the data subject has objected to the processing in question. 

Personal data retention is also defined by other laws described in the section 5, based on which we are obliged to retain our records accordingly:

  • to the Act No. 297/2008 art. 19, sec. 2, for the period of 5 years after a termination of the contract and in regard to art. 19, sec. 3, for longer than 5 years if the financial intelligence unit requests it, capped at maximum of 10 years,  
  • to the Act No. 492/2009 – for a period of at least 5 years from the termination date of the contracts or the original date of records related to the provision of payment services, 
  • to the Act No. 595/2003 time periods defined in sec./art. 39 and sec./art. 40 of the act depending on taxation period, 
  • to the Act No. 431/2002 in respect to art. 35 sec. 3 – 10 years after the year to which the documentation relates, 
  • to the Act No. 395/2002 – 10 years after the year to which the documentation relates, with NBS having a right to extend this period.

8. Rights of the data subject 

In connection with the processing of your personal data, you have the following rights stated below. If you exercise any of the rights below, we will notify you of your request being processed within 30 days of its receipt. In justified cases, we may extend this period to 60 days, which we will inform you about. 

Right of access by the data subject

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the recipients or categories of recipient to whom the personal data have been disclosed, in particular recipients in third countries; the envisaged period for which the personal data will be stored. The data subject also has the right to obtain a copy of the personal data that are being processed.

Right to rectification

If you believe Finax is processing incorrect, inaccurate or outdated personal data about you, you have the right to obtain the rectification of personal data. It is important for us to process the accurate personal data about you, so be sure to use this right whenever any of your personal data, that is important to your relationship with us, changes. Based on your corrected or up-to-date information, we will rectify the personal data we process about you.

Right to erasure (‘right to be forgotten’)

You shall have the right to obtain from the controller the erasure of personal data concerning you where one of the following grounds applies and there are no statutory exclusions: 

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 
  • the data subject withdraws consent on which the processing is based, and where there is no other legal basis for the processing; 
  • the data subject objects to the processing pursuant to processing of personal data, processing on legitimate grounds and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to direct marketing purposes;
  • the personal data have been unlawfully processed.

However, please be aware that, in regard to the legal obligations that Finax as a payment account information service provider has, in particular in the areas of payment services, combating money laundering, terrorist financing and fraud prevention, Finax is obliged to store personal data of their clients as well as potential clients even after the end of the business relationship and therefore this personal data can be deleted only after expiry of the set deadlines. For more information on the specific retention periods, see Chapter 7. Personal Data Retention Period. 

Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following applies: 

  • if you contest the accuracy of the personal data being processed, for a period enabling the controller to verify the accuracy of the personal data; 
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; 
  • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; 
  • you object to the processing of personal data, pending the verification whether the legitimate grounds of the controller override those of the data subject. 

In these cases, Finax will not delete your personal data, but will mark it and restrict its processing for certain purposes. 

Right to data portability 

You shall have the right to receive the personal data concerning you, which you have provided to a controller and the processing is carried out by automated means in a structured, commonly used and machine-readable format. You have the right to transmit those data to another controller. If it is technically feasible, we will directly transmit your personal data to another controller.

Right to object and automated individual decision-making

You shall have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you which is based on our interest, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you. 

You also have the right to object if your personal data is processed automatically, which may result in a decision that has legal effects for you or otherwise affects you significantly. 

In the event of the objection of processing of your personal data that are being processed on a legal basis of Finax's legitimate interest, Finax will assess the situation on the basis of the information provided by you and inform you whether Finax's legitimate interest prevails in a particular situation and the processing will continue or your rights as a data subject prevail and the processing will be stopped.

Right to withdraw consent

If your personal data are being processed based on the consent, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on legality of processing resulting from consent before its withdrawal.

Right to lodge a complaint with a main supervisory authority

If you consider that the processing of personal data relating to you infringes this Regulation, you have the right to lodge a complaint with a main supervisory authority - the Office for Personal Data Protection of the Slovak Republic:

Office for Personal Data Protection of the Slovak Republic 

Hraničná 12, 820 07 Bratislava 27 

Slovak Republic 

https://dataprotection.gov.sk 

How to exercise your rights

The data subject may exercise his / her rights to Finax by e-mail sent to dpo@finax.eu or in writing to: Tibor Šiška, Data Protection Officer, Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava 

Please state your name, surname, e-mail address or as the case may be permanent address in your request. If you do not provide us with this information, your request will not be accepted. We require this additional information to verify your identity and not to disclose your personal information to an unauthorized person. 

Where the rights exercised relate to access to the personal data or portability of the personal data of the data subject, his/her signature on the written request needs to be officially verified. If Finax has a legitimate suspicion in regard to the identity of the data subject, it has the right to ask the data subject to provide additional information needed for verification of the identity, such as a written request with an officially verified signature of the data subject.

9. Cookies

Finax website uses cookies. 

More information about cookies can be found here.
