PRIVACY POLICY

(updated on 14th April, 2020)

This privacy policy will explain howNordigenuses the personal data we collect fromYou once You register to use services available in Gateway and Analytics System (as defined in Terms)

1. INTRODUCTION

2. DEFINITIONS OF TERMS USED IN THIS PRIVACY POLICY

3.WHEN THIS POLICY APPLIES?

4. WHAT DATA DOES NORDIGEN COLLECT AND HOW DOES NORDIGEN COLLECT IT?

5. HOW WILL NORDIGEN USE YOUR DATA?

6.HOW AND FOR HOW LONG DOES NORDIGEN STORE YOUR DATA?

7. WHAT ARE YOUR DATA PROTECTION RIGHTS?

8. WHAT ARE COOKIES?

9.WHAT TYPES OF COOKIES NORDIGEN USES AND HOW DOES NORDIGEN USE THEM?

10.HOW TO MANAGE COOKIES?

11.THIRD PARTIES AND TRANSFER OF PERSONAL DATA

12.CHANGES TO OUR PRIVACY POLICY

13. HOW TO CONTACT US?

14. HOW TO CONTACT THE APPROPRIATE AUTHORITY?

INTRODUCTION

Gateway and Analytics System services are provided by SIA "Nordigen Solutions", a private limited liability company registered under the laws of the Republic of Latvia, company registry code 40103982535 (hereinafter referred to as Nordigen). Nordigen is committed to protect your personal data and to respect your privacy. By registering to use services in Gateway and Analytics System You agree to the data processing practices described in this Privacy Policy.

DEFINITIONS OF TERMS USED IN THIS PRIVACY POLICY

" Account Aggregators" means licensed account information service providers that perform account information services and aggregate data from financial institutions (Account Aggregation)

" Applicable data privacy laws" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR ) or any national or internationally binding data privacy laws or regulations that may be applicable at any time during the term of this Privacy Policy.

" Data Controller" means the natural or legal entity/entities whichdetermines the purposes and means of the processing of Personal Data;

"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s);

"Personal Data" means any information relating to an identified or identifiable natural person;

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

" Services" means bank account statement analysis, transaction categorisation, behaviour factor generation and other services available within the Gateway and Analytics System.

" Sub-processor" means a third party subcontractor engaged by the Data Processor which, as part of the subcontractor's role of delivering the services, will process Personal Data on behalf of the Data Controller.

" You" means Client as defined in Terms.

WHEN THIS POLICY APPLIES?

This Privacy Policy applies once You register to access Gateway and Analytics System and accept Terms.

This Privacy Policy does not apply to third party service integrations available within the Gateway and Analytics System like account aggregation. When requesting Account Aggregation services You will be asked for a consent to third party privacy policy which performs the Account Aggregation.

WHAT DATA DO*ES NORDIGENCOLLECTAND HOW DOES NORDIGEN COLLECT IT?*

Nordigen only collects information You voluntarily provide us with.

When You register an account - we collect only mandatory account data:

  • Email address

Nordigen might also ask you to provide some optional data:

  • First name
  • Last name
  • Phone number
  • Company name
  • Address
  • City
  • Country
  • Postal Code

When You use Services available on Gateway and Analytics System, upload transaction data or import transaction data via Account Aggregators, we receive and process Your financial account details including but not limited to:

  • name
  • personal identity number
  • bank account number
  • bank account records (transaction date, amount and/or payment recipient/sender, transaction details)
  • information on loans and their repayment status
  • information on other financial products.

To support Account Aggregation Nordigen provides You access to licensed Account Information Services Providers (Account Aggregators) within the Gateway and Analytics system. Nordigen has engaged and the following Account Aggregators are available in Gateway and Analytics system:

Tink AB , company registration number 556898-2192, with office address Vasagatan 11, 111 20 Stockholm, Sweden.

KONTOMATIK UAB with its registered office in Vilnius at Upės 23, LT-08128 Vilnius, Lithuania, holding a legal entity identifier: 304852516, VAT number: LT100011837810, a payment institution providing only the account information service, supervised by the Bank of Lithuania;

KONTOMATIK Sp. z o.o. with its registered office in Warsaw at Prosta 51, 00-838 Warsaw, Poland, registered in the Business Register of the National Court Register kept by the District Court for the capital city of Warsaw, 12th Commercial Division of the National Court Register under number KRS 0000338706, holding Tax Identification Number (NIP): 5213542911, Statistical Number (REGON): 142043500.

When You use Account Aggregation services, these services will be provided according to respective Account Aggregators privacy policy.

HOW WILLNORDIGENUSE YOUR DATA?

Nordigen collects Your data to provide You Services pursuant to Terms(to fulfill contract between Nordigen and You), specifically:

  • to provide transaction categorisation, behaviour identification and insights generation services;
  • to carry out support (including customer support), maintenance and other operational services as well as in order to derive statistical models for future data enrichment purposes;
  • to improve the performanceand accuracy of Gateway and Analytics System;
  • to transfer account information from Account Aggregators after Account Aggregation which includes the transfer and normalization of financial datafor consistent storage and display purposes, enrichment (categorisation), statistics calculation and insights generation, changing data formats;
  • improve Your experience while using Gateway and Analytics System and Services available within the Gateway and Analytics System;

Nordigen also will use Your e-mail and contact information to provide You relevant information regarding Services and personalized offers. If You do not want Nordigen to process Your personal data for direct marketing, You may notify Nordigen thereof in writing. Contact details for such notifications to Nordigen are provided in section "How To Contact Us?".

HOW AND FOR HOW LONG DOES NORDIGEN STORE YOUR DATA?

All personal data in electronic format (e-mail address, Your account data, etc) are stored and processed on cloud based servers. For cloud computing, data storage and service hosting services Nordigen has engaged a sub-processor - Amazon Web Services EMEA SARL, registered address 5 rue Plaetis, L-2338, Luxembourg, with data centres located in Dublin, Ireland (European Union).

Nordigen only keeps Your personal data for the time necessary to fulfil the purpose of collection or further processing, namely providing the required Services. You can request to delete Your account and the personal data You have provided to Nordigen if you wish to, by sending an e-mail to: info@nordigen.com.Upon expiry of the Terms and this Privacy Policy, Nordigen shall delete all personal data.In case of inactivity for more than three years Nordigen may delete Your account at its sole discretion.

In order to protect Your personal data, Nordigen has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons under confidentiality agreements with a legitimate need to process personal data for the processing purposes stated in this policy.

WHAT ARE YOUR DATA PROTECTION RIGHTS?

Nordigen would like to make sure You are fully aware of Your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Nordigen for copies of Your personal data.

The right to rectification – You have the right to request that Nordigen correct any information You believe is inaccurate. You also have the right to request Nordigen to complete information You believe is incomplete.

The right to erasure – You have the right to request that Nordigen erase Your personal data.

The right to restrict processing – You have the right to request that Nordigen restrict the processing of Your personal data.

The right to data portability – You have the right to request that Nordigen transfer the data that Nordigen has collected to another organization or directly to You.

If You make a request, Nordigen will answer You within one month. If You would like to exercise any of these rights, please contact us at our email: info@nordigen.com.

In case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, Nordigen is entitled to charge an administrative fee. In such cases You will be notified thereof beforehand.

WHAT ARE COOKIES?

Cookies are text files placed on Your computer to collect standard internet log information and visitor behaviour information. When you visit Gateway and Analytics system, Nordigen may collect information from You automatically through cookies or similar tracking technology (pixels, etc.). Cookies can enable Nordigen to track and target the interests of our users to enhance the experience on Gateway and Analytics system.

WHAT TYPES OF COOKIES NORDIGEN USES AND HOW DOES NORDIGEN USE THEM?

Nordigen uses different types of cookies and similar technology in a range of ways, including but not limited to:

Essential:

  • For Gateway and Analytics system and Services to function properly;

Preferences:

  • To remember Your settings and preferences, such as language and location;

Analytics:

  • To better understand how You interact with Gateway and Analytics system and Services so that Nordigen can improve them;
  • To determine if You have interacted with certain content or features;

Advertising:

  • To display advertisements and make them more relevant to You and to track efficiency of any advertising campaigns;

Usage of cookies is no way linked to any personally identifiable information in Gateway and Analytics system. The cookies and other similar technologies Nordigen use may be operated by Nordigen itself or by third parties.

HOW TO MANAGE COOKIES?

You may also choose whether to accept Cookies. If You do not agree to the use of cookies, You may configure Your web browser not to accept cookies. However, Cookies can be an important part of Nordigen services and Your experience using Gateway and Analytics system. If You remove or reject Cookies, this could affect the availability and functionality of Gateway and Analytics system.Although most browsers and devices accept cookies by default, You can manage settings to remove or reject browser cookies manually within your browser's configuration settings.

THIRD PARTIES AND TRANSFER OF PERSONAL DATA

Your personal data may be disclosed if it is required by the Applicable data privacy laws or competent authority in order to fulfill Nordigen's legal obligations.

Nordigen may also provide personal data to companies that process personal data on behalf of Nordigen such as marketing service providers. Nordigen will be responsible for the correct processing of Your personal data.

Your personal data may be transferred or stored in countries outside of the European Economic Area / European Union, if legal grounds for such transfer exist and there is an adequate level of protection. Nordigen and its data processors shall enter into a binding agreement based on the applicable EU model clauses (Commission Decision on standard contractual clauses for the transfer of Data to third countries). Adherence to "the Privacy Shield Framework", adopted by the European Commission on 12 July 2016, form an alternative to the EU model clauses for the Data Processors located in the U.S. By registering to access Gateway and Analytics System You agree that personal data may be transferred and stored outside of the EU/EEA according to the above.

CHANGES TO OUR PRIVACY POLICY

Nordigen keeps this privacy policy under regular review and places any updates on this web page. Nordigen will inform You about any upcoming changes to this privacy policy. Nordigen has the right to change this privacy policy solely at any time. You will be asked to accept any changes made to this privacy policy. If You do not accept the changed privacy policy Nordigen has the right to terminate the contract (Terms) with You and close Your account.

HOW TO CONTACT US?

If You have any questions about this privacy policy, the data Nordigen holds on You, or You would like to exercise one of Your data protection rights, please do not hesitate to contact us.

E-mail: info@nordigen.com

Address: Gustava Zemgala gatve 74, Riga, Latvia, LV-1039

HOW TO CONTACT THE APPROPRIATE AUTHORITY?

Should You wish to report a complaint or if You feel that Nordigen has not addressed Your concern in a satisfactory manner, You may contact the Data State Inspectorate of the Republic of Latvia.

E-mail: info@dvi.gov.lv

Phone: +371 67223131