Version 1.6 | May 10, 2022
You must be curious how we handle your personal data. In this Privacy Statement we explain how we handle your personal data and why we do so. We believe it's important that you check this and understand our statement. Any questions left? Reach out to us via [email protected]
Our principles are:
- We will keep your personal data safe and private at all times
- We will not sell your data
- We always give you the option to adjust your marketing preferences
This is the Privacy Statement of Flow Money Automation B.V. and we do our best to help you get a grip on your financial affairs. In this Privacy Statement we describe which personal data we process and why we need it. We want to be clear and transparent in this. We have set up our company in such a way that your privacy is always guaranteed first according to the principles of privacy by design and privacy by default. Flow has been assessed by an independent auditor and is ISO27001 certified. This is the standard in information security. In this way we can demonstrate that information security is an important element at Flow. Every year we are assessed on this by independent auditors who keep us sharp. You can find our certificate here.
Among other things, we will:
- Limit the use of your personal information to the minimum necessary to run Our Services
- Keep ourselves continuously informed and advised on the obligations under privacy legislation
- Raise awareness and train involved staff to ensure your privacy
- Collaborate with the national regulators (AFM, DNB, AP, FIOD)
- Have strict security standards and procedures to prevent unauthorized access to your data by anyone, including our staff
- Only work with partners who comply with our strict information security policy so that we can guarantee your privacy
2. About us
Flow is responsible for processing your personal data. We take this job very seriously. And of course you want to know who we are. Here are our details:
Flow Money Automation B.V.
Riperwei 54
8406 AK Tijnje
Chamber of Commerce: 72829796
E-mail: [email protected]
Flow has a so-called "PSD2 license". This is a license from the Dutch Central Bank with which we can offer our payment services. PSD2 stands for "Payment Services Directive 2" and is a guideline that ensures that European consumers can ask their bank to share data with companies such as Flow, in a safe and responsible manner. From July 13, 2020, Flow has a license to view your account information (Service 8) and to perform payment initiations (Service 7). You can find us in the DNB Register of Payment Institutions under number: R166735
4. Type of data we collect
We collect and process data about you. There are several reasons why we process this information. Below we explain what we use the information for, why, and how long we keep it:
- ID data: Personal details (name, date of birth, place of birth, gender), ID document, address, company details (Chamber of Commerce number, UBO information)
- Communication data: Social media profile, email address, mobile phone number
- Identification data: Your email address, mobile phone number
- Bank information: Details of your bank account, linked banks, your name as known to the bank, IBAN number(s), balances
- Transaction information: Per transaction (date and time, transaction amount, description(s), IBAN number(s), transaction attachments, counterparty(ies)) and general (Balances)
- Technical information: A unique identification number, IP address, time zone setting, operating system and platform, device information, session information, URLs you view on our Site, errors, duration of your visit, page interaction information (scroll behavior, mouse clicks)
- Anti Money Laundering (AML): Background checks, transaction analysis and payment initiations
|ID data||Identification; Provide our services; App usage analysis||Legal obligation||When connecting the App to your bank; When using the App|
|Communication data||Provide our services||Legitimate interest||By communicating with Flow; During registration|
|Identification details||Identification; Provide our services||Legitimate interest; Execution of the Agreement||During registration|
|Bank information||Provide our services||Permission||While connecting the App to your bank|
|Transaction information||Provide our services; Against money laundering and terrorist financing||Permission||While connecting the App with your bank|
|Technical Information||Our services; App usage analysis||Execution of the Agreement||While using the Site and App|
|Anti Money Laundering (AML)||Against money laundering and terrorist financing||Legal obligation||After verifying your ID; With every incoming transaction; At every payment initiation|
5. Storing information
The data we collect (ID data, communication data, identification data, bank information, transaction information, technical information, anti money laundering) is sent to and stored at a location in the European Economic Area (“EEA”): Amazon Web Services in Frankfurt, Germany. We only work with partners who meet the security requirements and comply with our Privacy Statement.
- We store the information we collect on secure servers. Data is sent encrypted using Transport Layer Security technology (“TLS”).
- We have taken appropriate (technical and organizational) measures to protect your information. We protect our equipment with passwords, security procedures such as two-step verification and encryption of the storage medium.
- Much of the storage of the data is legally required under the Wwft (Money Laundering and Terrorist Financing Prevention Act). This means that we have to check all transactions and report them to the regulator if they are suspicious.
Some of the data (communication data) is stored with our suppliers (including WhatsApp, Google, Facebook, Twitter) because we use their services. To the extent possible, we will require this to be stored within the European Economic Area (“EEA”).
As you can see, we will do our utmost to keep your personal information secure. We have internal procedures and policies regarding the security of our product to prevent unwanted access.
When do we remove your data?
|Type of information||How long do we keep it?||Why?|
|ID data||5 years||Legal obligation|
|Communication data||1 year||GDPR|
|Identification details||1 year||GDPR|
|Bank information||5 years||Legal obligation|
|Transaction information||5 years||Legal obligation|
|Technical Information||1 year||GDPR|
|Anti Money Laundering (AML)||5 years||Legal obligation|
Data Leaks Protocol
We have taken strict measures to protect your personal information. In addition, the Data Leaks Protocol of the AP is active at Flow. Based on this protocol it is determined whether there is a data breach and under what conditions this must be reported to the Dutch Data Protection Authority (AP). We communicate transparently and honestly about this with you.
6. Sharing your data
We exchange personal information with the following authorities in order to provide Flow services:
We are required by law to report unusual transactions to the authorities. We may restrict or exclude you from using Flow based on unusual transactions.
Banks and financial service providers
We can work with these parties to provide services. Our role is to protect your personal data and we will never exchange data without a legitimate reason. Your data will only be sent to these service providers when you have asked us to use their service.
For the accountant
In some cases we may also share data with your accountant. If your accountant uses SnelStart, your accountant can ask for your permission to share data from your Flow account with him or her through our cooperation partner SnelStart.
By linking your data in Flow to the SnelStart environment of your accountant, your accountant can optimize their provided service and your Flows. By getting access to your data in Flow, your accountant can also share their own flows with you so that you can make use of them.
We only share data with your accountant if you give us permission to do so. The permission you give your accountant via our app can always be easily withdrawn via the Flow app so that your accountant can no longer view the data in your Flow account.
By sharing your Flow data with your accountant, your accountant will have insight into your personal Flows, the name of your account(s), IBAN numbers, details of the contra account, amounts and transaction descriptions in his or her SnelStart environment.
For more information on the collaboration between Flow and SnelStart visit this page.
Advertising and analysis service providers
We use a third party to analyze the use of the Site (Google Analytics) and the App (Mixpanel). We do not exchange personal data, but draw up a profile of your use so that we can define different types of user groups. We anonymize your data to protect your privacy.
We believe it is important to explain how we use your data to communicate with you and to state that you have the right to unsubscribe. You can unsubscribe from our mailings at any time by clicking unsubscribe at the bottom of the email, or by contacting [email protected].
8. Your rights
You have rights regarding the personal data we collect. You can contact Flow at [email protected] to make your request.
The right to access
You have the right to request access to the personal data that we process. We will provide a copy of the personal data being processed.
The right to rectification
If your details are incorrect, you can request us to adjust the details. We will then correct this.
The right to erasure (right to be forgotten)
By using the services of Flow we process your data. You have the right to ask us to delete this data from our systems. We will comply with this request without unreasonable delay, and when it is reasonably within our control.
If you no longer use your account, you can contact [email protected] to request that your data be removed from our system.
The right to portability (data portability)
You can request us to transfer your personal data in a structured, commonly used and machine-readable format. That way you can transfer your data to a new service provider without any obstacles.
The right to object or to restrict processing
In some cases, you can object to the use of your data or have the right to restrict processing.
You have the right to ask us to stop using your personal data in two situations. This is called the right to object. Firstly, when we use your data for direct marketing. Secondly, you can object to the use of your personal data because of your specific situation.
The right to restrict processing applies, for example, when your data are incorrect, the processing is unlawful or when the processing of personal data is no longer necessary.
Processing of requests
We will try to fulfil legitimate requests within one month. In exceptional cases it may take longer than one month; we ask for your understanding.
If we need your permission
If we process your data on the basis of consent, you always have the right to withdraw your consent. You can do this simply by sending an e-mail to [email protected]. If we have no other basis for the data we process on the basis of consent, we will no longer use that data and will delete it.
If you have a complaint about, for example, the way we use your data or how we respond to your privacy-related questions, you can lodge a complaint with the Dutch Data Protection Authority.