
FinomPrivacyPolicy v2.3 en

The Finom Group Privacy Policy outlines the collection and processing of personal data across its various companies, ensuring compliance with data protection laws such as the GDPR. It details the legal bases for data processing, the types of personal data collected, and the purposes for which the data is used, including payment services and identity verification. Additionally, it describes the rights of individuals regarding their data and the security measures in place to protect that data.

Uploaded by

roeoo

Version 2.3
Finom Group

Privacy Policy
Contents

1. Introduction
1.1 Responsible entities (Group)
2. Legal basis for processing of your personal data
2.1 Contact
2.2 Legitimate interests
2.3 Consent
2.4 Legal obligation
3. When we process your personal data
3.1 Payment account opening
3.2 Identity verification
3.3 Card issue and delivery
3.4 Use of payment account
3.5 Google Pay and Apple Pay
3.6 Multibanking & payment initiation
3.7 Capital deposit & company registration
3.8 Online invoicing
3.9 When you contact us
3.10 When you visit our website
3.11 Analytics
3.12 Direct marketing
3.14 Facebook’s Like button, Comment plugin and Social Widgets
3.17 Phone number and call recording
4. Special categories of data
5. Sharing your data with third parties
6. Third-Party Data Usage
6.1 Google Services
6.2 Other Third-Party Services
6.3 Data transfers to third countries
6.4 Automated decision-making and profiling
7. How long we keep your data
8. Your rights
9. Information security
10. Changes and updates to this Privacy Policy
11. Solaris Addendum

Finom Group Privacy Policy v.2.3 Page | 2


1. Introduction
Finom is the trading name of the companies (“Group”) specified in the “Responsible
entities” section (hereafter “Finom”, “we”, “us”, “our”). This Privacy Policy applies to each
company within the group, specified below.

Each company within the group adheres to the same standards of data protection, ensuring that
your personal data is handled securely and responsibly, regardless of which company you
interact with. By interacting with any of our companies, you agree to the terms of this Privacy
Policy as it applies across the entire group.

This Privacy Policy concerns the services provided by Finom as described in the Terms and
Conditions. This Privacy Policy informs you about the reason and scope of the collection and
processing of your personal data when you use the Finom platform www.finom.co and/or the
services available on the website or via the mobile application.

We are committed to ensuring the privacy and protection of your personal data in accordance
with the applicable data protection laws, including the General Data Protection Regulation
(“GDPR”) in the European Union, and any other local laws in the jurisdictions where we operate.

1.1 Responsible entities (Group)


The data controller responsible for the collection and processing of your personal data in
accordance with the EU GDPR is:

PNL Fintech BV

Jachthavenweg 109H,
1081KM Amsterdam
The Netherlands
Trade Register number: 74178784

Finom Payments BV

Jachthavenweg 109H,
1081KM Amsterdam
The Netherlands
Trade Register number: 78680751


Finom Poland sp. z.o.o.

Aleje Ujazdowskie 41,
00-540 Warszawa, District Warszawa,
Commune Warszawa,
Poland
Trade Register number: 52511471100000

Finom Tech Ltd.

Agias Zonis & Thessalonikis,
Nicolaou Pentadromos Center, Floor 5,
Flat/Office 503A Block B 3026, Lemesos
Cyprus
Trade Register number: ΗΕ 416213

Finadvant Ltd.

1 Kings Avenue, London,
United Kingdom, N21 3NA,
Trade Register number: 12852382

Finom Fintech Spain SL.

Calle Trajano, 8 - Ed Jerez, Plt 35,
Urbanizaci, Spain,
Trade Register number: B67708313

Finom Growth BV

Jachthavenweg 109H,
1081KM Amsterdam
The Netherlands
Trade Register number: 96768010

Finom Growth GmbH

Münzstraße 12,
10178 Berlin, Germany
Trade Register number: HRB 273758 B

Finom Autonumerus GmbH

Münzstraße 12,
10178 Berlin, Germany
Trade Register number: HRB 272840 B

Stichting Finom

Jachthavenweg 109 H, Amsterdam,
The Netherlands,
Trade Register number: 78684900

Finom offers a wide range of products and services. Some of these services we cannot offer
alone. Therefore, we use different types of arrangements, including but not limited to the
following arrangements:

1. PNL Fintech BV acts as a joint controller. This means that data processing is carried out
by Finom together with another company. Both data controllers have access to the
personal data and share the responsibility for handling the data and ensuring your rights
under the GDPR.

PNL Fintech BV is a joint controller with Solaris SE and/or its branch (“Solaris”) for
payment services in Germany and Italy. As a licensed credit institution, Solaris operates
the necessary infrastructure for the payment services, and PNL Fintech BV provides the
technology platform. Any collection, processing, and use of personal data for the
provision of payment services is within the responsibility of Solaris and Finom. By
subscribing to the use of payment services in Germany and Italy you agree to this
Privacy Policy and the Privacy Policy of Solaris.

PNL Fintech BV is a joint controller with Finom Payments BV with respect to personal
data collected for/in connection with payment services in The Netherlands and other
EU countries. This Privacy Policy equally covers the services provided by Finom
Payments BV and PNL Fintech BV.

2. PNL Fintech BV acts as a processor of personal data of the payment services
customers in France, where the data controller is Treezor SAS (“Treezor”). Treezor
authorizes PNL Fintech BV to process personal data needed for enabling access to
the payment services. By subscribing to the payment services in France you agree to
this Privacy Policy and the Privacy Policy of Treezor.

3. PNL Fintech BV acts as a sole controller for online invoicing, capital deposit, company
formation, and other services not mentioned above, which are offered on the Finom
platform.

4. Finadvant Ltd. acts as a data controller for certain financial services provided in the UK.
5. Finom Tech Ltd. acts as a data controller for services provided in Cyprus.
6. Finom Fintech Spain SL. acts as a data controller for services provided in Spain.
7. Stichting Finom acts as a data controller in specific administrative and compliance
matters.
8. Finom Growth BV acts as a data controller for credit services provided in the
Netherlands.
9. Finom Growth GmbH acts as a data controller for credit services provided in Germany.
10. Finom Autonumerus GmbH acts as a data controller for accounting and tax services
provided in Germany.

Please note: any responsible entity within the group can act as either a joint controller with
another company, a processor, or a sole controller, depending on the specific arrangements
as well as the context of the relationship with the client. In any case, when two or more
companies determine the purposes and means of processing together, they will act as joint
controllers. When a company processes personal data on behalf of another entity (the data
controller), it will act as a data processor. When a company alone determines the purposes
and means of processing, it will act as a sole controller.

This Privacy Policy covers the use of the Finom platform on the website (https://finom.co,
including the web application app.finom.co) and the iOS and Android mobile applications (as
soon as you download them to your mobile device), as well as services accessible from the
applications above.
Should you have any questions, requests, or issues regarding your personal data, or if you need
more information about the roles and functions of our companies in data processing in relation
to your interactions with us, please contact our Data Protection Officer (DPO) at
[email protected].


2. Legal basis for processing of your personal data
2.1 Contact
Opening a payment account via the partners mentioned above requires the provision and
processing of certain personal data of yours. For instance, your address is needed for card delivery,
your phone number is needed for verification of payments, and your email for effective
communication with you. These and other data required for opening and maintaining your
payment account are processed by us, Solaris and any other third parties who help us to provide
you services. The legal basis for this processing is that it is necessary for the performance of a
contract to which you are a party or in order to take steps at your request prior to entering into
a contract (Art. 6(1)(b) GDPR).

Please note that for many of our services and features, without the necessary personal data we
will not be able to fulfill our contractual obligations, and, therefore, we will likely have to refuse
to enter into a contractual relationship with you, or terminate it.

2.2 Legitimate interests


Sometimes we need to collect and process your personal data by virtue of legitimate interests
(Article 6(1)(f) GDPR).

Examples of such processing include:


● ensuring IT security;
● preventing criminal activity, such as fraud (we collect device and session data for this
purpose);
● push notifications or messages relating to your existing or new services and offers;
● user experience analytics and optimization;
● personalization of services and tariff options;
● defense against legal claims.

2.3 Consent
We process your personal data if you gave us consent to do so for one or more specific purposes:

● adding a photo avatar and allowing us to show it to other clients, for example in their
contact lists, shared banking activities, or referral links (if you chose to become visible as a
client);
● recording calls to assist in the quality monitoring of staff performance and help make
service improvements;
● accessing contacts on your device;
● placing cookies on your device.

These data are processed according to Article 6(1)(a) GDPR. You can withdraw your consent at
any time, for example by removing the photo or clearing your browser cache. However, keep in
mind that the processing which took place before consent withdrawal remains in effect.

2.4 Legal obligation


When we or our partners are required to comply with any applicable laws, your personal data is
processed according to Article 6(1)(c) GDPR. Some examples of processing here include
verification of your identity and age, prevention of money laundering and fraud, as well as
statutory tax reporting obligations.

3. When we process your personal data


3.1 Payment account opening
In order for you to enter into an agreement to open a payment account, we collect the following
personal data including but not limited to: email, phone number, country of citizenship, country
of residency, place of birth, full name, date of birth, whether you’re a US tax resident,
employment status, address, Finom Customer ID (assigned by us), Tax ID, IP, browser and device
information, geolocation, details of your company.

3.2 Identity verification


To open a payment account and perform certain actions after opening, we are legally obligated
to verify your identity. Depending on the country and the type of verification that you select this
is done via one or more of the following: video identification procedure through a third-party
service provider, ID document verification, verification via a selfie picture, performing a
microtransaction, or qualified electronic signature. For this you need to provide a valid copy of
your government-issued ID, bank details of your payment account at another financial
institution, or your selfie picture.


3.3 Card issue and delivery
Once you’ve opened your payment account, you may wish to order a virtual or physical card. To
make and deliver a physical card to you, we process and transfer to our card delivery service
providers your name, address, phone number, email, device ID and the information about the
bank account the card is tied to. If it is a virtual card, we process all of the data mentioned
above, except your address.

3.4 Use of payment account


When you start using your payment account and Finom cards, in addition to some of the
personal data provided for opening of your account, we process the following:

● Transactions history (e.g. internal and external account numbers, card details, IBAN,
sender/recipient name, amount, currency, date and time, customer ID, reference message,
merchant name, method of payment);
● History of logins, locations, and device data;
● History of communications with you.

3.5 Google Pay and Apple Pay


Adding your card to Google Pay or Apple Pay involves processing your card information and
Google or Apple wallet ID by us and our partners. Your card information is transferred to our
partner’s service provider Visa/Mastercard, where it is tokenized (encrypted) and then, together
with your address, phone number and the last four digits of the card number, we pass it on to
Google or Apple. They will use that encrypted card data to perform transactions whenever you
pay using your mobile phone.

3.6 Multibanking & payment initiation


When you use multibanking and/or payment initiation services you issue a permission to display
information about your other personal or business accounts in the Finom dashboard and initiate
payment from various accounts via open banking. In this case the data we process includes but
is not limited to: full name, transaction details (e.g. amount, date and time, sender/recipient
name, description), your account balance, customer ID.

3.7 Capital deposit & company registration


When you use company registration and capital deposit services, we together with our partners
supporting these services process your name, date of birth, place of birth, address, email, phone
number, employment status and other details necessary to establish a company in your country.


3.8 Online invoicing
When you use online invoicing services, Finom and its partners who make these features
possible for you process your name, customer ID, email, employment status, tax number, and
other data that is stated on the invoices you send for recognition or generate using the Finom
invoicing product.

3.9 When you contact us


When you contact us via support chat or by any other means, we may process such categories
of personal data as your email, phone number, customer ID, language, country, as well as any
information about the standing of your account or details of your transactions, depending on the
issue you are experiencing. We may also collect other information if you choose to share it with
us. Please do not share any additional personal data or documents, either concerning yourself or
other individuals, unless specifically requested by us.

Please note: Calls with our Customer Support and Sales teams are voice-recorded, together
with information about your call and the data that you share with us during the call.

3.10 When you visit our website


When you visit our website, we may automatically collect some personal data from your device.
This information may include your IP address, date and time of the request, browser language
and version, operating system version or producer, information about your device, as well as
some data about how you interact with our website (e.g. which website you came from, pages
visited, links clicked). We do this to keep our website secure and to understand who visits it and
which pages they find interesting, so we can improve the site and provide relevant content.
Some of this data is collected using cookies. You can find more information about them in
our Cookie Policy.

3.11 Analytics
We process the personal data you provide us with, as well as the data created as a result of your
use of our application, for analytics purposes. For example, we analyze how you interact with the
app to make it more intuitive and easier for you to use, or to understand whether our products
and services are customized to your needs so we can make changes and develop new products
and services. In that case these data are stripped of direct identifiers to provide an additional
layer of protection.


3.12 Direct marketing
From time to time we will contact you to tell you about our new products or services which we
think may be of interest to you. This type of activity is considered direct marketing, and in this
case we rely on your consent or our legitimate interest to process your personal data for this
purpose. If you wish to withdraw your consent or object to this processing, you can switch off
notifications in your app preference center, or click on the “unsubscribe” link at the bottom of
the email you receive from us.

3.13 Browser Fingerprinting​


When consent is given on one of Finom’s domains, we use your browser’s fingerprint to apply the
cookies you selected to Finom’s other domains. This fingerprint contains browser attributes (for
example, IP, browser version) and is stored for a period of 2 (two) weeks, after which the
fingerprint is deleted.

Please note: Browser fingerprinting helps us apply your cookie preferences across our domains.
You can manage your cookie settings at any time by visiting the following link:
https://support.google.com/chrome/answer/95647?hl=en&co=GENIE.Platform%3DDesktop.

3.14 Facebook’s Like button, Comment plugin and Social Widgets

Our website uses Facebook’s Like button and Comment plugin to enable social interactions and
enhance your user experience. When you interact with these features, Facebook may collect
information such as your Facebook user ID, the content of your comments, and technical data
related to your browser and device. This data is used by Facebook to improve its services and
may be subject to Facebook’s own privacy policies. You can manage your privacy settings on
Facebook to control the data shared.

For more information, please refer to Facebook's privacy policy, available at:
https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.

Moreover, our website may include social widgets, such as "Share" buttons, "Like" buttons,
embedded social media feeds, or other social media functionalities provided by third-party
platforms (e.g., Facebook, LinkedIn). When you interact with social widgets, the following data
may be collected:

1. Information related to your interactions with social media widgets, including the content
you “Share” or "Like" and any comments you make.
2. Information about your device, browser, IP address, and browsing activity related to the
use of social widgets.
3. If you are logged into the social media platform, your interaction data may be linked to
your social media profile.

3.15 Mailing Lists and Newsletters​


When you subscribe to our mailing list or newsletter, we collect personal information that you
provide, which may include your email address, required to send you newsletters and updates, as
well as your preferences, which help us tailor our content to you. The personal
information collected is used for the following purposes:

1. To deliver periodic newsletters, updates, and promotional content;
2. To tailor the content of our communications based on your interests and preferences;
3. To analyse engagement with our emails to improve our communications.

You have the right to opt out of receiving marketing communications from us at any time. If you
no longer wish to receive our newsletters or promotional emails, you can easily unsubscribe.
Each email we send includes an unsubscribe link at the bottom. You should simply click on this
link to unsubscribe from our mailing list. If you encounter any issues with the unsubscribe
process or have any questions, please contact us at: [email protected].

3.16 Non-continuous geolocation​


Our website may collect non-continuous geolocation data to provide location-based services or
features. Non-continuous geolocation refers to the collection of your location information at
specific times or during particular interactions, rather than tracking your location continuously.
The following types of geolocation data may be collected:

1.​ Location Data about your geographic location, which may be obtained through your
device’s GPS, IP address, or other location-detection technologies.
2.​ Interaction Data collected during specific interactions or requests, such as when you use
location-based features or services.

The non-continuous geolocation data collected is used for the following purposes:

1. To provide and improve location-based services;
2. To enable specific features that rely on your location;
3. To analyse how location-based features are used and to enhance the accuracy and
relevance of our services.

Please note: Finom ensures that non-continuous geolocation data is used only for the purposes
stated and not for any other unrelated purposes.


3.17 Phone number and call recording
We may use your phone number to contact you for various purposes related to our services.

The data collected through our phone contact is used for the following purposes:

1.​ To assist you with inquiries, provide customer service, and resolve issues;
2.​ To assist in the quality monitoring of staff performance and help make service
improvements;
3.​ To inform you about important updates, changes to our services, or account-related
information;
4.​ To verify your identity as part of our authentication or fraud prevention measures;
5.​ To collect feedback or conduct surveys to improve our services.

Please note: In order to record conversations for training and quality purposes, the data subject
should provide his/her freely given, specific, informed, and unambiguous consent for the
specific purpose of recording the call.

Call recording will be carried out in the following cases:

1. Express consent: When all parties involved in the call have given explicit and informed
consent to the recording.
2.​ Legitimate interests: When the recording is necessary for the company’s legitimate
interests, provided that the fundamental rights and freedoms of the data subject do not
prevail.
3.​ Legal obligations: When the recording is necessary to comply with a legal obligation.
4.​ Performance of a contract: When the recording is necessary for the performance of a
contract to which the data subject is a party.
5.​ Protection of vital interests: Recording is necessary in exceptional cases to protect a
person’s vital interests.

In any case, Finom’s Sales Team and/or Customer Support Service will inform you at the
beginning of the conversation about the upcoming recording, as well as identify the purpose of
recording the phone calls. Calls are recorded during interactions with our Customer Support
Team, Sales Team, and other relevant departments when required for the purposes outlined
below.

Please note: For inbound calls, your consent will be obtained through our Privacy Policy which
you are informed of at the start of your relationship with us. For outbound calls, your consent
will be verbally obtained at the beginning of each call.

In any case, you will be duly and properly informed and your consent will be obtained prior to
the recording of the call. In particular, recording begins once the call is connected and you have
been informed and provided your consent, or as specified for outbound calls, where consent is
obtained at the start.

Your consent must be given freely, specifically, consciously and unambiguously for the specific
purpose of recording the conversation. Finom will provide more accurate and specific
information in a welcome voice message played before each call as a precondition for obtaining
informed consent in accordance with applicable EDPB guidelines and best practices.

In this regard, Finom respects and guarantees the user's right to object. This right to object is
key to ensuring compliance with the consent thresholds. In order for consent to be given freely,
the data subject (user) will be informed of his/her right to object.

The recording will start only after you are informed and give your consent. If you do not agree
with the recording, you will be given the opportunity to end the conversation without further
recording. We will respect your preference, and the call will not be recorded.

Please note: We implement appropriate technical and organizational measures to protect call
recordings from unauthorized access, use, or disclosure. Call recordings occur over our secure
telephony systems and are stored in a secure digital environment, i.e. systems and servers that
meet appropriate security standards protect the personal data recorded, as well as encrypt the
data to prevent unauthorized access. The data will be stored only within the EU/EEA or in
countries with adequate data protection recognized by the European Commission. Recorded
calls are stored in a secure location and are only accessible by authorized personnel. Records
are retained only for as long as necessary to fulfil the purposes set out above and in
accordance with legal requirements.

You have the right to access the recordings of your calls. If you wish to request access to or a
copy of a recorded call, please contact us at: [email protected]. If you wish to request the
deletion (erasure) of call recordings, you may also contact us at the above-mentioned e-mail
address. We will review and process your request in line with GDPR requirements and ensure
that recordings are deleted once they are no longer needed for the purposes specified.

3.18 Invitation or Suggestion​


Our website may include features that allow you to invite or suggest friends to join our platform
or use our services. This feature may be used to share our site or app with your contacts
through various methods such as email, social media, or other communication channels.

4. Special categories of data


We do not intentionally ask you to provide information that belongs to a “special” category, like
racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, genetic data, biometric data for the purpose of uniquely identifying an individual,
data concerning health or data concerning sex life or sexual orientation.

However, there may be circumstances where your transaction data reveals this more sensitive
information. For example:
●​ payments or recognition of invoices for medical services or treatments may reveal data
concerning your health;
●​ making contributions and donations to churches, NGOs, political parties, trade unions etc.
may reveal your religious or philosophical beliefs or political affiliation.

Taking into account this risk, we ensure that this information is fully protected in compliance
with the GDPR.

5. Sharing your data with third parties


In order to provide you with certain functions and services, we have to share your personal data
with partners, external third-party service providers, related and regulatory entities. They only
process your personal data on the basis of data processing agreements and in accordance
with strict instructions, which do not allow them to use your data for any other purposes
without notifying you or asking for your consent. Here are some of the categories of the parties
we may share your data with:

● payment services providers: Solaris, Treezor, Finom Payments;
● providers that make and deliver your cards;
●​ cloud computing and storage providers: like Google Cloud Storage, provided by Google
LLC and Google Ireland Limited, as well as Amazon Web Services, depending on how the
Owner manages the data processing. They collect various types of data as specified in
their privacy policy of the service for the purposes of hosting and backend infrastructure;
●​ consent database service providers: like Iubenda Consent Database provided by
Iubenda SRL for the purposes of hosting and backend infrastructure;
●​ system administration of infrastructure services providers: like Nixys (Nixys LLC),
collecting various types of data needed to provide services on installation, configuration,
and on-going system administration of infrastructure services on the Servers to facilitate
Finom’s web applications development process, deployment and optimal performance for
the purposes of platform services and hosting;
●​ analytics and business intelligence platforms: like Amplitude Inc. and Microsoft
PowerBI, collecting Trackers and Usage data for the purposes of providing analytics
services;
●​ analytics service providers: like Facebook Analytics for Apps and Google Analytics
(Universal Analytics);

●​ payment providers/processors: like Stripe and Klarna – a payment service, provided by
Klarna AB for the purpose of handling payments. Various types of data as specified in the
privacy policy of the service;
●​ partners supporting the electronic invoicing and digital preservation services: like
DocuMI. They collect various types of data needed to provide Services. In particular,
DocuMI SRL (Italy) enables and facilitates the integration of this Application with the
Italian Exchange System (SDI) for the fulfilment of legal obligations. In this framework,
Personal Data is shared with DocuMI for the purpose of creating, sending and digital
preserving electronic invoices;
●​ documents recognition tool providers: like Nano Nets provided by Nano Net
Technologies Inc., collecting various types of data as specified in the privacy policy of the
service for the purposes of connecting data and offering the best-in-class invoicing
service;
●​ providers that help us to ensure compliance with AML regulations: including User's
identification document and identity verification service providers like Onfido Limited
providing verification of identity services in the framework of on-boarding process;
●​ vendors supporting the company registration & capital deposit process;
●​ providers that help us to ensure your digital safety and security: while on Finom
platform;
●​ partners providing business intelligence services and other proprietary databases:
for instance business registers in countries across the EU, credit rating agencies, providers
of sanctions screening and others;
●​ companies that help us to send you service and marketing related messages;
●​ email address management and message sending service providers: like Mailjet
provided by SAS Mailjet. It collects email address, usage data, first name, last name, phone
number, username, company name, country;
●​ providers that help us to communicate with you: like Intercom provided by Intercom
Inc. and Twilio provided by Twilio, Inc. for the purpose of user database management,
managing contacts and sending messages.
In particular, Intercom is an AI assistant platform provided by Intercom Inc., collecting
email address, trackers, usage data, as well as other various types of data as specified in
the privacy policy of the service, that enhances the capabilities of the support and
communication channels available on Finom by making use of artificial intelligence (‘AI’)
techniques.
At the same time, Twilio is a phone numbers management and communication service
provided by Twilio, Inc.

●​ providers of software that we use for internal support and issue tracking: like
Salesforce Sales Cloud;

Based on your clear and explicit consent, we also process your data via Salesforce Sales
Cloud, a cloud-based CRM solution that is a key tool for sales, partnership, and account
management. It is important software that we use for internal support. In particular, we
use this internal support tool (software) in our business activities to store and track the
progress of specific transactions and customer data (such as your first name, last name,
email address, phone number, company name and conversation details). These tools help
manage customer interactions, track sales leads, and provide support services efficiently.
Our primary objective (purpose) in processing your data with the Salesforce and Intercom
integration is workflow enhancement and seamless data transmission. We aim to help
customer care efficiently generate customers/leads within Salesforce through integrated
and automated processes.
More information about the integration, including how it works, is available at the
following link:
https://www.intercom.com/help/en/articles/4497943-install-and-configure-the-salesforce-app.

●​ our affiliate companies: like Finom Tech Ltd to receive support in providing our services
to our clients;
●​ companies providing access to third-party accounts: like Salt Edge (Salt Edge Ltd). In
order to enable access to information on Users’ financial accounts and related data
enrichment services, Service Provider partners with a trusted third party, Salt Edge
Limited (hereinafter “Salt Edge”). Salt Edge is an account information service provider
registered in the United Kingdom, FCA reference number 822499, registered address:
71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ, United Kingdom. The
account information services provided by Salt Edge involve collection and processing of
Personal Data by Salt Edge as data controller. Such Personal Data processing is performed
by Salt Edge in accordance with its Privacy Policy and Terms of Service. By using the
account information services as part of the services, User agrees and consents to such
Personal Data processing by Salt Edge.
●​ mobile payment providers: like Google and Apple Pay;
●​ advertising and behavioral targeting service providers: like Facebook Ireland Ltd (‘Meta
Custom Audience’ and ‘Meta Lookalike Audience’), AdRoll, Inc., as well as LinkedIn Website
Retargeting service, provided by LinkedIn Corporation. They collect Trackers and Usage
Data for the purposes of remarketing and behavioural targeting.

AdRoll serves targeted advertising on any device connected to the Users, by processing
their email address using a security technique called hashing. Moreover, AdRoll may also
automatically collect certain types of data to serve personalized recommendations to the
User, as stated in its privacy policy.

At the same time, Meta Custom Audience connects the activity of Finom with the Meta
Audience Network, collecting email address and trackers in order to display ads to Users
with similar behaviour to Users who are already in a Custom Audience list on the basis of
their past use of Finom or engagement with relevant content across Meta's apps and
services. On the basis of these data, personalized ads will be shown to Users suggested by
Facebook Lookalike Audience.

Please note: Users can opt out of Meta's use of Trackers for ads personalization by visiting
the following opt-out page:
https://accountscenter.facebook.com/?entry_point=app_settings.

●​ spam and bots protection service providers: like Google reCAPTCHA, provided by
Google Ireland Limited, collecting usage data and trackers. The use of reCAPTCHA is
subject to the Google privacy policy and terms of use. In order to understand Google's use
of Data, consult their partner policy and their Business Data page;
●​ web-based automation tool providers: like Zapier Inc. that connects various
applications and services to automate workflows;
●​ website optimization and personalization tools providers: like Google Optimize and
Google Optimize 360 which help Finom enhance user experience and achieve its goals
through experimentation and customization;
●​ traffic optimization and distribution providers: like Cloudflare Inc., collecting trackers
and other various types of data, as specified in the privacy policy of the service. The way
Cloudflare Inc. is integrated means that it filters all the traffic through Finom, i.e.,
communication between Finom and the User's browser, while also allowing analytical data
from Finom to be collected;
● contact form providers and call center software service providers: like CloudTalk s.r.o.
They collect various types of data, such as first name, last name, VAT number, company
name, country, email address, phone number, tax ID, User ID, etc. for the purposes of
contacting our Users. In particular, CloudTalk allows our customer support team to handle
inbound and outbound calls. At the same time, by filling in the contact form with their
data, the User authorizes Finom to use these details to reply to requests for information,
quotes or any other kind of request as indicated by the form’s header;
●​ advanced data analytics and omni-channel campaign execution service providers:
like Exponea and finance Ads Pixel, collecting contact details and usage data for the
purposes of analytics. In particular, Exponea is a platform combining advanced data
analytics and omni-channel campaign execution. The service is provided by Exponea sro
(acquired by Bloomreach in 2021). At the same time, financeAds Pixel is an analytics
service provided by financeAds International GmbH, collecting cookies and Usage Data,
that connects data from the financeAds advertising network with actions performed on
Finom. The financeAds pixel tracks conversions that can be attributed to ads on
financeAds network of partner sites;
●​ registration and authentication service providers: like Onfido (Onfido Limited);
Facebook Authentication service provided by Facebook, Inc.; Google OAuth service
provided by Google LLC and Google Ireland Limited, as well as LinkedIn OAuth provided by
LinkedIn Corporation, for the purposes of registration and authentication, depending on
how the Owner manages the Data processing, and is connected to the Google, LinkedIn or
Facebook network. They collect various types of data as specified in the privacy policy of
the services;

●​ content commenting service providers: like Facebook Comments provided by Facebook
Ireland Ltd for the purpose of content commenting, and enabling the User to leave
comments and share them on the Facebook platform;
● form builder and data collection platform providers: like Typeform provided by
TYPEFORM S.L. It collects first name, last name, email address, username, VAT number,
company name, tax ID, country;
●​ Meta lead ads’ service: provided by Facebook, Inc. and Facebook Ireland Ltd as
advertising and data collection service providers for the purposes of managing data
collection and online surveys. They collect trackers, first name, last name, email address,
city, country, phone number, company name, allowing form-based ads to be shown to
Users pre-populated with Personal Data from their Facebook profiles. Depending on the
type of advertisement, Users may be requested to provide further information;
● Meta ads conversion tracking service: provided by Meta Platforms Ireland Limited,
collecting tracking and usage data for advertising and analytical purposes;
● Microsoft Advertising service: provided by Microsoft Corporation, collecting tracking and
usage data for advertising and analytical purposes;
●​ Google Tag Manager service: provided by Google Ireland Limited for the purpose of Tag
Management. Google Tag Manager is a tag management service provided by Google
Ireland Limited, collecting usage data. In order to understand Google's use of data, consult
their partner policy and their Business Data page;
●​ Group IB Fraud Hunting Platform: provided by Group-IB Europe BV for the purposes of
operations and fraud prevention. It collects IP address, version of the operating system,
brand and model of the device, unique identifiers of the device, browser used, information
about the time the Application was accessed, name and parameters of the network
connection, customer identifier, information about the geolocation of the User’s device.

We, our partners, service providers and others may also be required to share your personal data
with various financial institutions and/or enforcement agencies or court authorities to comply
with applicable laws, prevent fraud, enforce an agreement we have with you, or to protect our
rights, property or safety, or the rights, property or safety of our employees or agents.

Before entering into an agreement with any new partner, vendor or service provider that will
process your personal data, Finom verifies that the data transfer will be performed in
accordance with the GDPR.

Submitting the form results in the collection and processing of your data by the Owner
according to this privacy policy. We will use the collected data only for the specific purpose
outlined on the form and/or described in this privacy policy.

When processing personal data, we consider the balance between our legitimate interests and
your fundamental rights and freedoms. We are committed to ensuring that our processing
activities do not override your privacy and data protection rights.

6.​ Third-Party Data Usage
When you interact with our website or use our services, certain third-party services, such as
Google Analytics, Google reCAPTCHA, Google Optimize, Google Tag Manager, Facebook Analytics,
and others, may collect and process your personal data. We are committed to transparency and
want to ensure you understand how these third parties use your data.

6.1 Google Services


When you consent to the use of our services, including those provided by Google, you are also
consenting to the processing of your data by Google in accordance with their policies. We utilize
Google services, such as Google Analytics, Google Cloud Storage, Google reCAPTCHA, Google
Optimize, Google Tag Manager and Google OAuth, which may involve the collection and use of
your personal data. Google may use your data for:

● Analytics: Understanding website traffic and user behavior.
● Advertising: Delivering personalized ads and measuring their effectiveness.
● Other purposes as outlined in Google’s policies.

For detailed information on how Google uses your data, please refer to Google’s Business Data
Responsibility Site: https://business.safety.google/privacy/

6.2 Other Third-Party Services


Similarly, other third-party providers listed above, such as Facebook, LinkedIn, AdRoll, etc., collect
and process data for purposes such as analytics, advertising, and service provision. You should
review the individual privacy policies of these third parties to understand how they use your
personal data. For example, Meta (Facebook) privacy policies can be found on their platform. We
encourage you to review the privacy policies of all third-party services we use to understand
their data processing practices.

6.3 Data transfers to third countries


Finom stores and processes your data in the European Union (EU), specifically in
Germany. However, we cannot offer all our services by ourselves. A small number of our partners,
service providers or other parties may be processing the data in countries outside the EU or the
EEA.

In such cases of transferring data from the EU to third countries, to ensure that your personal
data receives a comparable level of protection, we employ appropriate safeguards, such as
adequacy decisions and frameworks or Standard Contractual Clauses approved by the European
Commission. This means that Data recipients have committed to process Personal Data in
compliance with the data protection standards set forth by EU data protection legislation. For
further information, Users are requested to contact the Owner through the contact details
provided in the present document.

The European Commission adopts adequacy decisions for specific countries whenever it
considers that country to possess and provide Personal Data protection standards comparable
to those set forth by EU data protection legislation. Users can find an updated list of all
adequacy decisions issued on the European Commission's website. The third countries which
ensure an adequate level of protection are: Andorra, Argentina, Canada (only commercial
organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland,
Uruguay, Japan, the United Kingdom and South Korea. Data transfer to these countries is
expressly permitted.

6.4 Automated decision-making and profiling


We process your data partially automatically in order to evaluate certain personal aspects
(profiling). For example, we use machine learning and other techniques to prevent fraud, combat
money laundering, terrorist financing and asset-polluting crimes. Our monitoring model
combines information from transaction details, customer profile data and device session data.
The approach is based on current fraud trends, best practices from our partners and other
sources. These measures serve to protect your interests and keep your deposits secure.

7. How long we keep your data


We keep your personal data for as long as it is necessary to achieve the purpose for which it was
collected, usually for the duration of our contractual relationship plus any period thereafter as
required by anti-money laundering or other applicable laws, or in case of potential or ongoing
court litigation. When the purpose for processing is fulfilled, but we are required to keep the
data, it will be restricted and stored in a secure archive. Depending on the purpose, this
period can range from 2 to 15 years after termination of your business relationship with us.
Once that period is over, the data is anonymized/pseudonymized.

Recorded calls will be deleted after 12 months, unless it is necessary to extend the retention
period of a specific recording to investigate a specific service event, misuse or as part of
criminal investigation. The recordings will be securely destroyed after the retention period
expires.

8.​ Your rights


Data protection laws provide you with substantial rights to help you understand and control how
your personal data is used. As a result, you have the right:

●​ to be informed about why and how we are processing your personal data - this Privacy
Policy fulfills this right.
●​ to have access to your data - you have the right to ask us if we are processing your
personal data, why we are doing so, under what lawful basis, the categories of your
personal data, whether the data is being sent outside the EU, who we share your data with,
how long we keep it, and request a copy of the data we are processing.
●​ to rectification - if any of your personal data that we hold is inaccurate, you can request
to have it corrected. You can correct a significant number of your personal data via the
app or by contacting our customer support via the chat.
●​ to object to some processing - direct marketing, call recording, or if processing is based
on legitimate interests.
●​ to have your data deleted - also known as the “right to be forgotten”. You can exercise
this right if you withdraw your consent and there is no further legitimate interest in our
processing of your data. Please note that Finom has the right to reject this request if the
processing is based on a legal obligation or contract execution.
●​ to restrict processing - if the personal data we are processing is inaccurate, if our
processing is unlawful, if the data is no longer necessary for the original purpose of
processing but needs to be kept for potential legal claims, or you have objected to
processing carried out under legitimate interests and we’re still in the process of
determining whether there is an overriding need to continue processing.
●​ to ask us about automated decision-making - you have the right to ask us to explain the
logic involved in making any automated decisions and for the decision to be reviewed by a
human being, if that decision had an effect on your rights or freedoms.
●​ of data portability - you can ask for your data that we process by using a computer,
which you provided to us on the basis of consent or because it was necessary for a
contract.
●​ to lodge a complaint with the competent data protection authority if you have concerns
about how we process your personal data (a list of national data protection authorities is
available on the website of the European Data Protection Board). We encourage you to
contact us first and give us an opportunity to understand and resolve the issue before
filing an official complaint. This way your issue will be resolved much faster and with the
FINOM personal touch.

If you would like to exercise any of these rights, or find out more about how we process your
personal data, please contact us at [email protected]. Reasonable access to your personal data
will be provided at no cost. When you decide to exercise one of the rights mentioned above, we
have 30 days from the time that you submitted your request to fulfill it or provide a reasonable
explanation for why we cannot fulfill it, or if we cannot fulfill it in time.

Users may exercise their rights, at any time, including the right to withdraw their consent to the
processing of their data, as specified in the section containing information about User rights in
this privacy policy.

If you have any questions or require further clarification regarding any provisions in this Privacy
Policy, please do not hesitate to contact our DPO at [email protected]. It is important to us that
our users fully understand how their data is used and processed, as well as the purposes for
which it is processed. We are committed to ensuring that our users have a clear understanding
of our data practices and are available to provide any additional information or support needed,
as much as it is possible and practicable.

9.​ Information security


To help protect the privacy of personal data you provide through the use of our website or
mobile app, we maintain physical, technical and administrative safeguards to secure your
information from unauthorized access and use, alteration and destruction. We update and test
our security technology on an ongoing basis; carefully assess security risks, including those
associated with personal data, and work to mitigate them. Our approach is based on best
practices of IT Security and industry requirements.

We restrict access to your personal data to those employees who need to know that information
to provide services to you. In addition, we train our employees about the importance of
confidentiality and maintaining the privacy and security of your data. We commit to taking
appropriate disciplinary measures to enforce our employees' data protection responsibilities.

Also, we ensure that our partners and vendors have sufficient IT security measures and
standards in place to process your data securely.

10. Changes and updates to this Privacy Policy
As our products and services develop over time, this Privacy Policy may change as well. While we
reserve the right not to send you a notification every time, we will keep this Privacy Policy up
to date at all times. We may email periodic reminders of our notices and terms and conditions and will notify
you of material changes thereto, but we invite you to periodically check our site or the app to
see the current Privacy Policy and any updates that may have been made to it.

11.​ Solaris Addendum
Fraud prevention and anti-money laundering checks​
When you register via our Finom.co website or Finom app to use the banking services provided
by Solaris SE, Cuvrystraße 53, 10997 Berlin, Germany (“Solaris”), and on an ongoing basis while
you use such services, Solaris will perform a risk assessment for fraud prevention and
anti-money laundering purposes. For such purposes, Solaris uses SEON Technologies Kft.
(Rákóczi út 42. 7. em., Budapest 1072, Hungary) as a service provider under a data processing
agreement with Solaris in accordance with Art. 28 GDPR. For the processing activities described
in this section, we have entered into a joint controllership agreement with Solaris (Art. 26 GDPR).
We will provide you with further information at any time upon request.

In order to perform the risk assessment, we collect and transfer to Solaris the following browser
data, device data, traffic data and location data from your device: IP address including type (e.g.
commercial, mobile line, university) and whether it is listed as harmful, TOR value, VPN, proxy,
number of accessories attached to your device, whether your phone is muted or not, device
system’s volume, country code and name of carrier (a) associated with the SIM card and (b) the
device is currently using, device model type and unique identifier, system uptime, iCloud token,
version and name of device given by the user in iOS settings, when the device last booted in
UNIX time format and UTC time zone, country code and ID associated with device, cookie
session ID, and browser details / settings including scrolling behavior.

Solaris may add additional information and will then transfer such data to SEON along with your
email address, name and phone number for performance of a risk analysis regarding potential
fraudulent or other illicit activities.

SEON analyses this personal data based on a mathematically-statistically recognised and
proven procedure and will provide Solaris with a fraud risk score. As part of the analysis, SEON
may perform email analysis, social media lookup or address profiling.

Based on the analysis and risk score, you will be able to complete your registration, be rejected
as a new customer, or may be guided through an extended registration process. The
decision-making process is automated. If you want to challenge the automated decision and
want to have a human review of this automated decision, you can get in touch with us by
contacting [email protected]. Once you have given your consent and are onboarded, Solaris will
continuously collect the above data and perform additional risk analysis via SEON for ongoing
fraud risk assessment.

The legal basis of the processing is your consent and the implementation of necessary steps for
entering into a contract requested by you (Art. 25 TTDSG, Art. 6 (1) lit. a, Art. 22 (2) lit. a GDPR).
While you are free to give your consent, you cannot use the banking service provided by Solaris
without consenting, because the fraud prevention and anti-money laundering check is
necessary for a secure provision of the banking services by Solaris. As a licensed bank, Solaris
has a statutory obligation to fight money laundering by setting up a functioning risk management
system and internal security measures as well as an ongoing screening of customers’ activities
(sections 4, 6 and 10 of the German Anti-Money-Laundering Act). You can withdraw your
consent at any time by email to [email protected], but without consent you will not be able to
continue using Solaris’ services.

Your personal data will be stored until the purposes of processing these data as set forth above
have been achieved, and be deleted within 12 months after performance of the risk assessment
at the latest, unless statutory retention obligations apply (e.g. under anti-money laundering,
commercial or tax law).
