Privacy policy

Zaktualizowano: 10 October 2025

PRIVACY POLICY

In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as „GDPR”) The Controller has appointed a Data Protection Officer, whom you can contact by sending an email to: [email protected]

I. Definitions

Controller –: Finunion limited liability company with its registered office in Warsaw at ul. Wilcza 51/41, Warsaw 00-679, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number: 0000990847, NIP (Tax Identification Number): 5273018094, REGON (National Business Registry Number): 523048565;
Mobile Application –: software designed for installation on mobile devices (smartphones, tablets) running on iOS and Android operating systems, enabling users to access financial services offered by Finunion. The application provides functionalities related to account management, transactions, monitoring of financial operations, and communication with customer service;
Personal Data –: personal data of Customers and Users within the meaning of the GDPR provided in connection with the use of the Service;
Exchange Office –: a stationary point enabling the exchange of fiat currencies (e.g., PLN, EUR, USD) for cryptocurrencies and vice versa. Transactions may be carried out in cash or by electronic payment, in accordance with applicable law;
Customer –: natural or legal persons who have accepted the Terms and Conditions of the Service and have concluded a contract with the Administrator for the provision of the Service;
Processing –: means any operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organization, structuring, storage, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying;
Crypto Assets Regulation –: Regulation (EU) 2023/1113 of the European Parliament and of the Council of May 31, 2023, on information accompanying transfers of funds and certain crypto assets and amending Directive (EU) 2015/849;
Website –: the website available at https://app.finunion.pl/ and its subdomains;
Services –: a service provided by Finunion, consisting in the exchange of digital currencies (cryptocurrencies) into other cryptocurrencies or fiat currencies (e.g. PLN, EUR, USD) and vice versa, in accordance with the applicable exchange rates using Exchange Offices and the Mobile Application;
AML Act –: Act of March 1, 2018, on counteracting money laundering and terrorist financing;
User –: a natural or legal person using the Administrator’s services. The provisions of this Policy relating to the Customer shall, in principle, apply mutatis mutandis to the User;

The Administrator can be contacted via:

mailing address: ul. Wschowska 8, 01-239 Warsaw
e-mail address: [email protected]

II. What are the purposes and basis for processing your personal data?

PURPOSE OF DATA PROCESSING	LEGAL BASIS	DATA RETENTION PERIOD	SCOPE OF DATA PROCESSING
Provision of the Service by the Controller	– Article 6(1)(b) of the GDPR; – Article 6(1)(c) of the GDPR;	Until the end of cooperation, i.e. for the period required by law (e.g. tax, accounting, AML Act) or until the expiry of claims.	– Identification data (first and last name, PESEL number); – Contact details (email address, telephone number); – Address details (home address, residence address), Financial data (income information, bank transaction data, bank account statements, tax returns, declarations of residence); – Service-related data (cryptocurrency wallet data); – Biometric and Technical data (biometric data, selfie identity verification (liveness check)); – Image, IP address, data on devices used for verification).
Verification in accordance with the requirements of the AML Act / sanction lists: – Customers; – Contractors; – Customer representatives and agents	Article 6(1)(c) of the GDPR in conjunction with Article 37(1) of the AML Act	For the period required by law, i.e. 5 years in accordance with Article 49(1) of the AML Act	– Identification data (concerning natural persons, representatives of legal persons and beneficial owners): name and surname, citizenship, PESEL number or date of birth and country of birth – if no PESEL number is available, series and number of identity document; – Address details (if the obligated institution has this information): address of residence, registered office or place of business – in the case of legal persons and organizational units; – Business entity data (concerning natural persons conducting business activity and legal persons): name (company name), organizational form, tax identification number (NIP), and if unavailable – country of registration, name of the relevant register, registration number and date.
– Establishment and defense of own claims – Internal accounting	– Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act; – Article 6(1)(f) of the GDPR;	For the period required by law, i.e. – 6 years for most property claims; – 3 years for relations between entrepreneurs; – for 5 years from the end of the calendar year in which the tax obligation arose.	– Identification data (concerning natural persons) first name and surname, PESEL number; – Address details (residential address, registered office or business address); – Business entity data (for natural persons conducting business activity and legal persons): name, NIP (tax identification number), REGON (statistical number), KRS (National Court Register number).
Use of the Website	Article 6(1)(f) of the GDPR	For the duration of the storage of cookies on the website visitor’s device or until objection to processing is expressed.	– Information about visited pages (visited pages and subpages, time spent on each of them); – Technical data (IP address, device ID, browser and operating system data); – Location and search data (location, search history).
– Contractor data – Contractor Representatives’ Data Aimed at establishing cooperation and during Cooperation	– Article 6(1)(f) of the GDPR; – Article 6(1)(b) of the GDPR	For the duration of the Cooperation and after its termination until objection to processing is expressed.	– Identification data (concerning natural persons, representatives of legal persons) first name and surname, position held; – Address details (registered office or business address); – Business entity data (regarding natural persons conducting business activity and legal persons): name, tax identification number (NIP), statistical identification number (REGON), National Court Register number (KRS); – Contact details – email address, telephone number.
Conducting marketing activities, including positioning, marketing, and online advertising	Article 6(1)(f) of the GDPR	Until objection is raised	– Identification data – first and last name; – Business entity data (regarding natural persons conducting business activity and legal persons) – name, tax identification number, REGON number, KRS number; – Contact details – email address, telephone number.
Sending newsletters and text messages	Article 6(1)(a) of the GDPR	Until consent is withdrawn.	– Identification data – first and last name; – Business entity data (concerning natural persons conducting business activity and legal persons) – name, tax identification number, REGON number, KRS number; – Contact details – email address, telephone number.
Transaction monitoring	– Article 6(1)(c) of the GDPR; – Article 6(1)(f) of the GDPR	Until the end of cooperation, i.e. for the period required by law or until the expiry of the limitation period for claims.	– Identification data of the parties to the transaction (name and surname or name, address, account number or identifier, ID card number – if required); – Transaction data (transaction value, currencies or crypto assets being transferred).
Application of the Travel Rule	Article 6(1)(c) of the GDPR	Until the end of the cooperation, i.e. for the period required by law or until the expiry of the limitation period for claims.	– Identification data of the parties to the transaction (name and surname or name, address, account number or identifier, ID card number – if required); – Transaction data (value of the transaction, currencies or crypto assets being transferred).
Recruitment	– Article 6(1)(b) and (c) of the GDPR; – in the case of consent to future recruitment – Article 6(1)(a) of the GDPR	Until the end of the recruitment process, and in the case of consent to future recruitment – until its withdrawal or in accordance with the retention period resulting from legal provisions.	– Candidate identification data (name and surname, contact details, address, professional experience, education); – Other data contained in the application documents (CV, cover letter, references, recruitment test results – if required); – Information about the recruitment process (e.g., interview results, competency assessments); – If consent is given for future recruitment, personal data will be stored until consent is withdrawn, but no longer than for the period specified in the recruitment policy.

Taking into account the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity of the risk to the rights and freedoms of natural persons, the Controller implements appropriate technical and organizational measures to ensure that the processing is performed in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.

III. Who does your data get shared with?

The administrator processes personal data solely for the purpose of fulfilling its obligations towards users. The data is not disclosed to third parties unless the user consents to this or it is required by law (e.g. at the request of law enforcement authorities). Personal data is not used for profiling or automated decision-making.

Accounting, auditing, and consulting service providers – based on personal data processing agreements.
Banks and payment institutions – to the extent necessary to execute financial transactions.
IT and hosting service providers – to ensure the proper functioning of IT systems and data security.
Public and supervisory authorities – when required by law, including tax, regulatory and law enforcement authorities.
Accounting and tax service providers – for the purpose of financial settlements.
Law firms – for the purpose of pursuing claims and providing legal services.
Courier and postal companies – for the purpose of sending documents.
Cryptocurrency exchange operators and payment service providers – to the extent necessary to process transactions.
Other entities within the capital group to which the Administrator belongs, and their authorized personnel.
Our authorized personnel and the authorized personnel of our subcontractors.

The Administrator may transfer personal data outside the European Economic Area, in particular when using IT tool providers based outside the European Union.

The Administrator conducts ongoing risk analysis to ensure that personal data is processed by it in a secure manner, ensuring in particular that access to the data is limited to authorized persons and only to the extent necessary for the performance of their tasks. The controller ensures that all operations on personal data are recorded and carried out only by authorized employees and associates.

IV. Is your data transferred outside the EEA?

Personal data may be transferred outside the European Economic Area (EEA), in particular to IT and analytics service providers such as Google LLC and Meta Platforms, Inc. In such cases, the transfer of data is carried out in accordance with the GDPR, on the basis of:

EU Standard Contract Clauses
European Commission decisions confirming an adequate level of protection
EU-US Data Privacy Framework – in the case of data transfers to the US

V. Social media

Meta Platforms (Facebook, Instagram) We use Meta Platforms plugins on our Website. Clicking on the link will take you to our Facebook or Instagram profile. In this case, your data, such as information about the web browser or app you are using, online identifiers (e.g., IP addresses, mobile advertising identifiers of the operating system), and data about your interaction with ads, will be transmitted to Facebook or Instagram.

With regard to this data, Meta Platforms Ireland Limited and the Administrator act as joint controllers in accordance with Article 26 of the GDPR.

For detailed information on Facebook’s data processing and your rights, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy. For more information on joint data control, please visit: https://www.facebook.com/legal/controller_addendum.

TikTok Our Website may contain links to our profile on the TikTok platform. When you click on the link, TikTok Technology Limited may process your data, such as your IP address, device data, web browser, and interactions with content and advertisements. TikTok processes data based on its own privacy policy, which can be found at: https://www.tiktok.com/legal/privacy-policy.

Telegram Our Website may contain links to our Telegram profile. Clicking on the link establishes a connection to the servers of Telegram Messenger Inc., which may process data such as your IP address, browser type, and information about your interactions with our website. Detailed information on data processing by Telegram is available in its privacy policy: https://telegram.org/privacy.

VI. What are your rights in relation to the processing of personal data by the controller?

Right of access to data (Article 15 of the GDPR) – the possibility to obtain information about the data being processed and to receive a copy thereof.
Right to rectification (Article 16 of the GDPR) – the possibility to correct inaccurate or incomplete data.
Right to erasure („right to be forgotten,” Article 17 of the GDPR) – the possibility to request the erasure of data if it is no longer necessary for the purposes of processing, consent has been withdrawn, or the data is being processed unlawfully.
Right to restriction of processing (Article 18 of the GDPR) – the possibility to request temporary suspension of data processing in specific cases.
Right to data portability (Article 20 of the GDPR) – the possibility to receive your data in a structured format and transfer it to another controller (applies to processing based on consent or a contract).
Right to object to data processing (Article 21 of the GDPR) – the possibility to object to data processing based on the legitimate interest of the controller or the use of data for marketing purposes.
Right to withdraw consent (Article 7(3) of the GDPR) – in the case of data processing based on consent, the possibility to withdraw it at any time.
Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR) – if you believe that the processing of your data violates the law, you may lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, [email protected].

Exercising your rights: Requests to exercise the above rights can be sent to the following email address: [email protected]. The controller will consider the request within one month, with the possibility of extending this period to two months in special cases.

VII. Do we use cookies?

The Website uses cookies (small text files, so-called cookies) or technologies with similar functionality to cookies, which are stored by your browser on your device (e.g. laptop, smartphone).

We use two types of cookies: session cookies and persistent cookies. Session cookies are temporary files that are stored on your device until you log out or leave the Website. Persistent cookies are stored on your end device for the time specified in the cookie parameters or until they are deleted.

The following types of cookies may be used on the Website:

Essential cookies – you cannot disable these cookies because they are necessary for the Website to function. We use them to ensure the proper functioning of the website and its safe use – without them, it would be impossible to use the Website.
Functional cookies – require your consent. They help analyze how the Website is used. Thanks to them, it is possible, for example, to determine the number of people visiting the website, as well as to detect and remove irregularities in its functioning.
Analytical cookies – require your consent. They help to ensure an efficient and user-friendly Website, tailored to your preferences. They allow, among other things, to check how you use the Website or the Mobile Application.
Marketing cookies – require your consent. These cookies are used to tailor marketing content to your needs and interests, and may also be used to tailor the content and advertisements presented by third parties.

Detailed information on the cookies used on the Website is available in the table below:

Cookie	Domain	Description	Type
pll_language	finunion.pl	The pll_language cookie is used by Polylang to remember the language selected by the user when returning to the website, as well as to obtain information about the language when it is not available in any other way.	functional
burst_uid	finunion.pl	None	other
_gcl_au	finunion.pl	Google Tag Manager sets this cookie to experiment with the effectiveness of ads on websites using their services.	analytical
_ga_*	finunion.pl	Google Analytics sets this cookie to store and count page views.	analytical
_ga	finunion.pl	The _ga cookie, installed by Google Analytics, calculates visitor, session, and campaign data and tracks website usage for the website’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors.	analytical
_ga_*	finunion.pl	Google Analytics sets this cookie to store and count page views.	analytical
_fbp	finunion.pl	Facebook sets this cookie to store and track interactions.	analytical
lastExternalReferrerTime	finunion.pl	None	other
lastExternalReferrer	finunion.pl	None	other
wpEmojiSettingsSupports	finunion.pl	WordPress sets this cookie when a user interacts with emojis on a WordPress website. It helps determine whether the user’s browser can correctly display emojis.	essential
_ga_*	finunion.pl	Google Analytics sets this cookie to store and count page views.	analytical
_ga	finunion.pl	The _ga cookie, installed by Google Analytics, calculates visitor, session, and campaign data and tracks website usage for the website’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors.	analytical

Obtaining and storing information using cookies, except when necessary to ensure the proper functioning of the Website and your use of its functionality, is only possible with your consent.

You can withdraw your consent to the use of cookies via your browser settings. Detailed information on this can be found at the following links:

You can verify your current privacy settings in your browser at any time using the tool available at https://optout.aboutads.info/?c=2&lang=EN

Withdrawing your consent will not affect the lawfulness of any processing activities carried out based on your consent before its withdrawal. Restricting the use of cookies may affect some of the features available on the Website, prevent or significantly hinder the proper use of the Website.