Last updated: 13 October 2022
This policy, together with our End User Terms of Service, describes how Finverse collects, uses, and shares personal data about you (the “end user” or “you”) to operate, develop and improve our services.
This policy applies to Finverse Technologies Limited and its subsidiaries (collectively, “Finverse”, “we, “our” or “us”).
By accessing Finverse’s services, you accept and consent to the practices described below.
ABOUT FINVERSE AND OUR SERVICES
Finverse Technologies Limited is a company incorporated in Hong Kong. Our registered office address is: Rm 2004-06, Strand 50, 50 Bonham Strand, Sheung Wan, Hong Kong.
Data services: Our data services enable you to easily share data from your financial account(s) to a party you have designated (the “Recipient”). This can help you, through services provided by the Recipient, to do things like open new accounts, apply for credit, monitor your finances, transfer money or make payments. The Recipient uses Finverse to access your data in easy-to-use digital formats, which helps it deliver its own services to you.
Payment services: Our payment services enable you to easily setup one-time or recurring payments from your financial account(s) to the Recipient. This can help you to send money to the Recipient in order to do things like repay loans or credit cards, top-up accounts or wallets, purchase goods or services, or transfer money to others. The Recipient uses Finverse to authenticate and initiate payments from your financial account, which helps it deliver its own services to you.
This policy does not cover what your Recipient does with the data we provide (or other data it collects about you from other sources). We encourage you to review the policies of the Recipient for more information about its privacy practices.
COLLECTION OF YOUR INFORMATION
We collect and process the following information (“End User Information”) about you:
Financial account information you or the Recipient provide: account information (such as your account number, accountholder name, account billing address or other account information, collectively referred to as your “Account Information”), which you or the Recipient provide to us when you choose to use our services to connect a third-party financial account, for example a bank, digital wallet or other financial institution account (your “Connected Account(s)”).
Financial account authorization information you or the Recipient provide: account authorization information (such as your username, password, one-time password or other credentials, collectively referred to as your “Authorization Information”), which you provide us when you connect your Connected Account(s).
By providing us your Account Information and/or Authorization Information, you give us the authority to access and transmit your End User Information (the “Access Authority”), in the following ways:
- to the relevant financial institution or other entity that maintains your Connected Account, and
- to the Recipient,
solely to the extent needed for us to provide our services.
You agree that providing us your Account Information or Authorization Information in an electronic format constitutes written permission and consent to transmit your End User Information.
Information we retrieve from your financial accounts: financial and personal information which we retrieve from your Connected Accounts, by accessing your financial institution’s internet banking website(s), mobile application(s) or data feeds (such as API connections). This includes information for all accounts and sub-accounts accessible with the Authorization Information you provide us, for example:
- Account information (including list of accounts, account names, account types, account numbers and account ownership);
- Account balances and balance history;
- Transactions (including historical transactions) and transaction details (including date, amount, description and payee/recipient details);
- Statements associated with your accounts (including historical statements from the current calendar year and previous 2 calendar years);
- Credit and loan information (including credit limits, balances, due dates, repayment dates and status, payment amounts and interest rates); and
- Account holder(s) information (including name, address, contact information and employment details).
Personal information you provide: personal information you provide us (which may include your name, email address, phone number or other personal information) when you contact us or enter such information in our services, for example:
- When you report any problem to us or request any support from us; or
- When you use certain features of our services.
Information we collect about you and your devices: information automatically collected when you use our services, for example:
- Technical and network activity information, including the Internet protocol (IP) address used to connect your computer to the Internet, your browser type and version, time zone setting, device location, browser plug-in types and versions, hardware model and operating system; or
- Information about your use of our services, including Uniform Resource Locators (URLs), clickstreams to, through and from our site, and page interaction information (such as scrolling, clicks, mouse-overs and length of visit).
Information we receive about you from third parties: personal information about you provided directly to us by Recipients (which may include your financial account information, name, email address, phone number or other personal information) when using our services.
Inferences about you derived from the data we collect: inferences about you derived from other End User Information (including inferences about your location, income or risk profile).
To the extent we rely on your consent to collect and process End User Information, you have the right to withdraw your consent at any time by following the instructions provided in this policy.
RECURRING COLLECTION OF YOUR INFORMATION
By default, we do not store your Authorization Information, which means we can access each Connected Account only once (i.e. at the time you provide us your Authorization Information).
Alternatively, our service allows you to opt-in to storing your Authorization Information, in order to enable us to access your Connected Account(s) on a recurring basis.
If you opt-in to storing your Authorization Information, you agree that the Access Authority you have given us will remain valid indefinitely and on a recurring basis (potentially even after you stop using or terminate the Recipient’s services), until you either indicate you wish to discontinue using our services by unlinking your Connected Account(s), or withdraw access by changing your Authorization Information.
Please refer to “Our Data Retention Practices” below for details on how to unlink your Connected Accounts.
USES OF YOUR INFORMATION
We use your End User Information for various business and commercial purposes, which include:
- Providing, maintaining and improving our services;
- Researching and developing new features, products or services;
- Protecting you, Recipients, Finverse and financial institutions from fraud, malicious activity and other security and privacy concerns;
- Communicating with you, responding to your questions or requests, and providing customer support to you or to Recipients;
- Investigating any misuse of our services or of Recipients’ services, including violations of our Developer Policy, criminal activity, or other unauthorized access to our services;
- Complying with our contractual obligations, and with applicable laws and regulations in any parts of the world;
- Responding or taking part in legal proceedings, including seeking professional advice;
- Other notified purposes with your consent, or purposes directly related to the above.
SHARING AND DISCLOSURE OF YOUR INFORMATION
We share your End User Information for various business purposes:
- With the financial institution who maintains your Connected Account(s) to help establish or update the connections you’ve made through our services;
- With the Recipient you have designated, and as directed by the Recipient (for example to third parties if directed by you);
- With our service providers, partners, contractors and other persons under a duty of confidentiality to us, in connected with the services they perform for us;
- With any member of our group, which means our subsidiaries, parents, ultimate holding company, affiliates and other companies under common control or ownership in any part of the world;
- In connection with a change in ownership or control of all or a part of our business in any part of the world (such as a merger, acquisition, reorganization or bankruptcy);
- To enforce any contract with you;
- If we believe in good faith that disclosure is required to comply with applicable laws, regulations or legal proceedings (such as a court order) in any part of the world;
- As we believe reasonably appropriate to protect the rights, safety, privacy or property of you, Recipients, Finverse and others;
- Other notified purposes with your consent.
We do not sell or rent your End User Information information, except to the Recipient you designated when using our services.
We may collect, use and share End User Information in an aggregated, de-identified or anonymized manner (which does not identify you personally, and which we believe in good faith cannot be tied back to you) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified or anonymized data based on the collected information to develop new services or to facilitate research.
OUR DATA RETENTION PRACTICES
We only retain End User Information for so long as it is necessary to fulfil the purposes for which it was collected or used, unless a longer retention period is required or permitted under applicable laws.
By default, we do not store any Authorization Information you provide us. Alternatively, our service allows you to opt-in to storing your Authorization Information, in order to enable us to access your Connected Account(s) on a recurring basis. In such case we may retain the Authorization Information until you indicate you wish to discontinue using the services, by unlinking your Connected Account(s).
At any time, you can terminate using our services by choosing to unlink your Connected Account(s). Any information directly retrieved from your Connected Account(s), and any Authorization Information you have chosen to store, will then be deleted. Please review the Recipient’s support information for more information about how to unlink a Connected Account. A Recipient may also request us directly to unlink your Connected Accounts.
If neither you nor the Recipient request us to unlink your Connected Accounts, we may continue to retain information directly retrieved from your Connected Account(s), as well as any Authorization Information you have chosen to store, potentially even after you stop using or terminate the Recipient’s services.
Please refer to “Your Data Protection Rights” below for options that may be available to you, including the right to request deletion of End User Information.
We use persistent cookies and session cookies. A persistent cookie stays in your browser and will be read by us when you return to our services or a partner site that uses our services. Session cookies only last for as long as the session (usually the current visit to our services or a browser session).
We may use the following cookies:
- Strictly necessary cookies – These are cookies that are required for the operation of our services. They include, for example, cookies that enable you to access secure areas of our services.
- Analytical/performance cookies – These allow us to recognise and count the number of end-users and to see how end-users navigate our services when they are using it. This helps us to improve the way our services work, for example, by ensuring that users are able to use our services easily.
- Functionality cookies – These are used to recognise you when you return to use our services. This enables us to personalise our content for you and remember your preferences (for example, your choice of language or region).
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you do so, you may not be able to access all or parts of our services.
We may use third-party web services as part of our services. The providers that administer these services use technologies such as cookies (which are likely to be analytical/performance cookies), web server logs and web beacons to help us analyse how end-users use our services. The information collected through these means (including IP addresses) is disclosed to these providers. These analytics providers may use the data collected to contextualise and personalise the marketing materials of their own advertising network.
Our services or our communication with you may from time to time contain links to third-party websites over which we have no control. If you follow a link to any of these websites, please note that they have their own practices and policies. We encourage you to read the privacy policies or statements of these websites to understand your rights. We accept no responsibility or liability for any practices of third-party websites.
SECURITY OF YOUR INFORMATION
We have implemented technological, organizational and physical security measures designed to protect your data from unauthorized access. These include:
- Encrypting the information you provide during transit and at rest. We use additional encryption for highly sensitive data such as Authorization Information, financial account numbers, statements and personally identifiable information.
- Restrict access to our systems using network and other access controls, such as firewalls and multiple levels of authentication.
- Restricting access to personal information to our employees, service providers and contractors on a strictly need-to-know basis, and ensuring that those persons are subject to contractual confidentiality obligations.
- Reviewing our information collection, storage and processing practices from time to time to guard against unauthorised access, processing or use.
Please note, however, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our services. Any transmission is at your own risk, and we expressly disclaim all liability for any interception or interruption of any Internet transmissions you send, and for any resulting data losses.
INTERNATIONAL DATA TRANSFERS
We operate internationally and, as a result, may transfer your End User Information across international borders, for processing, storage or other purposes related to the use of our services. This includes transfers outside your country of residence or the country in which your Connected Account(s) is registered, to other countries (for example Singapore or Hong Kong). This may also include transfers to the Recipient or other persons referred to under “Sharing and Disclosure of your Information” above, who operate in other countries.
By submitting your personal data you agree to this transfer, storing or processing of data outside your country of residence or the country in which your Connected Account(s) are registered.
YOUR DATA PROTECTION RIGHTS
Under applicable law, you may have certain privacy rights in relation to the End User Information collected about you and how it is used, including under the following laws (depending on your citizenship or where you and your Connected Accounts are located):
- Hong Kong Personal Data (Privacy) Ordinance;
- Indonesia Personal Data Protection Act;
- Philippines Data Privacy Act of 2012;
- Malaysia Personal Data Protection Act of 2010 (PDPA)
- Singapore Personal Data Protection Act; and
- Vietnam Law on Cyber Information Security No. 86/2015/QH13.
Subject to limitations and exceptions provided by law, you may have the right to:
- Check whether we hold personal data about you;
- Access any personal data we hold about you;
- Request us to correct any inaccuracy or error in any personal data we hold about you;
- Request, under certain circumstances, that we restrict the processing of, or erase, your personal information;
- Where processing of your personal data is based on consent, withdraw that consent;
- File a complaint regarding our handling of your personal data, to us or to a nationally established body (such as the Philippines National Privacy Commission); and
- Claim damages in case of inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
To exercise any of your data protection rights, where applicable, you can contact us as described in the “Contact Us” section below.
You may be required to provide additional information necessary to confirm your identity before we can respond to your request.
Any such requests may be subject to a small administrative fee to meet our cost to process your request.
CHANGES TO THIS POLICY
We may update this policy from time to time, by posting the new policy on our website, www.finverse.com.
By continuing to use our services after the changes come into effect you agree to be bound by the revised policy.
In case of discrepancies between the English and other language versions of this policy, the English version shall prevail.
If you have any questions, comments or requests regarding this policy or your personal data, please contact us at at [email protected] or by mail at:
Finverse Technologies Limited
Attn: Data Protection Officer
Rm 2004-06, Strand 50
50 Bonham Strand, Sheung Wan