Last Updated: May 31, 2020
Tapico powers connectivity in financial services. We make it easy to connect your financial products to other financial institutions and software applications so they can help you provide the best experience possible. We call the Financial Institutions that you are a customer of “platforms” and we call the Software Applications that connect to them “developers”.
2. Our Data Practices
Information you provide.
When you connect financial accounts with a developer application or otherwise connect your financial accounts through Tapico, where applicable, we collect identifiers and information required by the provider of your account, such as a security token. In some cases, we also collect your phone number, email address to help verify account ownership before connecting your financial accounts. When providing this information, you give the developer and Tapico the authority to act on your behalf to access and transmit your End User Information from the relevant platform that provides your financial accounts. You may also provide us with identifiers and other information, including your name, email address, and phone number, when you contact us or enter any such information on our websites.
Information we collect from your financial platforms.
The information we receive from the financial product platforms that maintain your financial accounts varies depending on the specific Tapico services developers use to power their applications, as well as the information made available by those providers. In general, we collect the following types of identifiers, commercial information, and other personal information from your financial product and service providers:
- Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing number;
- Information about an account balance, including current and available balance;
- Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
- Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
- Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
- Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;
- Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and
- Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts.
The data collected from your financial accounts includes information from all your accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.
Information we receive from your devices.
Information we receive about you from other sources.
We also receive identifiers and commercial information about you directly from the relevant developer or other third parties, including our service providers, bank partners, and identity verification services. For example, developers may provide information such as your full name, email address, phone number, or information about your financial accounts and account transactions.
Inferences we derive from the data we collect.
We may use the information we collect about you to derive inferences. For example, we may infer your location or your projected income based on the information we have collected about you from other sources.
3. How We Use Your Information
We use your End User Information for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your End User Information:
- To operate, provide, and maintain our services;
- To improve, enhance, modify, add to, and further develop our services;
- To protect you, developers, platforms, our partners, Tapico, and others from fraud, malicious activity, and other privacy and security-related concerns;
- To develop new services;
- To provide customer support to you, or to developers, or to platforms, including to help respond to your inquiries related to our service, or developers’ applications, or platforms;
- To investigate any misuse of our service, or developers’ applications, or platforms including violations of our Policies, criminal activity, or other unauthorized access to our services; and
- For other notified purposes with your consent.
4. Our Lawful Bases for Processing
For individuals in the European Economic Area (“EEA”) or the United Kingdom (“UK”), our legal basis for processing your End User Information will depend on the information concerned and the context in which we collected or processed it. Generally, however, we will normally only collect and process End User Information where:
- we need to fulfill our responsibilities and obligations in any contract or agreement with you (for example, to comply with our marketplace or open banking services agreements);
- to comply with our legal obligations under applicable law;
- the processing is necessary for our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, to safeguard our services; to communicate with you; or to provide or update our services); and
- you have given your consent to do so.
To the extent we rely on consent to collect and process End User Information, you have the right to withdraw your consent at any time per the instructions provided in this Policy.
5. How We Share Your Information
We share your End User Information for a number of business purposes:
- With the developer of the application you are using and as directed by that developer (such as with another third party if directed by you);
- With the platform you are using and as directed by you;
- To enforce any contract with you;
- With our data processors and other service providers, partners, or contractors in connection with the services they perform for us, or developers, or platforms;
- If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);
- In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
- As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, developers, platforms, our partners, Tapico, and others; or
- For any other notified purpose with your consent.
We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell or rent personal information that we collect.
6. Our Retention Practices
We retain End User Information for no longer than necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required or permitted under applicable law. As permitted under applicable law, even after you stop using an application or terminate your account with one or more developer, we may still retain your information (for example, if you still have an account with another developer). However, your information will only be processed as required by law or in accordance with this Policy.
7. International Data Transfers
When we share data, it may be transferred to, and processed in, countries other than the country you live in. These countries may have laws different to what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected. These include restricting the countries in which we store data.
For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like New Zealand), or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses. For further information, please contact us using the details set out in the Contact us section below.
8. Tapico’s Subprocessors
We use a few different third party subprocessors to help us provide our services to you. These subprocessors process data that you input into the services, which may include personal data. Here we’ve set out some info on who these subprocessors are and what services they provide.
Google Cloud Platform
Cloud infrastructure service provider*
Transactional email processing
* This service provider may provide a range of services including data storage and processing, analytics, text extraction and other services.
9. The Data Subject’s Protection Rights
In certain circumstances, in relation to the personal data relating to you that we process, you have the following rights:
- Right to information – meaning you have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.
- Right to access – meaning you have the right to access the data collected from/about you. This includes your right to request and obtain a copy of your Personal Data gathered.
- Right to rectification – meaning you have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.
- Right to erasure – meaning in certain circumstances you can request for your Personal Data to be erased from our records.
- Right to restrict processing – meaning where certain conditions apply, you have the right to restrict the Processing of your Personal Data.
- Right to object to processing – meaning in certain cases you have the right to object to Processing of your Personal Data, for example in the case of direct marketing.
- Right to object to automated Processing – meaning you have the right to object to automated Processing, including profiling; and not to be subject to a decision based solely on automated Processing. This right you can exercise whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.
- Right to data portability – you have the right to obtain your Personal Data in a machine-readable format or if it is feasible, as a direct transfer from one Processor to another.
- Right to lodge a complaint – in the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled please contact us.
- Right for the help of supervisory authority – meaning you have the right for the help of a supervisory authority and the right for other legal remedies such as claiming damages.
- Right to withdraw consent – you have the right to withdraw any given consent for Processing of your Personal Data.
If you would like to exercise any of your rights, you can do so by emailing us at email@example.com. We’ll look to verify your identity and then we’ll work with you in relation to the right you’re looking to exercise.
If you are outside the UK, you can find your local data protection authority here.
11. Changes To This Policy
We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy here and update the effective date at the top of the page. We will also notify developers and platforms of any material changes in accordance with our agreements, as they are generally best positioned to notify their end users about such changes to this Policy, as appropriate.
12. Contacting Tapico
If you have any questions or complaints about this Policy, or about our privacy practices generally, you can contact us at firstname.lastname@example.org