1. INTRODUCTION
1.1 Welcome to Access to Account web application (the “User Interface”).
1.2 Capitalised terms used in this End User Licence Agreement (“EULA”) shall have the meaning given in clause 16.1.
1.3 In this EULA:
(a) “we”, “us” and “our” means CRIF Realtime Ireland Limited, a company registered in the Republic of Ireland under company number 641672 with its registered office at 3rd Floor, Block D, Adelphi Plaza, Dun Laoghaire, Co. Dublin
(b) “you” and “your” means the entity identified in the Identification Form which is entering into an Agreement with us to enable it to use the Service.
1.4 By downloading or otherwise accessing the User Interface you agree to be bound by this EULA which together with our privacy notice available below at the end of the present EULA (“Privacy Notice”) form a legally binding agreement between you and us relating to our provision of the Services to you (“Agreement”). If you do not agree with any of the terms of the Agreement, you should stop using the User Interface immediately.
1.5 The person entering into the Agreement:
(a) warrants and represents that he / she has the authority to act on your behalf;
(b) acknowledges that he / she has read and understood this EULA;
(c) acknowledges that he / she has read and understood our Privacy Notice; and
(d) is deemed to have agreed to the terms of the Agreement on your behalf.
2. ABOUT US
2.1 We are authorised and regulated by the Central Bank of Ireland (“CBI”) as an “account information service provider” under Statutory Instrument number 6 of 2018 - European Union Payment Services Regulations 2018 (“PSRs 2018”) with reference number C190092.
2.2 Subject to this EULA we shall provide you via the User Interface with an account information service, under which we will obtain Account Data directly from the Designated Payments Accounts from Financial Institutions, provide this Account Data to you and to you through the third party service providers specified by you so that they can provide their services to you (each such third party being a “Third Party Service Provider”).
3. TERM AND TERMINATION
3.1 The Agreement is effective when you accept the present Agreement authorizing us to provide you with the Services (“Effective Date”).
3.2 Either you or we may terminate the Agreement at any time by giving written notice to the other party.
3.3 On termination of the Agreement for any reason:
(a) the licences granted under clause 6.1 shall immediately terminate;
(b) your data will be handled in accordance with the Privacy Notice; and
(c) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination shall not be affected or prejudiced.
4. ACCESS TO ACCOUNT DATA AND SENDING ON TO THIRD PARTY SERVICE PROVIDERS
4.1 When you make a request via the User Interface for us to retrieve your Account Data, in order for us to provide the Services, via the User Interface you must:
(a) according to PSD2 Article 67, section 2 (f), give us your explicit consent for us to access transaction and other account data from all of your Designated Payment Accounts (“Account Data”) and process them solely in accordance with the Permitted Purposes outlined in clause 5.2 of the present Agreement and in the Privacy Notice;
(b) identify yourself to the relevant Financial Institutions where requested;
(c) declare that during the Term you have given your consent for us to obtain Account Data from all your eligible banking accounts and agree to notify us immediately if this declaration ceases to be true;
(d) give explicit consent for the processing of special categories of personal data as defined under GDPR article 9, that could be processed within the Services; and/or
(e) confirm the Third Party Service Providers to whom you wish to receive the Account Data and tell us of any changes in the list of Third Party Service Providers to whom you want to receive the Account Data.
4.2 If the consent you give us to access and use the Account Data expires, we may ask you via the User Interface to renew your consent, and/or re-identify yourself to the relevant Financial Institution(s).
4.3 You may at any time via the User Interface, revoke or amend the consent you have given us to access and use all or part of the Account Data, but if you do so and we need to use such data to perform the Services, we may immediately cease providing the Services to you.
4.4 You are responsible for maintaining the confidentiality and security of any Security Credentials, and will inform us immediately if you become aware of any loss, theft or unauthorised use of the same. We reserve the right to deny access to the User Interface (or any part thereof) if we reasonably believe that any loss, theft, or unauthorised use of Security Credentials has occurred. Such denial of access may without limitation enable us to investigate said loss, theft or unauthorised use of any Security Credentials.
5. PROVISION OF THE SERVICES
5.1 When you make a request for an updated set of Account Data using the User Interface, subject to your compliance with this EULA we shall use reasonable endeavours to:
(a) collect all available Account Data directly from your Designated Payment Accounts using an account information service within the meaning of the PSRs 2018;
(b) provide to you a copy of the Account Data in a report (and we shall use reasonable endeavours to provide this report within 1 Business Day of you successfully identifying yourself with the relevant Financial Institution for the purpose of granting us access to the Account Data); and
(c) provide the Account Data to the Third Party Service Providers you have indicated, together, the “Services”.
However, we shall not verify, audit or carry out any due diligence analysis in relation to the Account Data and/or its accuracy, quality or completeness, whether before or after passing it to Third Party Service Providers, and you are solely responsible for any actions you take on the basis of such information.
5.2 We shall only use the Account Data or any other data you provide to us as follows:
(a) to provide you with the Services and any additional services you consent to as described in the Privacy Notice;
(b) to create aggregated data (including in combination with other customers’ data, provided that your data does not identify any individual), that we can then use for statistical analysis, to improve the User Interface, the Services and our services generally, or for our other reasonable business purposes; and/or
(c) to anonymize Account Data and use them for statistical purposes;
(d) share it with third parties only as described in the Privacy Notice and only for the purposes described in the Privacy Notice;
(e) to share the Account Data, provided that your data does not identify any individual, (i) with third parties for statistical purposes and/or (ii) to third parties (for example lenders or professional service companies) for the assessment of your company’s eligibility for their offerings, together, the “Permitted Purposes”.
6. GRANT OF LICENCE
6.1 Subject to your compliance with this EULA, we grant You, a limited, non-exclusive, non-transferable, non-sublicensable, revocable licence during the Term to permit you to use the User Interface, and to use any documentation or user guides we may provide to assist in using the User Interface.
6.2 You shall not:
(a) sublicense to any third party any rights in or to the User Interface;
(b) use the User Interface for any commercial purpose whatsoever other than to obtain the Services for your own internal business purposes;
(c) sell, transfer, license, rent, lease, loan, provide, distribute or otherwise allow access to the User Interface to third parties or host the User Interface in a multi-tenant arrangement, in each case without our prior written consent;
(d) use the User Interface in any unlawful manner, for any illegal or unauthorised purpose or in a manner which promotes or encourages illegal activity including (without limitation) copyright infringement;
(e) attempt to gain unauthorised access to: (i) the User Interface; or (ii) any networks, servers or computer systems connected to the User Interface; or
(f) modify, adapt, translate or reverse engineer any part of the User Interface or re-format or frame any portion of the pages comprising the User Interface, save to the extent expressly permitted by this EULA or by law.
7. REPRESENTATIONS AND WARRANTIES
7.1 As of the Effective Date and at all times during the Term you warrant and represent that:
(a) you are the account holder for the Designated Payment Accounts and have the authority to permit us to access, use and transmit the Account Data in accordance with this EULA;
(b) any information you provide to Us via the User Interface (including any Security Credentials) contains no Viruses or material which is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing, facilitates illegal activity or causes damage or injury to any person or property;
(c) you will ensure that your use of the User Interface and the Services does not breach any violate any applicable law, or any applicable terms and conditions, policies, guidelines, regulations, restrictions of the relevant Financial Institution(s) and we hereby expressly disclaim any liability arising from any failure by you to do so;
(d) CRIF Realtime Ireland and the third parties listed in our Privacy Notice may legitimately process all the Personal Data to which we may have access by providing the Services, as listed under the Privacy Notice, and the data processing, performed in accordance to the EULA and the Privacy Notice, does not involve a violation of any applicable law; and
(e) at all times when using the User Interface you shall comply with all Applicable Laws.
8. INTELLECTUAL PROPERTY
8.1 We or our licensors own all rights including Intellectual Property Rights in the Materials. You may not use, copy, edit, vary, reproduce, publish, display, distribute, store, transmit, commercially exploit or disseminate in any form whatsoever the Materials except:
(a) as expressly permitted in this EULA; or
(b) with our prior written consent.
8.2 We and our licensors reserve all rights in and to the Materials not expressly licensed to you under clause 6.1.
9. LINK TO THIRD PARTIES
The User Interface may contain links to websites operated by third parties (“Third Party Websites”). We do not have any influence or control over any such Third Party Websites and, unless otherwise stated in the User Interface, are not responsible for and do not endorse any Third Party Websites or their availability or contents.
10. CONFIDENTIALITY
10.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under the Agreement. Each party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third party or use the other’s Confidential Information for any purpose other than the implementation of the Agreement. Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of the Agreement. Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party. A party’s Confidential Information shall not be deemed to include information that: (i) is or becomes publicly known other than through any act or omission of the receiving party; (ii) was in the other party’s lawful possession before the disclosure; (iii) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; (iv) is independently developed by the receiving party, which independent development can be shown by written evidence; or (v) is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
10.2 Other than as set out in the Agreement, no party shall make, or permit any person to make, any public announcement concerning the Agreement without the prior written consent of the other parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
11. PRIVACY NOTICE
For the purposes of Data Protection Legislation, we are the Controller of Personal Data which you submit to us via the User Interface. We will only use Personal Data provided by you in accordance with the Privacy Notice.
12. LIMITATIONS OF LIABILITY; INDEMNITIES
12.1 Nothing in the Agreement shall limit or exclude our liability (i) for death or personal injury caused by our negligence, (ii) for fraud or fraudulent misrepresentation or (iii) to the extent that such liability cannot be limited or excluded by Applicable Laws.
12.2 Subject to clause 12.1, neither party shall be liable to the other under or in relation to the Agreement (whether such liability arises in contract, tort (including negligence), or otherwise) for any loss of profits, sales, turnover, contracts, customers, business, anticipated savings, reputation, software, data or information (in each case whether direct or indirect) or for any indirect or consequential loss or damage, in each case regardless of whether the relevant party was aware of the possibility of such matter.
12.3 Subject to clauses 12.1 and 12.2 our total liability to you under or in connection with the Agreement (whether in contract, tort (including negligence), for breach of statutory duty, or otherwise) shall be limited, in respect of all events occurring during the Term to €1,000 (one thousand euros) save that our liability in connection with any unauthorised or fraudulent access to, or use of, your Bank Account Data shall be limited (whether in contract, tort (including negligence), for breach of statutory duty, or otherwise) to the level of our professional indemnity insurance, prorated as between you and any other users of our services who are affected by the same incident which gives rise to the relevant liability.
12.4 Except as expressly and specifically provided in this EULA and to the fullest extent permitted by Applicable Laws:
(a) the User Interface and the Services are provided to you on an “as is” basis; and
(b) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute, common law or otherwise are excluded from the Agreement, including without limitation any warranty, term or condition as to the accuracy, availability, timeliness, completeness, satisfactory quality, performance and/or fitness for purpose of the User Interface and/or the Services.
12.5 We shall not be in breach of the Agreement or liable for failure to provide the Services due to circumstances beyond our reasonable control. We are not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and you acknowledge that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities. In addition, we shall not be in breach of the Agreement or liable for failure to provide the Services in circumstances where we are unable to access any part of the Account Data, either because you have not given or re-applied the relevant consent, or because the relevant Financial Institution is restricting access or unable to provide access for reasons outside our control).
12.6 We do not carry out any due diligence nor audit the Account Data for its accuracy or completeness (including as to whether or not all relevant information has been provided by you). We shall have no liability for any loss caused by (i) errors or omissions in any data, information or instructions provided by you in connection with the User Interface or the Services or (ii) any actions taken by us at your direction.
12.7 You assume sole responsibility for results obtained from your use of the User Interface and the Services and for conclusions drawn from such use. Any usage of your Account Data by a Third Party Service Provider shall be governed by the arrangements in place between you and such Third Party Service Provider, and we expressly disclaim any responsibility or liability in relation to such usage.
12.8 You shall indemnify us from and against damages, losses, costs, expenses and liabilities (including reasonable legal fees related thereto) which are directly or indirectly incurred by us as a result of or in connection with:
(a) your use of the User Interface and/or the Services otherwise than in accordance with this EULA and Applicable Laws; and/or
(b) any claim made by any third party arising from your access to and/or use of the User Interface and/or the Services.
12.9 You shall have sole control and authority with respect to the defence, settlement or compromise of any third party claim to which the indemnity in clause 12.8 applies provided that, unless we are fully released from any claim and are not required to make any admission of liability, you must obtain our prior written consent for any such settlement or compromise.
13. SERVICE SUSPENSION
If we know or reasonably suspect that you are in breach of any term of this Agreement, or reasonably believe that we must do so in order to comply with Applicable Laws, we reserve the right to suspend or cease providing your access to the User Interface and/or any of the Services, with or without notice, and shall have no liability or responsibility to you in any manner whatsoever if we choose to do so.
14. COMPLAINTS
14.1 If you have a complaint, please write to us at the email address dpo@crifrealtime.ie or such other email address as we may notify to you from time to time.
14.2 We will aim to resolve your complaint and issue you with our final response within 15 Business Days from our receipt of the complaint. In exceptional situations, we may not be able to respond within 15 Business Days and, if this is the case, we will inform you of the reasons for a delay. In any event we will provide you with a response to your complaint within 35 Business Days from our receipt of the complaint. Requests to exercise your Data Subject rights, as defined under Data Protection Legislation, will be dealt with in accordance with our Privacy Notice and anyway with Data Protection Legislation.
14.3 Depending on the nature of your complaint and if you remain dissatisfied with our response, you may have the right to refer your case to the Financial Services and Pension Ombudsman at Lincoln House, Lincoln Place, Dublin 2; telephone: 00353 1567 7000.
15. GENERAL
15.1 Force Majeure. We shall have no liability to you under the Agreement if we are prevented from or delayed in performing our obligations under the Agreement or from carrying on our business by acts, events, omissions or accidents beyond our reasonable control, provided that we notify you of any such event and its expected duration.
15.2 Variation. We reserve the right to update this EULA from time to time. If we do so, the updated version will be effective immediately and the current EULA is available through a link in the User Interface to this page. You are responsible for regularly reviewing this EULA so that you are aware of any updated version of this EULA and you will be deemed to have accepted any updated version of this EULA upon your continued use of the User Interface.
15.3 No Waiver. No failure or delay by a party to exercise any right or remedy provided under the Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
15.4 Rights and Remedies. Except as expressly provided in the Agreement, the rights and remedies provided under the Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
15.5 Severance. If any provision (or part of a provision) of the Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
15.6 Entire Agreement. The Agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover. Each of the parties acknowledges and agrees that in entering into the Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether made negligently or innocently and whether in writing or not) of any person (whether party to the Agreement or not) relating to the subject matter of the Agreement, other than as expressly set out in the Agreement.
15.7 Assignment. Neither party shall, without the prior written consent of the other party (not to be unreasonably withheld or delayed), assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under the Agreement, except for the right that we have to assign the contract to any company belonging to the CRIF group of companies, that can be done without any prior consent. However, we use technical service providers acting as Data Processor to help us to provide the User Interface and the Services to you; to this end, you agree that such technical providers may access, store and use your Account Data solely in order for them to provide their services to us, and we will remain responsible and liable for their compliance with the terms of this Agreement.
15.8 No Partnership or Agency. Nothing in the Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
15.9 Third Party Rights. A person who is not a party to the Agreement shall not have any rights to enforce any term of the Agreement. The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under the Agreement are not subject to the consent of any other person.
15.10 Notices. Any notice required to be given under the Agreement shall be in writing and shall be delivered by email as follows:
-
- to us at the email address dpo@crifrealtime.ie; and
- to you at the email address you provide to us in the Identification Form,
or such other email address as either party notifies to the other party from time to time. A notice sent by email shall be deemed to have been received at the time the email enters the information system of the intended recipient provided that no error message indicating failure to deliver has been received by the sender.
15.11 Governing Law. The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of the Republic of Ireland.
15.12 Jurisdiction. Each party irrevocably agrees that the courts of the Republic of Ireland shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with the Agreement or its subject matter or formation (including non-contractual disputes or claims).
16. DEFINITIONS AND INTERPRETATION
16.1 The following definitions apply for the purposes of the Agreement:
“Account Data” has the meaning given in clause 1(a).
“Agreement” has the meaning given in clause 4.
“Applicable Laws” means all applicable laws and regulations in the Republic of Ireland and other jurisdictions, including the local laws in any country in which you use the User Interface or obtain the benefit of the Services.
“Business Day” means a day other than a Saturday, Sunday or public holiday in Ireland.
“Confidential Information” means information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in accordance with clause 1.
“Controller” has the meaning given to such term in applicable Data Protection Legislation.
“Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and the Data Protection Act 2018, in each case as amended, extended or re-enacted from time to time and all subordinate legislation made thereunder from time to time.
“Data Subject” has the meaning given to such term in applicable Data Protection Legislation.
“Designated Payment Account” means a banking account which is accessible online and constitutes a payment account within the meaning of the PSRs 2018, for which you are the account holder and in respect of which you submit account details via the User Interface and/or the Identification Form.
“Effective Date” has the meaning given in clause 1.
“EULA” has the meaning given in clause 2.
“Financial Institution” means, in respect of each Designated Payment Account, the financial institution (such as a bank or e-money wallet provider) that operates that Designated Payment Account.
“Identification Form” means the online order form completed by you which you submit to us via the User Interface.
“Intellectual Property Rights” means patents, applications for patents, utility models, applications for utility models, domain names, trade marks or trading names (whether or not registered or unregistered rights, including rights to prevent passing off), rights in know-how (including trade secrets, technology, methods of manufacture, specifications and other information), designs (registered or unregistered and including applications for registered designs), database rights, rights to use and protect the confidentiality of confidential information, copyright (including rights in any design or computer software), topography rights and other rights in semi-conductor chips, rights in inventions, the right to claim damages for past infringements of any or all such rights and all rights having equivalent or similar effect wherever situated (whether or not the same are registered or capable of registration).
“Materials” means the User Interface (including its underlying software code) and any related documentation or user guides.
“Permitted Purposes” has the meaning given in clause 2.
“Personal Data” has the meaning given to such term in applicable Data Protection Legislation.
“Privacy Notice” has the meaning given in clause 4.
“Processor” has the meaning given to such term in applicable Data Protection Legislation.
“PSD2” means the DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
“Security Credentials” means any security or access information used by you to access a Designated Payment Account, including but not limited to username, access number, password, security questions and answers, or biometric information.
“Services” means (i) the services described in clause 1; and (ii) any other services we provide to you from time to time in connection with the User Interface.
“Term” means the duration of this Agreement.
“Third Party Service Provider” has the meaning given in clause 2.
“User Interface” has the meaning given in clause 1.
“Virus” means any program, routine, device or harmful code which (i) is designed to delete, disable, deactivate, provide unauthorised access to, interfere with or otherwise harm any software, program, data, device, system or service; (ii) is intended to provide unauthorised access or to produce unauthorised modifications; or (iii) causes data to be inaccessible, any part of the Service to become inoperable or otherwise incapable of being used in the full manner for which it is being provided.
16.2 Interpretation: References to clauses are to the clauses of this EULA. Clause headings shall not affect the interpretation of the Agreement. Words in the singular include the plural and in the plural include the singular. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns. Any reference to any statute, enactment, order, regulation or other similar instrument will be construed as a reference to the statute, enactment, order, regulation or instrument as amended or replaced by any subsequent statute, enactment, order, regulation or instrument or as contained in any subsequent re-enactment thereof. A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision. Any phrase introduced by the words “including”, “include”, “in particular”, “for example” or any similar expression shall be construed as illustrative only and shall not be construed as limiting the generality of any preceding words.
ACCOUNT ACCESS USER INTERFACE - PRIVACY NOTICE
CRIF Realtime Ireland Limited (“we”, “us”) respects your privacy and is committed to protecting your personal data. This privacy notice tells you how we look after your personal data when you use our Access to Account User Interface (the “User Interface”) and about your privacy rights and how the law protects you.
1. IMPORTANT INFORMATION AND WHO WE ARE
This privacy notice aims to give you information on how we collect and process your personal data through your use of the User Interface.
It is important that you read this privacy notice together with any other fair processing notice or privacy notice we may provide on specific occasions when we collect or process personal data about you, so you are fully aware how and why we are using your data. This privacy notice supplements such other notices and does not replace them.
For the purposes of data protection legislation, including the General Data Protection Regulation, we are the controller of your personal data. Our contact details are:
CRIF Realtime Ireland Ltd., Third Floor, Block D, Adelphi Plaza, George's Street, Dun Laoghaire, Co. Dublin support@crifrealtime.ie
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this notice, including any request to exercise any of your legal rights, please contact the data protection officer using the contact details below:
Postal Address: Unit C1, Nutgrove Office Park, Rathfarnham, Dublin D14 V5Y2, Ireland.
This version was last updated on June 2022. We may change this privacy notice from time to time and any changes will be posted on this page.
It is important that the personal data we hold about you is accurate and up-to-date. Please let us know if any of your personal data changes during your relationship with us.
The User Interface may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy policies. When you leave this page we recommend that you read the privacy notice of every website you visit and every plug-in or application you use.
2. THE DATA WE COLLECT ABOUT YOU
Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data including your first name, last name, username or other identifier, title;
- Contact data including, for example, your business registered address, billing address, email address, telephone numbers;
- Bank account data, being transaction and other account data from all your banking accounts which is accessible online and which is submitted to or retrieved by us via the User Interface where such data may identify you directly or indirectly. Within Bank account data there may be special categories of personal data as defined under GDPR sction 9 (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). For the processing of special categories of personal data, we will separately ask you for your explicit consent, unless one of the other exceptions listed under GDPR Article 9 paragraph 2 applies;
- Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access the User Interface, as recorded by our web server logs; and
- Usage data including information about how you use the User Interface, products and services.
We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered to be personal data in law as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature of the User Interface. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, the combined data is personal data and we deal with it in accordance with the applicable data protection laws, including obtaining your consent or providing you with advance notification, if necessary.
3. HOW YOUR PERSONAL DATA IS COLLECTED
We collect data from and about you in different ways, including by:
Direct interaction with you. You may give us identity, contact and/or financial data by filling in forms or by communicating with us by email or via the User Interface. This includes data you provide when you order our products or services or create an account, request marketing information, use interactive features on the User Interface or give us feedback.
Automated technologies. When you use the User Interface, our server logs may automatically collect technical data about your equipment.
Accessing your bank account data. When you use our service we will process your transaction and other account data.
4. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. Our most common uses of your personal data will be:
- in order for us to perform the End User Licence Agreement, collecting, processing and delivering your personal data to you directly, or indirectly via the third parties who you have selected to provide you with further services;
- if it is necessary to do so for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
- in order for us to comply with a legal or regulatory obligation.
We do not generally rely on your consent as a legal basis for processing your personal data except in relation to the processing of special categories of personal data, according to GDPR article 9. You have the right to withdraw your consent at any time by contacting us at the email or postal addresses provided above.
The table below sets out all the ways in which we use your personal data, which of the legal bases we rely on to do so and, where relevant, what the legitimate business interests are. We may process your personal data on the basis of more than one lawful ground depending on the specific purpose for which we are using your data.
Purpose/activity | Type of data | Lawful basis for processing |
To register you as a new user | IdentityContact | Performing the End User Licence Agreement with contractual consent |
To collect, process and deliver data relevant to your use of the service, either directly via our User Interface /website or indirectly via third parties who you have selected to provide service to you | IdentityContactBank account data | Performing the End User Licence Agreement with contractual consent |
To manage our commercial relationship with you | IdentityContactUsage | Our legitimate interests:(a) Managing payment, fees & charges(b) Collecting and recovering money due to us(c) Notifying you of changes in our termsComplying with our legal obligations |
To administer and protect our business especially the User Interface (including troubleshooting, data analysis, testing, system maintenance, support, reporting & hosting data) | IdentityContactTechnical | Our legitimate business interests (running our business, providing admin & IT services, network security, preventing fraud).Complying with our legal obligations |
To deliver services to Third Party Service Providers that you have selected under the User Interface to provide you with services related to your Account Data | IdentityContactTechnicalUsageBank account data | Performing the End User Licence Agreement |
To transfer your Bank Account Data, additional data, identity and contact data to a third party so that you can avail of relevant offers and services | IdentityContactBank account dataAdditional Data | Our legitimate interest in carrying out the data transfer at your request so that your company can avail of the offered services. |
Anonymising Bank Account data for statistical purposes and for sharing with third parties (for example lenders or professional service companies) for the assessment of your company’s eligibility for their offerings. | Bank account data | Consent |
To generate anonymous data derived from or based on the Data so that the results are no longer personally identifiable with respect to any individual and/or to generate synthetic data | Bank account data | When we anonymise your data we do so pursuant to a further processing in line with the original purpose for which the personal data was collected. We then use this anonymised data for our legitimate interests to:(a) providing, supporting and improving the Services(b) conducting analytical research, compiling statistical reports and performance tracking;(c) developing other services and products(d) (d) sharing such data with our affiliates, agents or third parties with whom we have a business relationship. |
5. COOKIES
We use the following categories of cookies:
- Strictly necessary cookies: These are cookies that are required for the operation of our User Interface. They include, for example, cookies that enable you to load webpages.
More information about the individual cookies we use and the purposes for which we use them is set out in the table below:
Cookie name
|
Category |
Description |
Expiry Period |
cgSessionId |
Strictly necessary cookies |
session cookie for session management |
20 minutes since the cookie is dropped or, if longer, for the time you use the User Interface |
JSESSIONID |
Strictly necessary cookies |
session cookie for session management |
|
cg-navigationId |
Strictly necessary cookies |
session cookie for the widget |
|
cgWidget-jwt |
Strictly necessary cookies |
session cookie for the widget |
You can set your browser to refuse some or all browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of our User Interface may become inaccessible or may not function properly.
6. DISCLOSURES OF YOUR PERSONAL DATA
We may share your personal data with the parties set out below for the purposes set out above:
- Internal third parties: other companies in our group who provide, inter alia, connector platforms that enable us to access your bank account, IT and system administration services, delivery services, and complaints handling services. The list of the data processors appointed by the Company is available upon request; and
- External third parties:
- the Third Party Service Providers to whom you have asked us to send the Account Data;
- service providers (acting as processors) who provide, inter alia, connector platforms that enable us to access your bank account, IT and system administration services, delivery services, and complaints handling services. The list of the data processors appointed by the Company is available upon request;
- third party so that you can avail of relevant offers and services;
- professional advisers, including lawyers, accountants, auditors, bankers, insurers, who provide legal, accountancy, audit, banking, insurance or consultancy, or other services to us;
- Regulators and other authorities who require us to report on processing activities in certain circumstances;
- fraud prevention agencies;
- other third parties: if we transfer any part of our business or assets to them or acquire any part of their business or assets, or otherwise merge any part of our and their businesses; in any of these cases, the new owners of our business may use your personal data in the same ways and for the same purposes as set out in this privacy notice.
Where any service provider acts as a data processor under Data Protection Legislation, they will be subject to a contract that is binding on the processor with regard to the controller (us) and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
7. INTERNATIONAL TRANSFERS
When and where your personal data may be transferred outside the EEA
Some of the third parties with whom we work may be based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of this data outside the EEA, if we were to use cloud-based platforms to store personal data, this may involve the use of geographically-distributed data centres including data centres outside the EEA.
How we protect your personal data outside the EEA
When you ask us to connect to a payment account held by a branch of a payment institution located in Italy, Germany, Poland, Austria, Czech Republic, Slovak Republic or Ireland we will not transfer your personal data to any country which is outside the EEA.
When you ask us to connect to a payment account held by a branch of a payment institution located in any other countries except the ones mentioned above mentioned in paragraph 7.4 [Belgium, Bulgaria Croatia, Cyprus, Denmark, Estonia, Finland, France, Greece, Hungary, Iceland, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Portugal, Romania, Slovenia, Spain, Sweden, Switzerland] your personal data may be processed by some of the third parties with whom we work, only for troubleshooting and debugging purposes, from outside the EEA as follows:
- in Canada and United Kingdom, pursuant to article 45 of the GDPR (on the basis of an adequacy decision);
- in Moldavia, pursuant to article 46 lett. C) of the GDPR (on the basis of standard data protection clauses adopted by the Commission).
8. DATA SECURITY
We have put in place appropriate security measures to protect your personal data from being accidentally or unlawfully destroyed, lost or altered or disclosed or accessed in an unauthorised way. For example, we limit access to this information to authorised employees and contractors who need to know that information in order to operate, develop or improve our User Interface. Please be aware that although we endeavour to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach if we are legally required to do so.
9. HOW LONG WILL YOU USE MY PERSONAL DATA FOR
We will only retain your personal data for as long as necessary to fulfil the purposes we collected and processed it for. Upon expiry of this period your personal data will be deleted.
- Bank account data, Technical data and Usage data will be retained for a period of maximum 30 days and, upon expiry of this period, they will be anonymized according to paragraph 4 or deleted;
- Identity data and Contact data will be retained for a period of maximum of 7 years or as long as required by Law.
10. YOUR LEGAL RIGHTS
As a result of us collecting and processing your personal data, you may have the following legal rights:
- to access personal data held about you;
- to request us to make any changes to your personal data if it is inaccurate or incomplete;
- to request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances;
- to receive your personal data provided to us as a controller in a structured, commonly used and machine-readable format where our processing of the data is carried out by automated means and is based on: (i) your consent; (ii) our necessity for performance of a contract to which you are a party; or (iii) steps taken at your request prior to entering into a contract with us;
- to object to, or restrict, our processing of your personal data in certain circumstances;
- if we use your personal data for direct marketing, you can ask us to stop and we will comply with your request;
- if we use your personal data on the basis of having a legitimate interest, you can object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection;
- to object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you; and
- to lodge a complaint with a data protection supervisory body, although we would welcome the prior opportunity to respond to any complaint.The supervisory authority in the Republic of Ireland is the Data Protection Commission – 21 Fitzwilliam Square South Dublin 2, D02 RD28, Ireland – who may be contacted at https://www.dataprotection.ie/
To exercise any of your rights set out above, including to withdraw your consent where we have stated we are processing your personal data based on your consent, please contact us using the contact details above.