Privacy Notice
Version 2.3
Last updated: 27.05.2024
1. INTRODUCTION
FinKratt OÜ (“FinKratt”, “our”, “we”, or “us” as applicable) provides a free financial report generation service (the “Service”) as further specified in Section 1.3 of FinKratt’s Terms and Conditions (the “Terms”).
This Privacy Notice (“Notice”) clarifies how we process your personal data, including usage, storage, and disclosure under various circumstances: (i) when you utilise our Service; (ii) when you interact with our website at https://finkratt.com/ (“Website”); (iii) if you opt in to receive any of our marketing materials; (iv) through communications with us via our Website or other channels like email or social media; or (v) during any other engagement with us that involves processing your personal data. We will specify if any data processing practices are particularly relevant to certain interactions or services.
We process your data in accordance with this Notice and the General Data Protection Regulation (2016/679) (“GDPR”). If you provide third-party personal data, ensure they are aware of this Notice.
FinKratt does not knowingly process data from those under 18 years of age. If such data is collected, we’ll promptly delete it. For concerns regarding minors’ data, contact us at privacy@finkratt.com.
If you have consented to the usage of cookies, please refer to our Cookies Notice.
2. CONTROLLER
For the personal data processing activities described in this Notice, FinKratt OÜ, a private limited company based in Estonia with registry code 16712820, serves as the controller of your personal data.
3. CATEGORIES AND SOURCES OF PERSONAL DATA
Personal data refers to any information related to an identified or identifiable natural person. Data that is anonymised, rendering it unable to be associated back to you, does not qualify as personal data.
We collect and process various categories of personal data during the provision of our Service, Marketing, and under other circumstances as outlined in Section 1 of this Notice. Below are the details of the personal data we may collect:
3.1. SERVICE PROVISION
During the provision of our Service, we may collect and process the following types of your personal data:
- Identification Data: Includes your name, email address, age, and location.
- Financial Data: Comprises information such as your gross salary, details of any additional income, and totals for housing, utilities, transportation, groceries, other necessities, dependants, children’s funds, debts, savings, investments, pension, and details regarding your participation in pension pillars (II Pillar/PIA), including whether you have maximised contributions to these pillars.
- Technical Data: Captures the submission date and submission token associated with your use of our Service.
3.2. MARKETING
- Marketing Data: Subject to your express consent, we may collect your email address to send you marketing communications and updates regarding our services, promotions, and other relevant information that may interest you.
3.3. OTHER CIRCUMSTANCES
Beyond the provision of our Service, we may process additional personal data as recognised under other circumstances detailed in Section 1 of this Notice. The specific types of personal data processed in these situations will depend on your interactions with us and may include, but are not limited to, Communications Data and other information you provide when engaging with us outside the direct use of our Service.
4. PURPOSES OF PROCESSING AND LEGAL BASES
At FinKratt, we are committed to processing your personal data lawfully, in a transparent manner, and only where we have a legal basis for doing so. The legal bases for processing your personal data depend on the purposes for which we collect it. Below, we outline the processing purposes, linked to the specific data categories and legal bases for processing:
4.1. SERVICE PROVISION
- Processing Purpose: Processing relevant data to deliver our Service.
- Legal Basis: Article 6.1(b) GDPR — Performance of the contract to which you are a party, or in order to take steps at your request before entering into a contract.
- Data Categories: Identification Data, Financial Data, and Technical Data.
4.2. MARKETING
- Processing Purpose: Sending updates and promotional offers regarding our Service to users who have consented to receive such communications.
- Legal Basis: Article 6.1(a) GDPR — Your consent.
- Data Categories: Marketing Data.
4.3. OTHER PURPOSES
Other purposes may include, but are not limited to, the following:
4.3.1. RESPONDING TO INQUIRIES, FEEDBACK, AND PROVIDING SUPPORT
- Processing Purpose: Ensuring user satisfaction and improving our Service.
- Legal Basis: Article 6.1(f) GDPR — Our legitimate interests in improving our Service.
- Data Categories: Communications Data.
4.3.2. COMPLYING WITH APPLICABLE LAWS AND LAW ENFORCEMENT REQUESTS
- Processing Purpose: Complying with applicable laws, regulations, and requests from law enforcement or other authorities.
- Legal Basis: Article 6.1(c) GDPR — Compliance with our legal obligations.
- Data Categories: As necessary under applicable law.
4.3.3. DEFENDING AGAINST LEGAL CLAIMS
- Processing Purpose: Disclosing data to our legal advisors and establishing, exercising, or defending legal claims.
- Legal Basis: Article 6.1(f) GDPR — Our legitimate interest in seeking legal advice and managing legal claims.
- Data Categories: As necessary under applicable law.
4.3.4. IMPROVING OUR WEBSITE, SERVICE, OFFERINGS, AND OVERALL SOLUTION
- Processing Purpose: Analysing the use of the Website and Service to assess their suitability and to develop new features and functionalities.
- Legal Basis: Article 6.1(f) GDPR — Our legitimate interest in understanding the use of our Website and Service to improve our offerings and overall solution.
- Data Categories: Identification Data (only email address) and Financial Data (only generic data derived from provided information).
Be aware that your personal data may be processed for additional purposes. We will inform you of these purposes as they arise, ensuring that either you have given your consent, there are other legal bases for the processing, or the new purposes are compatible with the original purposes described above.
5. RECIPIENTS OF YOUR PERSONAL DATA
We may share your personal data with trusted third-party Service Providers who assist us in delivering our Service, including the operation of our Website. These entities may act as separate controllers, processing your personal data for their own purposes, or as processors, processing personal data on our behalf. For a comprehensive list of the third-party Service Providers with which we may share your data, please refer to our List of third-party Service Providers we use.
Please note that other categories of recipients may include:
- Public Sector Authorities: For compliance with legal obligations, responding to court orders, or to protect our rights.
- Professional Advisors: Such as auditors and legal advisors, to ensure our proper economic activity and legal compliance, and to defend against any legal claims.
6. DATA TRANSFERS AND SAFEGUARDS
The personal data we collect is primarily processed within the European Economic Area (EEA). However, based on your interactions with FinKratt, we may need to transfer and process your data in countries outside the EEA that may not have been deemed to provide an equivalent level of data protection by the European Commission. In these instances, FinKratt commits to implementing stringent technical, physical, and organisational security measures to safeguard your personal information. We guarantee a standard of data protection comparable to that of the EEA by utilising GDPR-compliant data transfer mechanisms. By providing your personal data to us, you consent to its potential transfer and processing under this Notice.
In case you would like to receive further information about the specific data transfer mechanisms utilised, please email us at privacy@finkratt.com.
7. SECURITY AND HANDLING OF PERSONAL DATA
We take reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure, abuse or other processing in violation of applicable law. These measures vary based on the sensitivity of the personal data we process and the current state of technology.
For the Service, specific practices include data pseudonymisation and anonymisation, alongside rigorous device and application security measures. These practices are comprehensively detailed in our POC Data Handling & Security Practices document.
However, please be advised that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data breaches by third parties.
8. DATA RETENTION PERIODS
We are committed to retaining your personal data only for the minimum time necessary to fulfil the purposes outlined in Section 4 of this Notice or as mandated by law. The retention period is determined by considering the data’s quantity, nature, and sensitivity, the potential risk of harm from unauthorised use or disclosure, our processing purposes, and whether these purposes can be achieved through other means, alongside legal requirements. We also consider the need to resolve disputes, enforce our agreements, or the possibility of anonymising your data for indefinite retention.
8.1. SERVICE PROVISION
For Service Provision, specific retention periods and detailed procedures, including the steps for data anonymisation and the handling of backups and logs, are outlined in our POC Data Handling & Security Practices document.
8.2. MARKETING
For Marketing activities, data is retained until you withdraw consent, at which point it is promptly deleted.
8.3. OTHER PURPOSES
We will inform you of the relevant retention periods as they arise, ensuring clarity and compliance with legal requirements.
9. YOUR DATA PROTECTION RIGHTS
- Right to withdraw your consent: You have the right to withdraw any consent that you have given us at any time.
- Right to access: You have the right to get access to the personal data we process about you and to get a copy of it. Depending on the case, we may need to charge you a reasonable fee.
- Right to rectification: You have the right to request that we correct any information we hold on you that you deem inaccurate, incorrect, or out of date. You also have the right to request us to complete information that you believe is incomplete.
- Right to erasure: Under certain conditions you have the right to request us to erase your personal data.
- Right to restriction of processing: Under certain conditions you have the right to request us to restrict the processing of your personal data.
- Right to object to processing: Under certain conditions you have the right to object to the processing of your personal data.
- Right to data portability: You have the right to request us to transfer your personal data to another organisation or to you in a structured, commonly used and machine-readable format.
- Right not to be subject to a decision based solely on automated processing: We do not currently make automated decisions about any data subject, but you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces effects on you.
If you decide to enforce any of your data protection rights, please contact us at privacy@finkratt.com. We have one month (which can be extended to two further months where necessary) to respond to you starting from the receipt of your request.
10. CHANGES TO THIS PRIVACY NOTICE
FinKratt keeps this Notice under regular review and posts any updates on this page. This Notice was last updated on the date specified in the header of this page.
11. HOW TO CONTACT US
If you have a question about our Privacy Notice, the data we hold on you, or you would like to exercise any of your rights, please do not hesitate to contact us at privacy@finkratt.com.
12. HOW TO FILE A COMPLAINT
If you are not satisfied with our activities or feel that we have not addressed your questions or concerns adequately, you may make a complaint with the Estonian Data Protection Inspectorate.