Delegated Account Information Services: Privacy and Cookies Notice (UK)
Dated: 6-Oct-2023
Salt Edge Limited ("we", "us", "our") collects, stores, uses and shares your personal data in connection with the provision to you of Account Information Services (the "Services") via Your App Provider under the Terms of Delegated Account Information Services (the "Terms"). In relation to such processing we are subject to the data protection laws and regulations of the United Kingdom. We take your privacy very seriously. In this Privacy and Cookies Notice (the "privacy notice") we describe our personal data processing activities and practices relating to the provision of the Services and explain your rights in relation to your personal data and how to contact us or the Information Commissioner if you have questions or complaints concerning the processing of your personal data. We also inform you of the cookies we use in connection with the provision of the Services in a separate section 'Cookies' below. Please read this privacy notice carefully and refer to the Terms for a better understanding of the Services and for any key terms that we do not explicitly define here.
Key terms
It would be helpful to start by explaining some key terms used in this privacy notice in relation to personal data:
| controller | a person, who, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Data Protection Laws | a country's laws, statutes, regulations and rulings with respect to the privacy, protection, processing, collection, use and disclosure of personal data, as amended, consolidated or replaced from time to time, as these may be applicable to the processing of personal data under the Terms. |
| data subject | an identified or identifiable individual. |
| Payment Account Data | Information made available from Your Account Provider relating to your payment account(s) that we access and retrieve from your payment account(s) to provide the Services, as described in the Terms. Payment Account Data may include without limitation payment account details (account name, number, balance, currency, etc.), payment transactions details (transaction amount, currency, date, description, etc.), account holder details (name, address, email, phone number, birth date), and features and benefits of your payment account(s). |
| personal data | any information relating to an identified or identifiable individual. |
| processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| processor | a person who processes personal data on behalf of a controller. |
| production systems | our programs, software and servers, by which we ensure the provision of the Services. |
| UK Data Protection Laws | the Data Protection Laws of the United Kingdom, which currently consist mainly of the Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"). |
What personal data we collect about you
In connection with the provision of the Services, we will generate or collect, and process the following personal data about you:
- Personal data contained in your Payment Account Data, which we collect via our production systems when we access your payment account as described in the Terms. Such personal data may consist of, without limitation, payment account details (account name or number), payment transactions details (transaction description etc.), account holder details (name, address, email, phone number, social security number, birth date, etc.). This personal data is collected from Your Account Provider.
- Your payment account number or IBAN, if required by Your Account Provider to allow access to your payment accounts as described in the Terms ("Account Information"). We collect Account Information via our production systems either directly from you or from Your App Provider.
- Identifiers (unique alphanumeric sequences) attributed in your respect in our or Your App Provider's IT systems ("IT identifiers"). We either generate IT identifiers ourselves or receive IT Identifiers from Your App Provider.
- Personal data contained in the technical information about the use of our systems in connection with the Services ("Session Information"). The Session Information we collect relates, generally to (i) the time of day when you access our systems and use their services, (ii) which components of our systems you access or use, (iii) actions you make when interacting with our systems and the outcome of these actions (such as errors), and (iv) your browser type and version, operating system and version, user agent, device type and model, and internet protocol ("IP") address. We collect Session Information automatically when you use the Services.
- Identification and contact data (such as, without limitation, name, job title, address, email address, phone number), which we may collect from Your App Provider or from you directly, when you make requests or complaints in connection with the Services or the processing of your personal data ("Inquiry-related data").
We collect and use this personal data for the purposes described in section 'How and why we use your personal data' below. We do not necessarily always collect and process all the above categories of personal data. Some of this data we collect and process only if required in the circumstances of our interaction with you.
We would like you to know that there is no statutory or contractual requirement or obligation that you provide any personal data to us. Nevertheless, if you do not provide personal data we require, it may delay or prevent us from providing the Services to you and/or addressing your enquiries, requests, and complaints.
How and why we use your personal data
Under the UK Data Protection Laws, we can only process your personal data if we have a lawful basis, a proper reason for processing, which may be that:
- you have given consent for such processing for some specific purposes;
- we need to comply with legal and regulatory obligations;
- we require such processing to perform a contract with you; or
- we pursue our own legitimate interests or those of a third party. We may process your personal data based on legitimate interests whether we have a compelling justification for that or even when you should reasonably expect such processing to take place. In any case we can rely on legitimate interests as long as they are not overridden by your own rights and interests and to ensure this, we carry out an assessment to balance our interests against your own.
The table below explains in detail what we use your personal data for and why:
| Personal data we process | Processing operations we perform | Purposes of processing | Lawful basis for processing |
| Personal data that is part of Payment Account Data | - copying from payment account; - storage in our production systems; - normalising, cleaning and enrichment (categorization of transactions; identification of merchants) and similar operations on the data; - sharing data with Your App Provider; - consulting the data; - deletion | - to provide the Services; - to enable Your Account Provider to provide the Services and related support to you; - to troubleshoot, investigate and fix service-related errors, to provide support to Your App Provider. | Performance of contract with you under the Terms. Our legitimate interest to ensure that our contractual arrangements with Your App Provider are complied with. |
| - short-term storage of data copy in backup files - extraction from backup files in the case of a recovery event - deletion | - to ensure recovery of data lost during disruptions, outages and disasters - to ensure the continuous and non-disruptive provision of the Services | Compliance with our legal obligations to ensure continuity of our services and to ensure the integrity of personal data processed Our legitimate interest to ensure continuity and availability of our services, including in accordance with our contractual obligations | |
| Account Information | - collecting from you or Your App Provider; - storage in our production systems - providing to Your Account Provider; - deletion | - to provide the Services | Performance of contract with you under the Terms. |
| IT identifiers and Session Information (see section 'What personal data we collect about you' above) | - collecting IT Identifiers from Your App Provider or automatic generation of IT Identifiers in our systems - automatic collection of Session Information by our systems during your use of the Services - storage in our production systems and consulting upon need - deletion from production systems | - to ensure precise and adequate separation and structuring of records relating to you and your payment accounts in our systems, including for the purpose of sharing Payment Account Data with Your App Provider; - to provide the Services; - to improve the Services and user experience; - to enable identification to address your enquiries, complaints and data subject requests; - to keep count of the usage of our systems by Your App Provider under our business arrangements with them; - to compile statutory reports on our activity - to prevent and detect unauthorised access and fraudulent activity; - to protect security of our systems and data; - to assess and manage operational and security risks relating to the Services; - to monitor and report operational and security incidents regarding the Services. | Performance of contract with you under the Terms. Compliance with our legal obligations: - to prevent personal data breaches; - to provide statutory reports on our activity to regulators; - to facilitate supervision by competent authorities; - to prevent, detect, report and minimise fraud incidents; - to ensure due management of operational and security risks and to demonstrate compliance with statutory requirements. - to ensure the security of the Services. Our legitimate interests: - to ensure that we keep due track of the use of our systems and services; - to ensure that we adequately perform our obligations towards Your App Provider; - to ensure that we are billing and getting paid for our products and services; - to prevent and detect damaging and prejudicial activity; - to ensure that we carry out a customer-friendly business; - to ensure that we adequately maintain the Services at adequate standards of service provision and improve them overtime |
| - storage in logs - restricted need-based accessing and consultation - deletion from logs | - to maintain records of actions and services conducted in our systems; - to investigate illegal activity in connection with the Services; - to address and resolve complaints received from you - to enforce legal rights or defend or undertake legal proceedings in relation to the Services provided | Compliance with our legal obligations to keep records of our regulated services. Our legitimate interest: - to ensure that we provide high-efficiency products and services and operate at high industry and security standards - to ensure that we carry out a customer-friendly business and that complaints and other requests are adequately addressed - to protect our business, interests and rights against unfunded claims or breaches of our legal or contractual rights. | |
| Inquiry-related data (see section 'What personal data we collect about you' above) | - collecting - using to address your enquiries, requests and complaints - sending related communications and responses | - to properly handle enquiries, complaints and requests (including data subject requests) submitted to us or in our respect | Compliance with our legal obligations to respond to complaints and data subject requests. Our legitimate interest to ensure that we carry out a customer-friendly business and that complaints and other requests are adequately addressed. |
| - storage in our internal systems | - to demonstrate compliance with the applicable legal provisions regarding addressing complaints and data subject requests - to enforce legal rights or defend or undertake legal proceedings in relation to the Services provided | Our legitimate interest to demonstrate compliance with our legal obligations and protect our business against unfunded claims and allegations. |
No automated decision-making. Anonymization.
We do not engage in automated decision-making in your respect as a result of processing your personal data in accordance with the Terms and this privacy notice.
While we process personal data in accordance with the purposes and legal bases described above in section 'How and why we use your personal data', we may, at any time, render any such data anonymous by ensuring that you can no longer be identified from such data, and further combine such anonymized data with similar anonymous data collected or derived from the use of our services by other users. We may use the anonymized data for various business purposes, including, but not limited to: providing, maintaining, supporting and improving the Services; conducting analytical research, compiling statistical reports and performance tracking; developing and/or improving other services and products. In connection with this, we can share the anonymized data with members of our group and our subcontractors. Our legal basis for the anonymization operations resides in our legitimate interest to deliver the best services, increase efficiency and realise or grow the value in our business and assets. Anonymized data is not itself personal data, and consequently the provisions in this privacy notice are not applicable to it. For the avoidance of doubt, we will not sell anonymized data.
Special categories of personal data
The UK Data Protection Laws establish special rules for the processing of special categories of personal data, which include: personal data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data and biometric data processed for the purpose of uniquely identifying an individual; data concerning an individual's health, sex life or sexual orientation.
We do not require to process special categories of personal data in order to provide the Services to you and we do not deliberately solicit, access, collect or process any such data. Special categories of personal data may be occasionally and incidentally contained in the Payment Account Data that we retrieve from your payment accounts. Insofar as this may happen, please be assured that we do not analyse, filter, map, or perform any other processing to identify or single out special categories of personal data. You are requested at all times to refrain from voluntarily providing to us any special categories of personal data by any means of communication, unless we expressly request you to provide such data.
Where and how long do we keep your personal data
We store your personal data processed for the purpose of providing the Services on our own and third-party servers located in the European Economic Area ("EEA"). We take all adequate measures to ensure that your personal data is at all times treated securely and in accordance with this privacy notice.
We will not keep your personal data for longer than we need it for the purposes described above in section 'How and why we use your personal data'. The retention period will depend on the requirements of the laws or regulations that apply to us, as well as on the legal bases and the purposes of the collection and processing of personal data.
We will delete your Payment Account Data and Account Information from our production systems:
- in their entirety, when our agreement with you for the provision of the Services is terminated in accordance with the Terms or when you validly exercise your right to be forgotten under the applicable Data Protection Laws. As a result of the deletion, your Payment Account Data, Account Information and connections to payment accounts associated with your use of the Services will be deleted and excised permanently from our production systems. Further use of the Services by you will be impossible.
- in the part relating to a specific connection to your payment account(s), when (i) such connection is deleted either by you or by Your App Provider, or (ii) automatically, if no data refreshes were requested by you or Your App Provider for more than nine months. As a result of the deletion, this specific connection to your payment accounts and your Payment Account Data and Account Information associated with it will be deleted and excised permanently from our production systems. Further use of the Services by you via such connection will be impossible.
We will delete from our production systems the IT Identifiers associated with any particular connection(s) to your payment accounts within six (6) months after the deletion of the relevant connection(s).
Regardless of the above, we will retain your personal data or portions thereof contained in the Payment Account Data and Account Information, as well as relevant IT Identifiers and your IP address in backup files on our backup servers for a period of up to one (1) month from the date of deletion from our production systems, in accordance with general internal retention procedures.
We will retain some of your IT Identifiers and Session Information in log files as explained in more detail in the section 'How and why we use your personal data' above. We archive such data into log files each month and the retention period for data in log files is five (5) years from the date of their archiving or such longer period as required by the applicable laws and regulations.
Backups and archived log files containing personal data are stored on servers separate from our production servers, using strong asymmetric encryption. The files are not actively processed and are not accessible to personnel in the ordinary course of business operations. All personal data retained in backup files and log files will be automatically deleted after the retention period has elapsed and until such deletion will be treated in accordance with the terms of this privacy notice.
We will retain your Inquiry-related data (please see section 'How and why we use your personal data' above) in our internal systems for a period of at least six (6) years from the date of submission or receipt, as applicable, of the last of the replies in the communication thread to resolve the respective enquiry, request or complaint.
Recipients of your personal data
We routinely share personal data with:
- Your App Provider. Mainly, we share with them your Payment Account Data and IT Identifiers in order to ensure that the Services are provided to you in Your App. It is Your App Provider that ultimately makes sure that you can view the information regarding your payment accounts in Your App. We may also share with Your App Provider Inquiry-related data you provide to us when you send us enquiries, requests and complaints, as may be needed to duly resolve them.
You should be able to determine who Your App Provider is and their relevant details by checking the terms and conditions on which Your App is provided to you. Additionally, you can check Your App Provider's details by checking the heading “Who is this firm connected to?” in our record in FCA's Financial Service Register.
Following the sharing of your Payment Account Data with Your App Provider for them to provide you with the Services in Your App, Your App Provider becomes controller in respect of their processing of your personal data shared with them, and are responsible to comply with their obligations as controller under the applicable Data Protection Laws. For certain processing activities related to the provision of the Services we and Your App Provider act as joint controllers. You can find out more information on how we jointly use your personal data in the section 'Joint controllers' below. - Your Account Provider. Occasionally, we may be required by Your Account Provider to disclose to them particulars of your payment account(s), such as account number or IBAN, before you are redirected to them for authentication in order provide to us access to your payment account. Note that Your Account Provider is the original source of such personal data.
- Salt Edge Inc., who is our parent company and, as a subcontractor and data processor, provides us with the technology, facilities and personnel required to provide the Services to you. Salt Edge Inc. is a Canadian corporation with its registered office at 150 Elgin Street, Floor 10, Ottawa, ON, K2P 1L4, Canada, registered under number 874389-4. The sharing of your personal data with Salt Edge Inc. takes place mainly as automatic collection and processing of your personal data on servers located within the European Economic Area, where we host our software solutions that enable us to provide the Services.
We may occasionally also share your personal data:
- with regulatory bodies, competent authorities, courts, tribunals and law enforcement agencies, to comply with our legal and regulatory obligations or with any subpoena, enforceable request or other legal process.
- with third parties, such as Your App Providers, Your Account Providers, professional advisers (such as lawyers), law enforcement agencies, courts, tribunals, and regulatory authorities, to investigate any potential violations of the Terms, or of applicable laws, and/or to enforce our legal rights or to undertake or defend legal proceedings.
- with members of our group or third parties that have or may acquire control or ownership of our business (and with our or their professional advisers), if necessary in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. Any such recipient of any of your personal data will be bound by appropriate confidentiality obligations. Our legal basis for such transmission resides in the need to comply with applicable legal and regulatory obligations as well as our legitimate interests to protect, realise and grow the value of our business and assets.
If you would like more information about who we share your data with and why, please contact us (see 'How to contact us' below).
Transferring your personal data out of the UK
We have informed you of the location of storage of your personal data in section 'Where and how long do we keep your personal data' above and of routine recipients of your personal data in connection with the Services in section 'Recipients of your personal data' above.
As we and Your App Provider are based in the United Kingdom, while our software solutions that enable us to provide you with the Services are hosted on servers in the EEA, we envisage that your personal data will be routinely transferred between the UK and the EEA.
The UK, the EEA countries, and other countries outside the UK and EEA have differing Data Protection Laws, some of which may provide lower levels of privacy protection. Under the UK Data Protection Laws, we rely on adequacy regulations for transfers of your personal data from the UK to the EEA, whereby the UK government has decided that the countries of the EEA ensure an adequate level of protection of personal data (known as 'adequacy regulations') further to Article 45 of the UK GDPR. A list of countries currently covered by UK adequacy regulations is available here.
Depending on the way Your App Provider operates Your App, in order for you to be able to receive the Services in Your App, Your App Provider may retrieve your Payment Account Data to countries outside the UK and the EEA. We expect that, as controller, Your App Provider duly informed you of the locations where they keep and process your personal data as part of providing Your App to you. Please refer to Your App Provider for more detailed information in this respect.
Occasionally, to ensure troubleshooting, debugging, support, error-fixing of the Services or addressing your requests, inquiries and complaints, your personal data may be remotely accessed, viewed and used by the authorised personnel of our subcontractor, Salt Edge Inc., who may be located in third countries in relation to the United Kingdom and the EEA. In particular, it is expected that such remote access and viewing may be conducted by personnel located in the Republic of Moldova.
In cases we have to resort to transfers of your personal data to countries, we will do so in compliance with the requirements of the UK Data Protection Laws designed to ensure the privacy of your personal data. Under the UK Data Protection Laws, we can only transfer your personal data to other countries, where there is an adequacy regulation in respect of such country or where we ensure that there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you as a data subject. Should we resort to such a transfer, we will do so on the basis of an adequacy regulation or (where it is not available) on the basis of legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR.
As there is adequacy regulation in respect of the Republic of Moldova, we have taken appropriate safeguards under the UK Data Protection Laws to ensure that Salt Edge Inc. treats any of your personal data they may remotely access from outside the UK securely and in accordance with this privacy notice at all times.
If you would like further information about whether there your personal data may be subject to transfers outside the UK/EEA and the safeguards we put in place in connection with such transfers, please contact us (see section 'How to contact us' below).
Keeping your personal data secure
We are committed to maintaining the confidentiality, integrity and security of your personal data. We employ advanced security techniques to safeguard personal data against accidental loss, unauthorized access, use and/or disclosure. We rigorously limit access to personal data to those who have a genuine need to access it and our databases are both physically and logically protected from general employee access. We carefully select the individuals privileged with access to personal data in accordance with our internal security policies and practices, and each such individual is bound by confidentiality obligations. We enforce physical controls on our premises. Security personnel monitor our systems 24/7. Access to our systems requires multiple levels of authentication. To maintain the security of online sessions and protect our systems from unauthorized access, we use, among others, a combination of firewall barriers, encryption techniques and authentication procedures. We test our systems for any failure points that might allow hacking. We are routinely verified for our use of encryption technologies and audited for our privacy practices. We regularly review our privacy and security practices and adapt them as necessary to deal with new regulatory requirements, changes in legislation and/or security standards.
We ensure that we apply adequate contractual (including data protection, confidentiality, and security provisions) and other technical and organisational measures with subcontractors that we may engage from time to time in connection with the provision, operation, security and/or maintenance of the Services. We will restrict access, disclosure and/or transfer of personal data to subcontractors to what is strictly necessary for the performance of their contractual obligations towards us and will ensure that each subcontractor complies with the provisions in this privacy notice.
Although we take appropriate measures to ensure that your personal data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information may be intercepted. Therefore, we cannot guarantee the security of personal data that you choose to voluntarily send to us via electronic means. We expressly disclaim all liability for any interception or interruption of any Internet transmissions sent by you or any resulting losses of, or changes, to data, including personal data.
Your rights
Under the UK Data Protection Laws, you have the following rights, which you can exercise free of charge:
| Right of access | You have the right to obtain: (i) confirmation as to whether or not we process your personal data, (ii) access to such personal data and (iii) fair information on its processing by us, such as the purposes of processing and recipients or categories of recipients of your personal data, transfers to recipients in third countries or international organisations, and the appropriate safeguards relating to such transfers. |
| Right of rectification | You have the right to require us to correct any mistakes or gaps in your personal data that we process. |
| Right of erasure (also known as "the right to be forgotten") | You can require us to delete your personal data—in certain situations: such as when there is no compelling need for us to further process your personal data or where you withdraw your consent (if consent was the legal basis for our processing). |
| Right to restriction of processing | You can demand from us to restrict the processing of your personal data in certain situations: such as when you contest the accuracy of the data or where you object against the processing and await for us to verify whether we have overriding legitimate interests to continue to process your data. In such cases, our processing of your personal data will be restricted to storage, processing for the establishment, exercise or defence of legal claims, for reasons of important public interest and for the protection of the rights of another person. |
| Right to data portability | Where you have provided to us your personal data and our processing of such data is based on your consent, you may request us to provide you with a copy of such personal data, in a structured, commonly used and machine-readable format, and/or to transmit that data to a third party, if this is technically feasible. |
| Right to object | You have the right to require us to stop processing your personal data: — if the processing is carried out for direct marketing purposes (including profiling); —if the processing is based on our legitimate interests and we do not demonstrate that we have compelling legitimate grounds for the processing to continue, which override your rights and interests, or that the processing is required for the establishment, exercise or defence of legal claims. |
| Right not to be subject to automated individual decision-making | You have the right to demand that you are not subject to decisions that legally or otherwise significantly affect you, and which are based solely on automated processing of your personal data (without human involvement). Such automated processing may consist of profiling, which aims to evaluate, analyse or predict certain personal aspects in your respect. |
| Right to withdraw consent | If our processing of your personal data was based on your consent, you can withdraw that consent at any time. Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance of that consent before it was withdrawn. |
For more information on each of your rights described above, including the circumstances in which they apply, please contact us (see 'How to contact us' below) or see Guidance from the UK Information Commissioner's Office (ICO) on individuals' rights.
If you would like to exercise any of those rights, please:
- email, call or write to us—see below: 'How to contact us'; and
- let us know what right you want to exercise and the information to which your request relates; and
- provide information which you reasonably consider enough to identify yourself.
We do not need to directly identify you to provide the Services to you and have set our processes to collect as few personal data about you as possible. We organise records in your respect based on IT Identifiers (rather than on data that directly identifies you, such as your name, email address or any identification number assigned to you by institutions). As a result we are not able to readily identify you in order to handle any of your inquiries, complaints or requests to exercise your data subject rights. To address such inquiries, complaints and requests we may need that you provide us with additional identification information and/or may request such information from Your App Provider. It may be easier for you to address your queries and requests directly to Your App Provider, in accordance with the joint controllers arrangement we have described in section 'Joint controllers' below. This does not prevent you from submitting such complaints and requests directly to us and we will do our best to resolve them and ensure that your rights are complied with.
Joint controllers
Following the sharing of your Payment Account Data and IT Identifiers with Your App Provider for them to provide you with the Services in Your App, Your App Provider acts as controller for the processing of your personal data so shared. Your App Provider is thus solely responsible for complying with their obligations as controller as set forth in the applicable Data Protection Laws, including without limitation with respect to the processing, confidentiality and security of your personal data. We will not be responsible for any subsequent processing carried out by Your App Provider. We are only responsible for the sharing of your personal data with Your App Provider and ensuring that it is shared securely and with the intended recipient.
Nevertheless, we work so close with Your App Provider to provide the Services in Your App, that in respect of the related processing of your personal data we and Your App Provider act as joint controllers by virtue of jointly determining the purposes of such processing.
As part of our joint controllers arrangement, we and Your App Provider have agreed on who is responsible for which obligations under the UK Data Protection Laws and who will fulfil which obligations in respect of your rights under articles 15-22 of UK GDPR (see section 'Your rights' above). You can find in the below table more information on the categories of your personal data which we and Your App Provider process as joint controllers:
| Category of personal data | Processing by Your App Provider | Processing by us | Joint purpose of processing |
| IT Identifier in Your App Provider's systems (see section 'What personal data we collect about you' above) | Assigning the IT Identifier to you and transmitting it to us | Associating the received IT Identifier with our own IT Identifier for your records in our systems. Storage and use to request your further identification as needed. | Provision of the Services to you. Handling and resolution of your enquiries, complaints and requests. |
| IT Identifiers assigned in our systems (see section 'What personal data we collect about you' above) | Collection from us, storage and use to request and manage connections to your payment accounts and ensure due separation of your Payment Account Data from that of the other users. | Generation, storage and use of IT Identifier to keep separate records of your data processed in connection with the provision the Services. | The provision of the Services to you. Ensuring billing of services agreed between us and Your App Provider to achieve the provision of Services in Your App. Ensuring that the provision of the Services is in compliance with the applicable regulations. |
| Personal data that is part of Payment Account Data (see section 'What personal data we collect about you' above) | Collection from Salt Edge systems; storage and display to you in Your App. | Collection by retrieval from your payment account; storage and processing enabling Your App Provider to retrieve such data into their systems. | The provision of the Services to you. |
| Inquiry-related data (see section 'What personal data we collect about you' above) | Collection from you, storage and use for the declared purposes; provision to Salt Edge upon request | Collection from you or Your App Provider, as applicable, storage and use for the declared purposes | Addressing enquiries, complaints and requests related to the provision of the Services and making mandatory notifications of personal data breaches relating to the Services. Ensuring your identification as required for the above purpose. |
For a better understanding of our processing of your personal data specified in the above table please check additionally sections 'What personal data we collect about you' and 'How and why we use your personal data' above.
For the processing of your personal data for joint purposes, we and Your App Provider have assigned between us the responsibilities for compliance with data protection obligations as follows:
| Data Protection Responsibility | Responsible Controller |
| Information obligations (art. 13 and 14 of UK GDPR) | Each of us and Your App Provider |
| Ensuring appropriate technical and organisational measures to protect your personal data (art. 32 UK GDPR) | Each of us and Your App Provider, according to the processing activities conducted |
| Notification of personal data breaches (art. 34 UK GDPR) | Your App Provider |
| Addressing your requests to exercise your rights under applicable Data Protection Laws (see section 'Your rights' above) (art. 15 to 22 UK GDPR) | Your App Provider |
Your App Provider is accordingly designated as a single contact point for data subjects in respect of matters relating to the processing of personal data processed by us and Your App Providers as joint controllers. You should be able to find their contact data in the terms of service and privacy notice under which they provide you with Your App. Additionally, you can check Your App Provider's details by checking the heading “Who is this firm connected to?” in our record in FCA's Financial Service Register.
Notwithstanding the joint controller arrangement described above, we and Your App Provider are separately and independently responsible for the processing by each of us of your personal data. You can always address your requests to exercise your rights relating to personal data directly to us as set forth in section 'Your rights' above.
A cookie is a small data file placed on a browser or device (such as computer or mobile phone) when it is used to access a service. Cookies or similar technologies may be used for many purposes, including without limitation remembering you and your preferences and tracking your access and use of information technology services. Cookies work by assigning a number to users that has no meaning outside of the assigning website or application.
We use session cookies and persistent cookies when you use the Services. These types of cookies are essential to their provision. We use them for technical purposes such as verifying the origin of requests to our systems and distinguishing you among other users of the Services during such use. The session cookies are stored in temporary memory and are not retained after you close the browser. Session cookies do not collect information from your computer. They are used to identify the session during which you interact with our systems only for the duration of that session. The persistent cookies are set with an expiration date and are stored on your hard drive until they expire, or you delete them. The persistent cookies we use expire within an hour from the last time you access our systems in any given session of interaction. We use these cookies to remember for a short while your preferences in terms of device theme settings (light/dark) and a presumably more convenient language of the interface; as well as to remember Your App Provider who redirected you to our systems, to ensure that you are redirected back to them when you finish your interaction with us. We do not collect any personal data in our cookies. The cookies we use do not identify you as an individual. All the cookies we use are first-party cookies. We do not use third-party cookies to provide the Services, nor do we use analytical or advertising cookies or social media plugins.
You can disable or control cookies by setting a preference within your web browser or on your device. Thus, if you do not wish that cookies are used in your respect, you can restrict or limit the use of cookies at the individual browser or device level. However, since the cookies we use are necessary for the provision of the Services to you, if you choose to disable cookies some features of the Services may not function properly or we might not be able to provide the Services to you at all. For detailed guidance on how to control, manage and delete cookies, you are advised to visit https://www.aboutcookies.org/.
Changes to this privacy notice
This privacy notice was published on Dated: 6-Oct-2023.
We may change this privacy notice from time to time. When we do so, we will post an appropriate update notice at the top of this privacy notice page. You are advised to print a copy of this privacy notice for reference and revisit it from time to time to ensure that you are aware of any changes.
How to complain
Please contact us if you have any queries or concerns about our use of your personal data (see below 'How to contact us'). We hope we will be able to resolve any issues you may have.
You also have the right to lodge a complaint with the Information Commissioner. The Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
How to contact us
Keep in mind that Your App Provider is designated as a single contact point for data subjects in respect of matters relating to the processing of personal data processed by us and Your App Provider as joint controllers, as explained in section 'Joint controllers' above. You should be able to find their contact data in the terms of service and privacy notice under which they provide you with Your App. Additionally, you can check Your App Provider's details by checking the heading “Who is this firm connected to?” in our record in FCA's Financial Service Register.
Regardless of such joint controllers arrangement, you can contact us and/or our Data Protection Officer by post or email if you have any questions about this privacy notice or the information we hold about you, to exercise a right under the UK Data Protection Laws or to make a complaint regarding our processing of your personal data.
Our contact details are shown below:
| Our contact details | Our Data Protection Officer's contact details |
| Mailing address: 2nd Floor Amba House, 15 College Road, Harrow, HA1 1BA, England, United Kingdom Email: privacy@saltedge.com | Mailing address: 2nd Floor Amba House, 15 College Road, Harrow, HA1 1BA, England, United Kingdom Email: dpo@saltedge.com |