PRIVACY POLICY
In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter
referred to as „GDPR”) The Controller has appointed a Data Protection Officer, whom you can contact by
sending an email to: [email protected]
I. Definitions
- Controller –
- Finunion limited liability company with its registered office in Warsaw at ul. Wilcza 51/41,
Warsaw 00-679, entered in the Register of Entrepreneurs kept by the District Court for the Capital
City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number:
0000990847, NIP (Tax Identification Number): 5273018094, REGON (National Business Registry Number):
523048565; - Mobile Application –
- software designed for installation on mobile devices (smartphones, tablets) running on iOS and
Android operating systems, enabling users to access financial services offered by Finunion. The
application provides functionalities related to account management, transactions, monitoring of
financial operations, and communication with customer service; - Personal Data –
- personal data of Customers and Users within the meaning of the GDPR provided in connection with the
use of the Service; - Exchange Office –
- a stationary point enabling the exchange of fiat currencies (e.g., PLN, EUR, USD) for
cryptocurrencies and vice versa. Transactions may be carried out in cash or by electronic payment,
in accordance with applicable law; - Customer –
- natural or legal persons who have accepted the Terms and Conditions of the Service and have
concluded a contract with the Administrator for the provision of the Service; - Processing –
- means any operation or set of operations performed on personal data or sets of personal data in an
automated or non-automated manner, such as collection, recording, organization, structuring,
storage, adapting or modifying, downloading, viewing, using, disclosing by transmission,
dissemination or otherwise making available, aligning or combining, restricting, erasing or
destroying; - Crypto Assets Regulation –
- Regulation (EU) 2023/1113 of the European Parliament and of the Council of May 31, 2023, on
information accompanying transfers of funds and certain crypto assets and amending Directive (EU)
2015/849; - Website –
- the website available at https://app.finunion.pl/ and its subdomains;
- Services –
- a service provided by Finunion, consisting in the exchange of digital currencies (cryptocurrencies)
into other cryptocurrencies or fiat currencies (e.g. PLN, EUR, USD) and vice versa, in accordance
with the applicable exchange rates using Exchange Offices and the Mobile Application; - AML Act –
- Act of March 1, 2018, on counteracting money laundering and terrorist financing;
- User –
- a natural or legal person using the Administrator’s services. The provisions of this Policy relating
to the Customer shall, in principle, apply mutatis mutandis to the User;
The Administrator can be contacted via:
- mailing address: ul. Wschowska 8, 01-239 Warsaw
- e-mail address: [email protected]
II. What are the purposes and basis for processing your personal data?
| PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA RETENTION PERIOD | SCOPE OF DATA PROCESSING |
|---|---|---|---|
| Provision of the Service by the Controller | – Article 6(1)(b) of the GDPR; – Article 6(1)(c) of the GDPR; | Until the end of cooperation, i.e. for the period required by law (e.g. tax, accounting, AML Act) or until the expiry of claims. |
– Identification data (first and last name, PESEL number); – Contact details (email address, telephone number); – Address details (home address, residence address), Financial data (income information, bank transaction data, bank account statements, tax returns, declarations of residence); – Service-related data (cryptocurrency wallet data); – Biometric and Technical data (biometric data, selfie identity verification (liveness check)); – Image, IP address, data on devices used for verification). |
| Verification in accordance with the requirements of the AML Act / sanction lists: – Customers; – Contractors; – Customer representatives and agents |
Article 6(1)(c) of the GDPR in conjunction with Article 37(1) of the AML Act |
For the period required by law, i.e. 5 years in accordance with Article 49(1) of the AML Act |
– Identification data (concerning natural persons, representatives of legal persons and beneficial owners): name and surname, citizenship, PESEL number or date of birth and country of birth – if no PESEL number is available, series and number of identity document; – Address details (if the obligated institution has this information): address of residence, registered office or place of business – in the case of legal persons and organizational units; – Business entity data (concerning natural persons conducting business activity and legal persons): name (company name), organizational form, tax identification number (NIP), and if unavailable – country of registration, name of the relevant register, registration number and date. |
| – Establishment and defense of own claims – Internal accounting |
– Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act; – Article 6(1)(f) of the GDPR; |
For the period required by law, i.e. – 6 years for most property claims; – 3 years for relations between entrepreneurs; – for 5 years from the end of the calendar year in which the tax obligation arose. |
– Identification data (concerning natural persons) first name and surname, PESEL number; – Address details (residential address, registered office or business address); – Business entity data (for natural persons conducting business activity and legal persons): name, NIP (tax identification number), REGON (statistical number), KRS (National Court Register number). |
| Use of the Website | Article 6(1)(f) of the GDPR | For the duration of the storage of cookies on the website visitor’s device or until objection to processing is expressed. |
– Information about visited pages (visited pages and subpages, time spent on each of them); – Technical data (IP address, device ID, browser and operating system data); – Location and search data (location, search history). |
| – Contractor data – Contractor Representatives’ Data Aimed at establishing cooperation and during Cooperation |
– Article 6(1)(f) of the GDPR; – Article 6(1)(b) of the GDPR | For the duration of the Cooperation and after its termination until objection to processing is expressed. |
– Identification data (concerning natural persons, representatives of legal persons) first name and surname, position held; – Address details (registered office or business address); – Business entity data (regarding natural persons conducting business activity and legal persons): name, tax identification number (NIP), statistical identification number (REGON), National Court Register number (KRS); – Contact details – email address, telephone number. |
| Conducting marketing activities, including positioning, marketing, and online advertising |
Article 6(1)(f) of the GDPR | Until objection is raised | – Identification data – first and last name; – Business entity data (regarding natural persons conducting business activity and legal persons) – name, tax identification number, REGON number, KRS number; – Contact details – email address, telephone number. |
| Sending newsletters and text messages | Article 6(1)(a) of the GDPR | Until consent is withdrawn. | – Identification data – first and last name; – Business entity data (concerning natural persons conducting business activity and legal persons) – name, tax identification number, REGON number, KRS number; – Contact details – email address, telephone number. |
| Transaction monitoring | – Article 6(1)(c) of the GDPR; – Article 6(1)(f) of the GDPR | Until the end of cooperation, i.e. for the period required by law or until the expiry of the limitation period for claims. |
– Identification data of the parties to the transaction (name and surname or name, address, account number or identifier, ID card number – if required); – Transaction data (transaction value, currencies or crypto assets being transferred). |
| Application of the Travel Rule | Article 6(1)(c) of the GDPR | Until the end of the cooperation, i.e. for the period required by law or until the expiry of the limitation period for claims. |
– Identification data of the parties to the transaction (name and surname or name, address, account number or identifier, ID card number – if required); – Transaction data (value of the transaction, currencies or crypto assets being transferred). |
| Recruitment | – Article 6(1)(b) and (c) of the GDPR; – in the case of consent to future recruitment – Article 6(1)(a) of the GDPR |
Until the end of the recruitment process, and in the case of consent to future recruitment – until its withdrawal or in accordance with the retention period resulting from legal provisions. |
– Candidate identification data (name and surname, contact details, address, professional experience, education); – Other data contained in the application documents (CV, cover letter, references, recruitment test results – if required); – Information about the recruitment process (e.g., interview results, competency assessments); – If consent is given for future recruitment, personal data will be stored until consent is withdrawn, but no longer than for the period specified in the recruitment policy. |
Taking into account the nature, scope, context and purposes of the processing and the risk of varying
likelihood and severity of the risk to the rights and freedoms of natural persons, the Controller
implements appropriate technical and organizational measures to ensure that the processing is performed
in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and
updated as necessary. The Administrator uses technical measures to prevent unauthorized persons from
obtaining and modifying personal data transmitted electronically.
III. Who does your data get shared with?
The administrator processes personal data solely for the purpose of fulfilling its obligations towards
users. The data is not disclosed to third parties unless the user consents to this or it is required by
law (e.g. at the request of law enforcement authorities). Personal data is not used for profiling or
automated decision-making.
- Accounting, auditing, and consulting service providers – based on personal data processing
agreements. - Banks and payment institutions – to the extent necessary to execute financial transactions.
- IT and hosting service providers – to ensure the proper functioning of IT systems and data security.
- Public and supervisory authorities – when required by law, including tax, regulatory and law
enforcement authorities. - Accounting and tax service providers – for the purpose of financial settlements.
- Law firms – for the purpose of pursuing claims and providing legal services.
- Courier and postal companies – for the purpose of sending documents.
- Cryptocurrency exchange operators and payment service providers – to the extent necessary to process
transactions. - Other entities within the capital group to which the Administrator belongs, and their authorized
personnel. - Our authorized personnel and the authorized personnel of our subcontractors.
The Administrator may transfer personal data outside the European Economic Area, in particular when
using IT tool providers based outside the European Union.
The Administrator conducts ongoing risk analysis to ensure that personal data is processed by it in a
secure manner, ensuring in particular that access to the data is limited to authorized persons and only
to the extent necessary for the performance of their tasks. The controller ensures that all operations
on personal data are recorded and carried out only by authorized employees and associates.
IV. Is your data transferred outside the EEA?
Personal data may be transferred outside the European Economic Area (EEA), in particular to IT and
analytics service providers such as Google LLC and Meta Platforms, Inc. In such cases, the transfer of
data is carried out in accordance with the GDPR, on the basis of:
- EU Standard Contract Clauses
- European Commission decisions confirming an adequate level of protection
- EU-US Data Privacy Framework – in the case of data transfers to the US
V. Social media
Meta Platforms (Facebook, Instagram) We use Meta Platforms plugins on our Website. Clicking on
the link will take you to our Facebook or Instagram profile. In this case, your data, such as
information about the web browser or app you are using, online identifiers (e.g., IP addresses, mobile
advertising identifiers of the operating system), and data about your interaction with ads, will be
transmitted to Facebook or Instagram.
With regard to this data, Meta Platforms Ireland Limited and the Administrator act as joint
controllers in accordance with Article 26 of the GDPR.
For detailed information on Facebook’s data processing and your rights, please refer to Facebook’s
privacy policy: https://www.facebook.com/about/privacy. For more information on joint
data control, please visit: https://www.facebook.com/legal/controller_addendum.
TikTok Our Website may contain links to our profile on the TikTok platform. When you click on the
link, TikTok Technology Limited may process your data, such as your IP address, device data, web
browser, and interactions with content and advertisements. TikTok processes data based on its own
privacy policy, which can be found at: https://www.tiktok.com/legal/privacy-policy.
Telegram Our Website may contain links to our Telegram profile. Clicking on the link establishes
a connection to the servers of Telegram Messenger Inc., which may process data such as your IP address,
browser type, and information about your interactions with our website. Detailed information on data
processing by Telegram is available in its privacy policy: https://telegram.org/privacy.
VI. What are your rights in relation to the processing of personal data by the
controller?
- Right of access to data (Article 15 of the GDPR) – the possibility to obtain information
about the data being processed and to receive a copy thereof. - Right to rectification (Article 16 of the GDPR) – the possibility to correct inaccurate or
incomplete data. - Right to erasure („right to be forgotten,” Article 17 of the GDPR) – the possibility to
request the erasure of data if it is no longer necessary for the purposes of processing, consent has
been withdrawn, or the data is being processed unlawfully. - Right to restriction of processing (Article 18 of the GDPR) – the possibility to request
temporary suspension of data processing in specific cases. - Right to data portability (Article 20 of the GDPR) – the possibility to receive your data in
a structured format and transfer it to another controller (applies to processing based on consent or
a contract). - Right to object to data processing (Article 21 of the GDPR) – the possibility to object to
data processing based on the legitimate interest of the controller or the use of data for marketing
purposes. - Right to withdraw consent (Article 7(3) of the GDPR) – in the case of data processing based
on consent, the possibility to withdraw it at any time. - Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR) – if you
believe that the processing of your data violates the law, you may lodge a complaint with the
President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, [email protected].
Exercising your rights: Requests to exercise the above rights can be sent to the following email
address: [email protected].
The controller will consider the request within one month, with the possibility of extending this period
to two months in special cases.
VII. Do we use cookies?
The Website uses cookies (small text files, so-called cookies) or technologies with similar
functionality to cookies, which are stored by your browser on your device (e.g. laptop, smartphone).
We use two types of cookies: session cookies and persistent cookies. Session cookies are
temporary files that are stored on your device until you log out or leave the Website. Persistent
cookies are stored on your end device for the time specified in the cookie parameters or until they are
deleted.
The following types of cookies may be used on the Website:
- Essential cookies – you cannot disable these cookies because they are necessary for the
Website to function. We use them to ensure the proper functioning of the website and its safe use –
without them, it would be impossible to use the Website. - Functional cookies – require your consent. They help analyze how the Website is used. Thanks
to them, it is possible, for example, to determine the number of people visiting the website, as
well as to detect and remove irregularities in its functioning. - Analytical cookies – require your consent. They help to ensure an efficient and user-friendly
Website, tailored to your preferences. They allow, among other things, to check how you use the
Website or the Mobile Application. - Marketing cookies – require your consent. These cookies are used to tailor marketing content
to your needs and interests, and may also be used to tailor the content and advertisements presented
by third parties.
Detailed information on the cookies used on the Website is available in the table below:
| Cookie | Domain | Description | Type |
|---|---|---|---|
| pll_language | finunion.pl | The pll_language cookie is used by Polylang to remember the language selected by the user when returning to the website, as well as to obtain information about the language when it is not available in any other way. |
functional |
| burst_uid | finunion.pl | None | other |
| _gcl_au | finunion.pl | Google Tag Manager sets this cookie to experiment with the effectiveness of ads on websites using their services. |
analytical |
| _ga_* | finunion.pl | Google Analytics sets this cookie to store and count page views. | analytical |
| _ga | finunion.pl | The _ga cookie, installed by Google Analytics, calculates visitor, session, and campaign data and tracks website usage for the website’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors. |
analytical |
| _ga_* | finunion.pl | Google Analytics sets this cookie to store and count page views. | analytical |
| _fbp | finunion.pl | Facebook sets this cookie to store and track interactions. | analytical |
| lastExternalReferrerTime | finunion.pl | None | other |
| lastExternalReferrer | finunion.pl | None | other |
| wpEmojiSettingsSupports | finunion.pl | WordPress sets this cookie when a user interacts with emojis on a WordPress website. It helps determine whether the user’s browser can correctly display emojis. |
essential |
| _ga_* | finunion.pl | Google Analytics sets this cookie to store and count page views. | analytical |
| _ga | finunion.pl | The _ga cookie, installed by Google Analytics, calculates visitor, session, and campaign data and tracks website usage for the website’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors. |
analytical |
Obtaining and storing information using cookies, except when necessary to ensure the proper functioning
of the Website and your use of its functionality, is only possible with your consent.
You can withdraw your consent to the use of cookies via your browser settings. Detailed information on
this can be found at the following links:
You can verify your current privacy settings in your browser at any time using the tool available at https://optout.aboutads.info/?c=2&lang=EN
Withdrawing your consent will not affect the lawfulness of any processing activities carried out based
on your consent before its withdrawal. Restricting the use of cookies may affect some of the features
available on the Website, prevent or significantly hinder the proper use of the Website.
