Date Last Revised: April 18, 2018
1.1. “AISP” means account information service provider, a regulated payment service provider that provides consolidated information on one or more Payment Accounts held by End User with either another payment service provider or with more than one payment service provider.
1.2. “Applicable Laws” means:
- the General Data Protection Regulation (EU) 2016/679 and any other similar or equivalent laws, regulations or rules in force from time to time relating to the privacy, processing and use of Personal Data;
- the revised Payment Services Directive (PSD2 - EU Directive 2015/2366), together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by a regulator with jurisdiction over the Services, and all laws or regulations in force from time to time in ASPSP’s jurisdiction giving effect to PSD2; and
- all laws, statutes, rules, regulations, decrees, orders or directives in force from time to time applicable to the Services.
1.3. “ASPSP” means account servicing payment service provider, a payment service provider (such as a bank, credit institution or electronic money institution) that provides and maintains a Payment Account for End User.
1.4. “Authenticator” means the mobile application Priora Authenticator that may be provided by Salt Edge to End User as a strong customer authentication solution compliant with PSD2 requirements.
1.5. “Consent” of End User means any freely given, specific, informed and unambiguous indication of End User’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
1.6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.7. “Metadata” means all ancillary information, metadata, usage data, service data, relationships, trends, metrics, logs and all other information derived from use of the Services and Priora Platform.
1.8. “Minimum Terms of Service for End User” means Salt Edge’s minimum terms of service which govern End User’s use of the Services set out at https://priora.saltedge.com/pages/min_terms_of_service_end_user as the same may be amended from time to time for the purposes of compliance with changes in the Applicable Laws or good industry practice.
1.9. “Payment Account” means an account held in the End User’s name by the ASPSP which is used for the execution of Payment Transactions.
1.10. “Payment Account Data” means data relating to End User’s Payment Account, particularly:
- account information (including without limitation account number, type, currency, balance);
- transactions information (including without limitation transaction amount, date, description, currency); and
- account holder information (including without limitation name, address, email, phone number), on the condition that the respective ASPSP in its sole discretion provides access to such additional information.
1.11. “Payment Order” means an instruction by End User to its respective ASPSP requesting the execution of a Payment Transaction.
1.12. “Payment Order Data” means data relating to the Payment Order, including without limitation amount, currency, status, description, payee details.
1.13. “Payment Transaction” means an act initiated by End User or on End User’s behalf of placing, transferring or withdrawing funds from End User’s Payment Account.
1.14. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, but is not limited to, Payment Account Data and Personalized Security Credentials.
1.15. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.16. “Personalized Security Credentials” means personalized features provided by ASPSP to End User for the purposes of authentication, including without limitation username, password, access number, security questions and answers, token/SMS codes, multifactor information, device information.
1.17. “PISP” means payment initiation service provider, a regulated payment service provider that initiates Payment Orders at End User’s request with respect to End User’s Payment Account held with the respective ASPSP.
1.18. “Priora Account” means End User’s account on the Website which is automatically created when End User starts using the Services.
1.19. “Priora APIs” means application programming interfaces that establish secure communication between TPPs and ASPSP during the provision of Services.
1.20. “Priora Platform” means the Website, Priora APIs, Authenticator and any and all materials, documentation, articles and/or guidelines prepared and/or provided by Salt Edge in connection with using the Services, Website, Priora APIs and/or Authenticator.
1.21. “processing” or “to process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.22. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.23. “Pseudonymization” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific End User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
1.24. “Services” means the services provided by Salt Edge via Priora Platform on behalf of End User’s respective ASPSP.
1.25. “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
1.26. “TPP” means a third-party provider, such as AISP or PISP.
1.27. “Website” means the website https://priora.saltedge.com.
3. COLLECTION OF INFORMATION
When End User starts using the Services, Salt Edge will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services, as well as meeting the compliance requirements set forth in the Applicable Laws with respect to the provision of Services. Salt Edge collects information primarily in four (4) ways:
Information collected through End User’s use of the Services.
Salt Edge collects information about: (i) the TPPs End User interacts with through the Services and a trail log of their actions with respect to access to End User’s Payment Account; (ii) any actions of End User within the Priora Account and Authenticator; (iii) any Payment Orders initiated through a PISP, including associated Payment Order Data; (iv) Payment Account Data to which an AISP has been granted access; and (v) details of the Consent given by End User to TPPs, including without limitation scope and timestamp of such Consent. Salt Edge may store this information or part thereof in log files or other Metadata associated with End User’s Priora Account, and link it to other information Salt Edge collects and processes about End User.
Information collected from ASPSP and TPP.
Salt Edge collects information from End User’s respective ASPSP and TPPs for the purposes of providing the Services as follows:
- from ASPSP: Payment Account Data, Payment Order Data and confirmation of availability of funds in End User’s Payment Account; and
- from TPP: (i) Payment Orders initiated by End User through a PISP; and (ii) details of the Consent given by End User to TPP, including without limitation scope and timestamp.
Information Salt Edge collects automatically.
Section 4.b. “Use of Non-Personal Data”).
Besides first-party cookies set by Salt Edge itself, Salt Edge also uses third-party cookies. These third-party service providers with whom Salt Edge has contracted help analyze certain online activities and provide analytics services. Salt Edge uses the following third-party cookies:
- Google Analytics: Salt Edge has integrated Google Analytics, a web analytics service provided by Google Inc., in the Website in order to collect and analyze data about End Users’ behavior within the Website. The Google Analytics cookies collect information that allows Salt Edge to understand how End User interacts with the Website, including without limitation the IP address or other unique identifier for End User’s computer, mobile or other device used to access the Website, referral URL, what Website sub-pages End User visits, how often and the duration of such visits, the access time and location. Google Inc. uses the collected information to evaluate the use of the Website and provide online reports and other related services that help Salt Edge enhance user experience. The collected information is transferred and stored in the U.S.A. by Google Inc. or any third-party service providers acting on its behalf. If End User objects to the collection and processing of such data by Google Inc., End User must install a browser add-on (https://tools.google.com/dlpage/gaoptout) which will prevent further collection and transmission of information via Google Analytics. Further information about Google Analytics cookie usage can be found here.
- Fabric.io: Salt Edge has integrated Fabric, an analytics service for mobile applications provided by Google Inc., in the Authenticator in order to collect and analyze data about End Users’ behavior within the Authenticator and improve the Authenticator performance. The Fabric cookies collect information about how often End User uses the Authenticator, the IP address, timestamps, device model name, operating system and version number, and other performance data. The collected data is used to provide analytical reports, crash reports and other related services that help Salt Edge to resolve technical issues, improve the Authenticator and enhance user experience.
- Web beacons — web beacons are images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing website usage and activity. Web beacons or similar technologies help Salt Edge better manage the Services, count End Users of the Services, monitor how End Users navigate the Services, count how many e-mails that Salt Edge sends are actually opened and, generally, measure performance. Salt Edge does not link the information gathered by web beacons to End Users’ Personal Data.
4. USE OF INFORMATION
Processing Personal Data.
Salt Edge processes Personal Data for the purpose of:
- providing, maintaining, supporting, protecting and improving the Services;
- meeting the regulatory compliance requirements set forth in the Applicable Laws;
- providing customer support;
- sending system alert messages;
- enforcing compliance with the Minimum Terms of Service for End User and Applicable Laws;
- protecting the rights and safety of End Users and third parties, of Salt Edge and End User’s respective ASPSP(s);
- troubleshooting, analyzing and solving service-related errors. In such cases, End Users’ Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by Salt Edge; and
Use of Non-Personal Data.
Salt Edge may generate anonymous data derived from or based on Personal Data so that the results are no longer personally identifiable with respect to End User, and combine or incorporate such anonymous data with or into other similar data or information collected from other End Users or derived from other End Users’ use of the Services (“Anonymized Aggregate Data”).
Salt Edge may use such Anonymized Aggregate Data for any business purpose, including but not limited to:
- providing, supporting and improving the Services, including sharing such Anonymized Aggregate Data with the respective ASPSP for the purpose of conducting transaction risk analysis and/or compiling other statistical reports;
- conducting analytical research, compiling statistical reports and performance tracking;
- developing and/or improving other Salt Edge’s services and products; and
- sharing such Anonymized Aggregate Data with Salt Edge’s affiliates, agents or other third parties with whom Salt Edge has a business relationship.
Salt Edge will not sell Anonymized Aggregate Data.
5. CHILDREN’S PRIVACY
Protecting the privacy of young children is especially important to Salt Edge. The Services are not directed to children under the age of sixteen (16) years and Salt Edge does not knowingly collect or process Personal Data from persons under sixteen (16) years of age. If Salt Edge becomes aware of the fact that Personal Data of persons less than sixteen (16) years of age has been collected via the Services, Salt Edge will take the appropriate steps to delete this information.
6. DISCLOSURES AND TRANSFERS
- Disclosure to Third-Party Providers. Salt Edge has put in place contractual (including data protection, confidentiality and security provisions) and other organizational safeguards with its third-party service providers (“Third-Party Providers”) to ensure an adequate level of protection of Personal Data. Salt Edge may transfer Personal Data to such Third-Party Providers, including Salt Edge’s subcontractors and hosting providers engaged by Salt Edge in connection with the provision of Services, Website and/or Authenticator. Such Third-Party Providers may process, store and/or have access to Personal Data.
- Disclosure to ASPSP and TPPs. Salt Edge will disclose Personal Data to End User’s respective ASPSP and TPPs for the purpose of providing the Services as further described in the Minimum Terms of Service for End User.
Disclosure for Legal Reasons.
Salt Edge may disclose Personal Data without End User’s Consent, and End User hereby authorizes Salt Edge to do so, when Salt Edge believes in good faith that the disclosure of such information is reasonably necessary or appropriate:
- to comply with the Applicable Laws, any subpoena, enforceable request from the competent authorities or other legal process;
- to enforce Salt Edge’s rights against End User or in connection with a breach by End User of the Minimum Terms of Service for End User, including investigation of potential violations;
- to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Salt Edge or other third parties;
- to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), Salt Edge’s rights or property, other End Users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
- to help Salt Edge comply with legal, accounting or security requirements, in which case Salt Edge may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.
7. CONTROLLER AND PROCESSOR
In providing the Services Salt Edge acts as Processor and the respective End User’s ASPSP acts as Controller of Personal Data. While processing End User’s Personal Data Salt Edge shall at all times act on Controller’s behalf and according to Controller’s lawful instructions. Furthermore, Salt Edge shall adhere to the following principles with respect to Personal Data processing:
- not to collect more Personal Data than is necessary for the purpose of providing the Services;
- ensure that all employees authorized by Salt Edge to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- not to intentionally access, collect and/or process any Special Categories of Personal Data; and
- provide reasonable assistance to Controller to respond to requests for exercising End Users’ rights specified in Section 8.
8. END USER’S RIGHTS
Taking into account the nature of the processing, Salt Edge will provide reasonable assistance to Controller for the fulfilment of Controller’s obligation to respond to requests for exercising End User’s rights set forth below:
- the right to be informed: End User has the right to receive fair processing information about his/her Personal Data, including purpose of processing and lawful basis for processing, the identity of Controller and Processor, the categories of Personal Data collected and processed, the recipients to whom Personal Data has been or will be disclosed, details of transfers (if any) to third countries and applicable safeguards, Personal Data retention period, the existence of End User’s rights, and the sources Personal Data originates from.
- the right of access: End User has the right to obtain: (i) confirmation that his/her Personal Data is being processed; and (ii) access to such Personal Data.
- the right to rectification: End User is entitled to have Personal Data rectified if it is inaccurate or incomplete. Salt Edge can’t, however, rectify any Payment Account Data, Payment Order Data or Personalized Security Credentials, as this information is provided by and collected from End User’s respective ASPSP.
- the right to erasure (right to be forgotten): End User has the right to request the deletion of his/her Personal Data when there is no compelling reason for its continued processing or End User withdraws Consent to such processing. End User can delete (all) his/her Priora Account(s) at any time, in which case End User’s Personal Data will be permanently deleted from Salt Edge’s production servers, except for the information that Salt Edge will retain in accordance with its Data Retention policy (see further Section 9 “Data Retention”).
- the right to restrict processing: End User has the right to block processing of Personal Data on the grounds specified in the Applicable Laws. In such case, throughout the duration of the restriction Salt Edge will no longer be able to process End User’s Personal Data and, consequently, provide the Services to End User.
- the right to data portability: End User may request to receive free of charge a copy of Personal Data stored in Salt Edge’s system in a structured, commonly used and machine-readable format or have Salt Edge transmit the data directly to another organization if this is technically feasible. Salt Edge will use commercially reasonable efforts to respond to any data portability requests without undue delay and at the latest within one (1) month, although in certain limited circumstances Salt Edge: (i) may not be able to make all relevant information available to End User where that information also pertains to another End User; in such case, Salt Edge will provide reasons for denial to comply with End User’s request or any part thereof; and (ii) may extend the reply period to two (2) months where the End User’s request is complex or Salt Edge receives a number of requests; in such case, Salt Edge will inform End User within one (1) month of the receipt of the request and explain why the extension is necessary. Salt Edge reserves the right to charge a reasonable administrative fee if End User’s request is manifestly unfounded or excessive, particularly if it is repetitive, and for further copies of the same information.
- the right to object: End User has the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) processing for purposes of scientific/historical research and statistics. Salt Edge does not process End User’s Personal Data for any of the foregoing purposes.
- rights in relation to automated decision-making and profiling: End User has the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual). Salt Edge does not process End User’s Personal Data for any of the foregoing purposes.
- the right to withdraw Consent: End User may withdraw Consent to Salt Edge’s processing of Personal Data at any time. However, withdrawing Consent may result in End User’s inability to continue using the Services.
9. DATA RETENTION
Salt Edge will delete End User’s Personal Data from its primary production servers when End User deletes (all) his/her Priora Account(s) or withdraws Consent to further processing of his/her Personal Data by Salt Edge. As a result, End User’s Personal Data will be excised permanently from Salt Edge’s production servers and further access to End User’s Priora Account(s) and use of the Services will be impossible. Notwithstanding the foregoing, Salt Edge shall retain End User’s Personal Data or portions thereof:
- in backup files on its backup servers for a period of up to one (1) year in order to ensure compliance with internal business continuity and disaster recovery procedures; and
- in log files in order to: (i) comply with the requirements of the Applicable Laws; (ii) exercise or defend (ongoing) legal claims; and (iii) assist End User’s respective ASPSP in meeting audit or statutory requirements. The retention period for such Personal Data shall be a minimum of five (5) years from the date of deletion, or such longer period as required by the Applicable Laws, unless subject to statutory or regulatory change.
Backup files are stored using strong TLS encryption and Salt Edge’s authorized personnel do not access such files in the ordinary course of business operations. Salt Edge will not use any Personal Data retained in backup files in everyday business activities.
10. DATA SECURITY
- Although Salt Edge will take reasonable steps to ensure that End User’s Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information can be intercepted. Therefore, Salt Edge can’t guarantee the security of Personal Data that End User chooses voluntarily to send to Salt Edge electronically. Salt Edge expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by End User or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
- Notice of Security Breach. Nobody is 100% safe from hackers. If a security breach causes an unauthorized intrusion into Salt Edge’s systems, software or networks that leads to a Personal Data Breach resulting in a high risk to the rights and freedoms of End User, then Salt Edge will notify Controller of the Personal Data Breach without undue delay after having become aware of it, by describing the nature of the Personal Data Breach, the data that has been, or Salt Edge reasonably believes to have been, compromised and the immediate actions taken by Salt Edge with respect thereto. Salt Edge will later report to Controller the measures taken to mitigate potential adverse effects and prevent continuing or similar security breaches in the future.
- Personal Data Safeguards. Salt Edge is committed to maintaining the confidentiality, integrity and security of the Personal Data of End Users. Salt Edge employs advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. Salt Edge strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. Salt Edge carefully selects the individuals privileged with access to Personal Data in accordance with internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect Salt Edge’s systems from unauthorized access, Salt Edge uses a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to Salt Edge’s systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24 hours a day, 7 days a week. Salt Edge databases are both physically and logically protected from general employee access. Salt Edge enforces physical controls on its premises. Salt Edge is routinely verified for its use of TLS encryption technologies and audited for its privacy practices. Salt Edge tests its systems, the Priora Platform and Services infrastructure for any failure points that might allow hacking.
- Data Pseudonymization. In addition to the technical and organizational security measures employed by Salt Edge to ensure security, confidentiality and integrity of Personal Data, Salt Edge also uses data Pseudonymization technique when processing and storing Personal Data in its systems by replacing the data fields which are the most identifying in a data record with pseudonyms. Personal Data which has undergone Pseudonymization can no longer be attributed to a specific End User without the use of additional information, and such additional information is kept by Salt Edge separately and is subject to technical and organizational security measures to ensure that such pseudonymized Personal Data is not attributed to an identified or identifiable natural person.
12. DATA PROTECTION OFFICER
Salt Edge’s data protection officer can be reached at any time by email at email@example.com in case of any questions with respect to Salt Edge’s collection, use, disclosure or processing of Personal Data.
Salt Edge Inc.
150 Elgin Street, Floor 10
K2P 1L4, Canada