Privacy Policy

In General

  • This privacy policy (the “Privacy Policy”) governs the processing of personal data by Debitdirect ApS, with registered address at Åbogade 15, 8200 Aarhus N, Denmark ("Debitdirect", "we", "us" or "our").

  • This Privacy Policy applies to the processing of personal data you provide to us or that we collect through our websites, including www.debitdirect.io (the "Site") and through our other online services, websites, applications, and related services that link to this Privacy Policy (collectively with the Site, the “Services”). Please note that terms defined in the Debitdirect Terms of Service are applicable to this Privacy Policy when such defined terms are used. In this Privacy Policy, “personal data” means any information relating to an identified or identifiable individual.

  • This Privacy Policy describes the personal data we collect, the purposes for which we collect that personal data, the other parties with whom we may share it and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your personal data, and how you can contact us about our privacy practices.

Data Controller

  • Debitdirect is the data controller for any personal data processed in the context of the Services.

What personal data is collected and for what purposes?

Profile / account registration

  • Data

    • When creating a profile with the Services, you must as a minimum enter your e-mail address and password. One-time users do not have to create a profile. You may further complete your profile with financial information and identity information (such as name, date of birth, address, social security number, PEP role, company shares).

    • We store information, also regarding one-time users, on the authorizations you granted us, e.g. allowing us to collect Account Information from your Accounts, and to transfer this information to third-party services of your choice. When you make use of Payment Initiation, due to anti-money laundering legislation, we will electronically collect information about you from your Account provider. We may also collect information such as your identity, identity of the beneficial owners and/or senior management, including copies of documents if necessary.

  • Purpose

    • Your personal data is collected in order to register and identify you as a user and to provide our Services to you. We use your e-mail address to forward single-use passwords to you. We also collect your personal data to be able to contact you if it is necessary to confirm your information, answer your questions, and provide customer service to you, and with your consent we may also send newsletters, messages about new features and other material related to Debitdirect to your e-mail address and/or via push messages.

    • We also collect your personal data in order to comply with applicable legislation, comply with governmental requirements, comply with internal policies, and to enforce our Terms of Use. Finally, we collect your personal data in order to pursue available legal remedies and limit liability in case of any disputes.

  • Legal basis

    • Our legal basis for processing said personal data is that the processing of the data is required for us to provide our Services to you (GDPR art. 6 (1)(b)).

    • When we collect information about you, due to anti-money laundering legislation, the legal basis for this is the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism, section 11 (GDPR art. 6 (1)(c)).

Payment Initiation

Data

  • When you use the Services to initiate payments, we store information on your requests to initiate payments on your behalf.

  • The data used for initiating a payment on your behalf and which is your personal data is: identification information, e.g. name, contact information, information on your Account provider and account number, information about the payee of the payment you initiate, as well as data needed for communication with your Account provider.

Purpose

  • Your personal data is collected in order to identify you as a user and to provide our Payment Initiation Services to you.

  • We also collect your personal data in order to comply with applicable legislation, comply with governmental requirements, comply with internal policies, and to enforce our Terms of Use.

  • When you choose “remember me” after a payment has been initiated, we will remember your bank and in some cases your account number in a safe way such that it is faster for you to pay next time.

Legal basis

  • Our legal basis for processing said personal data is that the processing of the data is required for us to provide our Services to you (GDPR art. 6 (1)(b)).

  • When choosing “remember me”, we process such data based on your consent (GDPR art. 6 (1)(a)).

  • When we collect information about you, due to anti-money laundering legislation, the legal basis for this is the Danish act on anti-money laundering § 11 (GDPR art. 6 (1)(c)).

Anonymisation and statistics

Data

  • We may make an anonymous copy of your Account Information. Such an anonymous copy of your Account Information cannot be attributed to you and, after anonymisation, is no longer personal data.

Purpose

  • The purpose of making an anonymous copy of your Account Information is for us to be able to make statistics.

Legal basis

  • The legal basis for making an anonymous copy of your Account Information is our legitimate interest in doing so (GDPR art. 6(1)(f)).

Logging and fraud detection

Data

  • Debitdirect logs whenever the Services are used by you or anyone else. The log contains information on which profile is logged into, or which one-time user is used, the IP-address used, your overall geographical location, the time and date, which action has been performed and device information, i.e. information on operating system, browser information and settings.

  • Further, whenever a third-party service accesses the Services a similar log is created.

  • Debitdirect also monitors Payment Initiations for anomalies such as an unusually high frequency of failed initiations, an unusually high frequency of successful initiations, an unusually high amount of initiated payments, or payments initiated from an unusual geographical location.

Purpose

  • The purpose of logging access to the Service is for us to perform technical analysis and to improve and optimise our Services.

  • Further, logging and fraud detection is performed by us, to track and hinder any possible illegal activities and abuse of the Services, including detecting and investigating possible fraud.

Legal basis

  • The legal basis for our logging is our legitimate interest in making improvements and optimisation of our Service, as well as our legitimate interest in preventing and pursuing any illegal activities and possible abuse of our Services (GDPR art. 6(1)(f)).

  • When logging and collecting personal data to detect and investigate possible fraud and abuse, the legal basis is the Danish act on payments § 126 (GDPR art. 6(1)(c)).

Support and error correction

Based on your enquiry, we provide support in connection with your use of our Services. We always strive to correct errors in the Services.

Data

  • When providing support, we may have a need for accessing any information in your profile, information on which third-party services you have associated with your profile, which payment you may have initiated, which Accounts you have associated with which third-party services, and logs.

  • If we have a need for accessing your Account information or payments which you have initiated when providing support, we will ask for your explicit consent for this by e-mail to the e-mail address which is associated with your profile. Without such explicit consent, we may not be able to assist you.

  • When performing error correction, select employees of ours are authorised to access any information, in order to perform such assignment.

Purpose

  • The purpose of accessing your information is to provide support and resolve any challenges you may have encountered using the Services, or to correct errors in the Services.

Legal basis

  • The legal basis for accessing your information is our legal interest in supporting your need for assistance or conducting error correction (GDPR art. 6(1)(f)).

  • If we access your Account Information or information on initiated payments when providing you with support, the legal basis is consent (GDPR art. 6(1)(a)).

Recipients and data disclosure

  • The personal data which we process will be disclosed in the following circumstances: without your consent, with third-party services that you have associated with your profile on the Services; with third-party service providers that we employ to provide services on our behalf (e.g., for marketing, security, hosting, customer support); when we are legally required to disclose the data to comply with the law, an investigation, or other legal process, such as a court order or a subpoena, if disclosure is necessary for us to protect ourselves or to enforce legal claims or to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets.

  • When you add third-party services to our Services, we will transfer the agreed Account Information to such third-party service, in accordance with your choosing. For one-time users, we will only forward the agreed Account Information to such third-party service used.

  • When using payment initiation, we will transfer your payment initiation order to your Account provider. Such information is identification information on you, your account number, the amount and your log-in credentials or security credentials, information on the payee, and the account number of the payee. We may also transfer information about the payment initiated by you, including a reference number of the transaction and other information related to the initiated payment and amount to the payee.

Data retention

  • We generally store your personal data until your Debitdirect profile is deleted, unless otherwise stated below. Information on one-time users is generally stored for up to 24 hours.

  • Information on which authorizations and consents you have granted us is stored for as long as it is relied on, plus 3 years.

  • Account Information, i.e. information on transactions, is deleted no later than 2 years after the date of entry of the transaction in question. However, if your Debitdirect profile is deleted, all your Account Information is deleted. For one-time users we may store your Account Information for up to 24 hours.

  • Information regarding Payment Initiation, including payment requests, user IP, payment initiation consent, identity of the end user, account information of receiver account, account information of sender account, is stored for 15 months.

  • Information collected due to anti-money laundering legislation is stored for 5 years after the business relation terminated, according to the statutory requirements in the Danish act on anti-money laundering § 30.

  • Information in logs is stored for up to 1 year.

  • If required to comply with legal requirements or to protect our legal interests, we may store data for longer periods in specific situations.

  • In some cases, instead of deleting your personal data, Debitdirect may anonymize it, cf. also section 3.4. When such data has been anonymized, it will no longer be attributable to you, and hence no longer be personal data.

Data Security

  • The security of your personal data is important to us. We are committed to protecting the information we collect. We maintain reasonable administrative, technical and physical safeguards designed to protect the personal data you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

Children’s Privacy

  • Our Services are not directed to, or intended for, children under the age of 16.

Privacy Rights

  • In accordance with the General Data Protection Regulation, you have certain legal rights to your personal data. These rights are:

    • At any time, you have the right to know what personal data we process about you; the purpose of the processing; from where your personal data was obtained; and the identity of any recipients of your personal data.

    • At any time, you have the right to rectify incorrect personal data that we are processing about you. You can correct personal data, such as your name, e-mail address, etc. in your profile on the Site.

    • In certain cases, you have the right to request the restriction of the processing of your personal data.

    • In certain cases, you may require that the personal data we are processing about you are deleted.

    • At any time, you have the right to request access to your personal data and obtain a copy of it. You are also entitled to receive a copy of the personal data you have provided to us, in a commonly used and machine-readable format to transmit it to another company.

    • You may at any time object to us processing your personal data due to your particular circumstances.

    • At any time, you may object to our use of your personal data for direct marketing purposes, e.g. forwarding newsletters.

    • At any time, you can withdraw the consent you have provided to us without this affecting the lawfulness of the processing based on your consent before its withdrawal (e.g., by deleting your Debitdirect profile on the Debitdirect website or by contacting Debitdirect). This includes withdrawing any consent for the processing of Account Information on the Site. If you withdraw your consent(s), you may no longer be able to use the Services in whole or in part, or one or more of the third-party services you have associated with your profile may not work correctly or as expected. Please be aware that once a payment has been initiated, it cannot be revoked.

    • You can choose not to provide personal data to us by refraining from using our Services and from submitting personal data directly to us. When we collect personal data from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide personal data, you may not be able to benefit from the full range of our Services, and we may not be able to provide you with our Services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such Services.

  • If you wish to make use of one or more of the legal rights mentioned above in section 7.1, or wish for us to assist you with this, please contact our DPO, cf. section 12. Please note that your rights may be limited in certain circumstances under applicable law. Where applicable, you may lodge a complaint with your relevant supervisory authority or regulator.

Transfer of personal data outside the EU/EEA

  • We may transfer your personal data outside of the EU/EEA to countries which may not have the same data protection laws as the country in which you initially provided your data to us, but we will protect your personal data in accordance with this Privacy Policy, or as otherwise disclosed to you.

  • We comply with applicable legal requirements when transferring personal data to countries other than the country where you are located. If you are located in the EEA, we will transfer your personal data in accordance with adequacy decisions (see the list of countries for which the European Commission has issued an adequacy decision), standard contractual clauses, and other data transfer mechanisms.

  • Debitdirect uses certain data processors located outside the EU/EEA. Below are the entities and legal bases for the transfer of personal data.

  • Debitdirect may make transfers to countries outside the EU/EEA if necessary to fulfil your request for such transfer, e.g. transfer to a non-EU/non-EEA payee. In such situations, the legal basis for the transfer will be your consent and/or the necessity of the transfer for the performance of a contract (GDPR art. 49(1)(a) and (b)).

Confidentiality

  • Debitdirect handles your personal data confidentially. Appointed employees with Debitdirect have the authority to access data where it is necessary to solve operational or technical issues. If you ask for support, Debitdirect employees may, with your consent, access your Account Information and/or information on payments initiated by you. All our employees are subject to strict confidentiality requirements when processing personal data.

Changes to the policy

  • We reserve the right to change this privacy policy at any time to reflect changes in our privacy practices. You will be informed of such changes to the policy either in the Services or by e-mail, to the e-mail address registered in your profile.

  • If we make substantial changes to our Privacy Policy, we will notify you of such changes prior to them being effective. In certain circumstances, we may seek your consent.

Data Protection Officer

  • If you have any questions about this Privacy Policy or the processing of your personal data, you may contact our Data Protection Officer by contacting Debitdirect ApS, Att.: DPO, dpo@debitdirect.io.

Version

  • This Privacy Policy was last updated on August 17th 2022.
