Introduction
Purpose of the Privacy Notice
This Privacy Notice outlines the information mandated by the EU's General Data Protection Regulation (EU) 2016/679 (hereafter referred to as the Data Protection Regulation) and the Finnish Data Protection Act (1050/2018). This notice is aimed at both data subjects and regulatory authorities.
When it comes to personal data associated with payer payments, the data controller is the merchant providing the online service, from where personal data is collected. Trumo Finance acts as the data processor for personal data that is relayed from the merchant's online service to Trumo Finance's payment service along with the payment information. The handling of the payer's personal data is agreed upon between the merchant and Trumo Finance through a separate Data Processing Agreement.
In the course of processing payments, Trumo Finance gathers information necessary for the provision of the payment service and for ensuring information security. This Privacy Notice pertains to that information, which will be elaborated in more detail in a subsequent section.
What Personal Data We Collect
Categories of Personal Data
Trumo Finance collects the following types of data from its customers:
Personal Data
Your personal details and contact data, including full name, date of birth, personal identification code, citizenship, residency, residential address, tax residency, e-mail address, mobile phone number, occupation, identification document data, photo and/or video footage which you have forwarded to Trumo Finance for the purpose of identifying yourself.
Due Diligence Data
Data that the Company collects from the customer and appropriate databases for the purpose of conducting due diligence under applicable anti-money laundering laws.
Transaction and Payment Card Data
Details of any transfers made to and from the customer account, including the name and account number of the payer and the payee, the date, time, currency, amount and explanation of the transaction, merchants’ and ATMs’ locations, the payment card’s number, cardholder name, the expiry date of the payment card and the CVV number of the payment card.
Device Data
Information regarding the device on which customers are using the application and/or the Website, including the device’s model, name, or any other identifier and the IP address of the network from which customers are using the application and/or the Website, including location information.
Preference Data
Customers' preferences in the application and/or on the Website (language preferences, transaction limits, etc.).
Customer Support Data
Communication between customer and Trumo Finance customer support (telephone conversations, emails, and chats).
Other Data
Other data not listed above, generated as a result of using the application and/or the Website.
The following information is used to fetch data from Account Servicing Payment Service Providers (ASPSPs) on behalf of Payment Service Users (PSUs) and to share data with an application. Here are the types of data we collect:
Session Data
Application ID: An internal identifier of the partner application through which the PSU's data is accessed.
Session Timeline: This includes the date and time the session was created, optionally authorized, and potentially closed.
Session Status: This represents the current state of the session.
Connector ID: An internal identifier of our SDK connector used to access ASPSP APIs.
ASPSP Information: This includes the brand name and country of the ASPSP chosen by the PSU.
Scope of Access: Details about the extent of access requested through the partner application and confirmed by the PSU.
Auxiliary Authorization Data: This is temporary data stored during PSU authentication and removed when the session is authorised.
Token: This is necessary data for accessing ASPSP APIs on behalf of PSU.
Client Info: Optional data about the PSU indicating their current usage of the partner application.
Account Data: Information necessary to retrieve information about PSU accounts.
Access Data
Validity Period: The duration for which the PSU shares access to their account data.
Account Permissions: Flags indicating whether the PSU shares access to account balances and transactions.
Account Identifiers: Data needed to identify specific PSU accounts.
Token Data
Access Token: The token used to make requests to ASPSP’s APIs on behalf of the PSU.
Token Timeline: The date and time when the token was created or updated.
Refresh Token: Optional token used to create a new access token, if necessary.
Token Validity: The expected expiry time of the access token.
Consent ID: The identifier created by ASPSP for the PSU's consent.
Client Information
Client Timeline: The date and time the client info was recorded.
IP Address: The IP address used by the PSU to access the partner application and our API.
User Agent: The client application (browser or mobile application) being used by the PSU.
Referrer, Accepted Data Format, Charset, Encoding, and Language: Information provided by the PSU's client application.
Geo Location: The current geo location of the PSU.
Account Data
Resource ID: The identifier provided by ASPSP to request account information.
Identification Hash: The hashed account identification used for matching accounts.
Payment Data
Payment Timeline: This includes the date and time when payment initiation was requested, optionally authorized, checked, and completed.
Payment Status: The current state of the payment.
Payment Details: The list of payment details necessary for the initiation of payments.
Payment Transactions: The list of payment transactions being initiated and confirmed by the PSU.
Payment transaction data
Transaction Details: This includes the monetary amount and currency of the transaction.
Debtor Account Identification Hash: The hashed account identification of the payer’s account.
Creditor Account Identification Hash: The hashed account identification of the payee’s account.
Special Categories of Personal Data (if applicable)
Trumo Finance does not collect special categories of Personal Data.
Why We Process Your Personal Data
Purposes for Processing Personal Data
Trumo Finance collects and processes personal data for the following purposes:
Compliance Purposes — to perform any obligation under applicable laws, including the obligation to:
avoid money laundering, terrorist financing, and fraud;
ensure the fulfilment of international financial sanctions;
ensure the security of payment services;
provide tax authorities data as required under tax information exchange laws;
comply with the lawful inquiries and orders of public authorities Trumo Finance is obliged to cooperate with under applicable laws, such as courts, bailiffs, trustees in bankruptcy, the police, financial supervisory authorities, financial intelligence units, tax authorities, etc;
other financial institutions Company is obliged to cooperate with under applicable laws, including, upon your prior authorization, payment information service providers and payment initiation service providers.
Contractual Purposes — to perform or enter into an agreement between customer and Trumo Finance.
Fraud Monitoring Purposes — to monitor and prevent payment fraud.
Analytical Purposes — to gain a better understanding of the preferences of Trumo’s customers and the way customers interact with the application and/or the Website.
Marketing Purposes — to provide customers with marketing offers of Trumo’s services and additional features.
Lawful Bases for Processing
The lawful basis for processing of personal data is set out in Article 6 of the GDPR.
At least one of these must apply whenever personal data is processed. Trumo Finance processes data using the following legal bases:
Consent (Article 6 (1) (a) GDPR) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes
Performance of a contract and prior requests (Article 6 (1) (b) GDPR) - Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests (Article 6 (1) (f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Who We Share Your Personal Data With
We only share your data when necessary and in accordance with GDPR requirements:
Service Providers: We share your data with third parties that provide us with services, under strict data protection terms.
Legal Obligations: If required by law or for safety reasons, we may disclose your personal data.
Business Transfers: Your data may be transferred in cases of business events like mergers or acquisitions.
Analytics and Advertising Partners: Your data may be shared with partners for analytics and personalized advertising, respecting your privacy and anonymity.
Third-party Integrations: If you use third-party integrations, they may receive your data; ensure to review their privacy policies.
Data transfers to non-GDPR compliant countries are done only when permitted by law and with appropriate data protection.
Any questions or concerns about this practice should be directed to our contact details provided in this notice. We're committed to your privacy.
How We Secure Your Personal Data
Safeguard measures:
All physical records containing personal data are stored in a locked cabinet or room with limited access.
Access to our office premises is restricted to authorized personnel only.
We ensure that all physical records containing personal data are securely disposed of when they are no longer needed.
Technical safeguards:
Access to personal data is restricted to authorised personnel on a need-to-know basis.
Company utilises up-to-date antivirus software, firewalls, and encryption techniques to protect our information systems from unauthorised access and malware attacks.
Company limits access to information systems through password-protected user accounts and two-factor authentication.
Company regularly performs vulnerability assessments and penetration testing to identify and mitigate potential security risks.
Data Breach Notification Procedures
Data breach notification to the supervisory authority
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The following information shall be provided to the supervisory authority:
describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Data breach notification to the customer
When the personal data breach is likely to result in a high risk to the rights and freedoms of the customer, Trumo Finance shall communicate the personal data breach to the customer without undue delay.
The communication to the customer shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the Company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Data Retention
Trumo Finance only stores customers' data for as long as is necessary for the respective purpose of the data processing (e.g. processing your request or legal retention periods).
How Long We Keep Your Personal Data
Identity verification data
The retention period applicable to customer information and documents, as applicable, is 5 years from the end of the customer relationship or individual transaction. If the customer was identified remotely, information on the procedure or sources used in the verification must be retained.
Anti-money laundering data
Anti-money laundering data must be stored for at least 5 years after the end of the customer relationship.
Accounting records
The documents for the financial year, correspondence regarding everyday business transactions, and other possible confirming accounting documents/materials for transactions must be retained for at least 6 years after the end of the year during which the financial year ended. The financial statements, annual management report, ledgers, chart of accounts and the list of ledgers and materials must be retained for at least 10 years from the end of the financial year. The data must be stored in a systematic manner.
Your Rights Regarding Your Personal Data
Data subjects have specific rights with respect to their personal data. The following section outlines the rights that data subjects have and the processes the Company has in place to respond to requests related to these rights.
Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Organizations must have a lawful basis for processing personal data, such as the consent of the data subject or the legitimate interests of the organization. Data subjects must be informed about the processing of their personal data in a clear and understandable way.
Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Organizations must be transparent about the purposes for which they collect personal data and must not use it for any other purposes without a valid legal basis.
Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Organizations must only collect and process personal data that is necessary to achieve the specified purposes.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Organizations must take reasonable steps to ensure that personal data is accurate and must rectify inaccurate data without undue delay.
Storage limitation: Personal data must be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Organizations must establish retention periods for personal data and must securely dispose of data when it is no longer needed.
Confidentiality and integrity: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Organizations must implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data.
Data subject rights
Data subjects have specific rights with respect to their personal data. The following section outlines the rights that data subjects have and the processes Company has in place to respond to requests related to these rights.
Right to be informed: Data subjects have the right to be informed about the collection and use of their personal data. We will provide data subjects with transparent information about how their data is used, and we will do so in a concise, transparent, intelligible, and easily accessible form using clear and plain language.
Right of access: Data subjects have the right to obtain access to their personal data that we hold. Company will respond to requests for access without undue delay and within one month of receipt of the request. In some cases, the period can be extended by a further two months if the request is complex or if Company receives a large number of requests.
Right to rectification: Data subjects have the right to have inaccurate or incomplete personal data corrected. Company will take reasonable steps to ensure that any inaccurate or incomplete data is rectified without undue delay.
Right to erasure (also known as the right to be forgotten): Data subjects have the right to have their personal data erased under certain circumstances. Company will respond to requests for erasure without undue delay, except in cases where Company is required to retain data to comply with legal obligations or to establish, exercise, or defend legal claims.
Right to restrict processing: Data subjects have the right to restrict the processing of their personal data under certain circumstances. Company will respond to requests for restriction of processing without undue delay, except in cases where we are required to continue processing the data to comply with legal obligations or to establish, exercise, or defend legal claims.
Right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit the data to another controller.
Right to object: Data subjects have the right to object to the processing of their personal data under certain circumstances. Company will respond to requests for objection without undue delay, unless we have compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.
Right to withdraw consent: Where the processing of personal data is based on consent, data subjects have the right to withdraw consent at any time. Company will make it as easy for data subjects to withdraw consent as it was to give it, and will cease processing data as soon as consent is withdrawn.
How to Exercise Your Rights
If a data subject wishes to exercise any of these rights, they should contact the Support Team in the first instance via support(at)trumo.com, who will ensure the request is logged and dealt with by the DPO.
If preferred, they may also contact the Data Protection Officer (DPO) directly via dpo(at)trumo.com. The Company will respond to requests within the timeframes set out in GDPR, and will take appropriate steps to verify the identity of the data subject making the request before responding. If we are unable to comply with a request, we will explain the reasons why.
You can exercise your right of access by submitting a Data Subject Access Request (DSAR). This can be done by filling out our Data Subject Access Request Form.
You are not obliged to complete this form to make a request but doing so will make it easier for us to process your request quickly and accurately.
Complaints
If you are unsatisfied with the response of our customer support to your reclamation or claim, you can ask for a third party to solve the dispute.
Please contact the Consumer Disputes Board at Hämeentie 3, PL 306, 00531 HELSINKI
Email: kril(at)oikeus.fi
Telephone: 029 566 5200 (switchboard)
Contact Details for Data Protection Authorities
The Data Protection Ombudsman is a national supervisory authority which supervises the compliance with data protection legislation.
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
E-mail (registry): tietosuoja(at)om.fi