Skip to content

Privacy Policy 

In this document, for readability purposes, we use the generic masculine form. All genders are equally meant. This usage is for simplification only and does not entail any discrimination.

In accordance with the General Data Protection Regulation (GDPR, General Data Protection Regulation - EU Regulation 2016/679, hereinafter referred to as "GDPR"), and in particular with the Article 13 of the GPDR, Prestatech GmbH ("Company", “Controller”, "we", "us", or "our") invites you to carefully read the following information, which will support you in expressing your consent regarding the processing of your personal data when you use Finioo® (“Finioo” or “Service”), found at the web site, www.finioo.com, or through this integration platform (the “Site” or “webapp”). Personal data refers to any information relating to an identified or identifiable natural person. By accepting the terms and conditions and using our webapp, you (also “user”) agree to the collection and use of your personal data in accordance with this Privacy Policy.

Finioo is a platform that allows to generate a report (the "Finioo Report") based on the financial and personal information (the "Application Information") of an applicant (“Applicant”). The purpose of the Finioo Report is to demonstrate the Applicant reliability and financial trustworthiness, simplifying the interactions with the parties involved in the process and allowing data subjects the complete control over their data. Together with the Applicant, the other parties involved may include landlords, property managers, real estate professionals, credit brokers, and similar individuals or entities.

 

Data Controller and DPO

The Data Controller is Prestatech GmbH, with registered office at Rosenthaler Straße 46/47, 10178 Berlin, Germany, represented by its managing director Christian Nothacker.

The Company has appointed Peter Hense (Spirit Legal Rechtsanwaltsgesellschaft mbH) as Data Protection Officer (DPO). The DPO can be contacted either via email at dpo@prestatech.com or via regular mail at Neumarkt, Messehof-Passage 16-18/Aufgang E, 04109 Leipzig, Germany.

Additionally, for Applicants that have been invited to use the Site by a landlord, a property manager, a real estate professional, a credit broker, or similars via a dedicated link, the Company acts as a Joint Controller in collaboration with such party (defined also Authorized Party). In such cases, a Joint Controller Agreement has been established to outline the respective roles and responsibilities of each Joint Controller regarding the processing of personal data. This agreement ensures compliance with data protection regulations and the safeguarding of your rights as data subject. Details of the Joint Controller Agreement can be made available upon request or can be accessed via the Terms & Conditions of Landlords and Brokers

 

Categories of data processed of an Applicant

This section and the following section are relevant only for Applicants. If you are not an Applicant, please proceed to the section “Categories of data processed for other users different from an Applicant” and "Mode and place of processing data for other users different from an Applicant".

 

We collect and process your Application Information from you and from third parties as specified below. Data collected and processed by the Company include the following:

Identifying and registration data collected during the use of the webapp

  • Name, surname, place and date of birth, address, tax code, national insurance number and (if applicable) VAT number.
  • Contact information (mobile phone number, mailing address, email address).
  • Identity documents (i.e. ID Card or Passport) and related data (e.g., document number, place, date, and issuing authority).

Information about your current and potential housing situation

  • Information about your current housing situation (e.g., address, incurred costs, potential deposits, receipt of social benefits, reasons for prospective changes to your residence).
  • Data related to individuals who are part of the prospective housing unit (i.e., name, relationship type and email), for whom you confirm having their consent to use their data in the webapp and that they are aware of and understand how their personal data will be processed by us. In the specific case of minors under 16 years old, the relevant consent must come from parents and/or legal guardians.
  • Information on how you plan to use the housing unit (e.g., partial or commercial use of the apartment, intention to share the apartment with others, owned pets).
  • Past and ongoing legal actions against the current Landlord.

Information about your financial and professional situation

  • Banking information (e.g. sort code/account number, IBAN, SWIFT, account name, nickname, type, balance, currency)
  • Transaction history (e.g., transactions made, including amounts paid, date and time of the transaction, transaction descriptions, etc.).
  • Professional information (e.g., profession, employer (if any), industry, job title, department, employment status, etc.).
  • Financial information about your professional activity (e.g., salary and/or income, seniority, length of service, costs incurred for your professional activity).
  • Other financial Information (e.g. data related to income, expenses, self-employment income, investments, dividends, capital gains, deductions, tax payments and tax credits, etc.)

Information about interactions with the webapp and related electronic devices used to access the Service

  • Interactions with the webapp: data on how you interact with our webapp, including the features you use, buttons clicked, pages visited, and other actions taken within the app.
  • Cookie information: the Company uses cookies and similar technologies to help us collect information on how you interact with the webapp. The Site may also include cookies and similar tracking technologies of third parties, which may collect data about you via the Site and across other websites and online services. For more details about how the Company uses these technologies, and your opt-out opportunities and other options, please see our Cookies Policy.
  • Electronic Device Details: data about the electronic devices used to access the Service (e.g., browser type/version, used operating system, language and version of the browser software, date and time of the access, hostname of the accessed terminal device, IP address, content of the request (particular website), access status/HTTP status code, websites called over your website, HTTP referrer's URL (the previously visited website), notification whether the request was successful, the amount of transferred data, time difference to GMT).

Sensitive Data

In the context of using the requested service under certain circumstances, the Company may incidentally process data classified as 'sensitive' because they may reveal information about your health status, membership in groups or associations, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation. This will only occur unintentional for the provision of our services. We will always ensure that stringent safeguards are in place to protect this data and that such information is not specifically used in the processing activities.

 

Biometric Data

The Company processes data concerning the physical, physiological, or behavioral characteristics of an individual that allows their unique identification, such as your face or signature. Such data may be acquired during the use of the webapp, for example, as part of the verification process of your identification document. We ensure that stringent safeguards are in place to protect this data, and it will only be used for the purpose of verifying your identity and preventing fraud.

 

User-Submitted Information

We may collect and process any information that you voluntarily submit through the relevant sections of our webapp or via other channels provided by the Company. This could include additional information about your housing situation, financial circumstances, or preferences that you voluntarily choose to share with us to enhance your use of our services.

 

Mode and place of processing data of an Applicant

This section and the preceding section are relevant only for Applicants. If you are not an Applicant, please proceed to the section “Categories of data processed for other users different from an Applicant” and "Mode and place of processing data for other users different from an Applicant".

Methods of processing

The Company takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. We take data security seriously and have implemented robust security measures to protect your personal data. These measures include encryption of data in transit and at rest, regular security audits, and ISO27001 compliant practices. We also have procedures in place to deal with any suspected data security breach and will notify you and any applicable authorities of a suspected breach where we are legally required to do so. Additional information on the security measures can be consulted in the relevant section of the Site provided or may be requested from the Company at any time.

The Company uses artificial intelligence and machine learning technologies to process your personal data. Our automated processes are designed to provide accurate and efficient analysis while maintaining the highest standards of data protection and privacy. By using our webapp, you acknowledge and agree to the processing of your personal data through automated systems. The processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.

Legal basis of processing

The Company may process Application Information on the following legal basis:

  • Processing for Contractual Obligations: we may process your Application Information when it is necessary for the performance of our Service and to fulfill our contractual obligations to you. This includes processing activities that are directly related to providing the Service you have requested.
  • Processing based on Legal Requirements: we may process your Application Information to comply with obligations provided by laws, regulations, and European Union legislation, as well as provisions issued by authorities duly authorized by law.
  • Processing for Legitimate Interests: we may process your Application Information based on our legitimate interests. Our legitimate interests may include a) developing, improving and implementing the Service and conducting service performance monitoring, b) conducting analytical and statistical research, c) developing other services and products. We will always ensure that your rights and interests are duly considered and protected.
  • Processing with Your Consent: for specific purposes and, in particular, for the “Commercial and marketing activities” as provided in the Terms & Conditions, we will seek your explicit consent to process your Application Information. In such cases, you have the right to withdraw your consent at any time using this Form.

In any case, the Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into the Contract.

Retention time

Application Information is processed and stored for as long as required by the purpose they have been collected for. Therefore:
  • Application Information collected for purposes related to the performance of contractual obligations between the Controller and the user is retained for 3 months.
  • If you agreed to processing Application Information for specific purposes and, in particular, for the “Commercial and marketing activities”, we will retain your personal data for 5 years or until you withdraw your consent or request deletion of your data (via the provided means of communication in the Contacts section of the Contract), if before.
  • Retention time for other legal basis of processing (i.e., Processing based on Legal Requirements or Processing for Legitimate Interests) fall within the two scopes identified above.

Once the retention period expires, personal data is deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period. Before the deletion of your personal data, we take measures to anonymize the data in a manner that ensures it can no longer be attributed to an individual in an irreversible way. This anonymization process involves removing any identifiable information that could link the data to you or any other individual. Once data is anonymized, it no longer falls within the scope of personal data under the GDPR.

Who we share your information with

We will not share your Application Information other than as outlined in this Privacy Policy without obtaining your consent beforehand.

We will share your Application Information with the parties you authorized us to share it with, as is necessary to carry out the purposes for which the information was supplied or collected.

Personal data will also be shared, on a need-to-know basis, with our staff, third-party service providers, data processors and their affiliates, sub-contractors or delegates who assist with the running of our webapp and provision of our services, e.g., IT services providers, cloud infrastructure providers, accountants, marketing partners (where the consent was given), and email hosting services. Our data processors are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.

In addition, the Controller may disclose personal data about you:

  • to our professional advisers including lawyers, auditors and insurers,
  • if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets,
  • if we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or for the prevention of crime,
  • if necessary, to protect the vital interests of a person, and
  • to enforce or apply our terms and conditions or to establish, exercise or defend the rights of any member of the group of companies, our staff, clients or others.

The updated list of these parties may be requested from the Company at any time.

 

Place

The data is processed at the Controller’s operating offices and in any other places where the parties involved in the processing are located. Depending on the user's location, data transfers may involve transferring the user's Data to a country other than their own. The updated list of these countries may be requested from the Company at any time.

Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries and about the security measures taken by the Controller to safeguard their Data.

If any such transfer takes place, users can find out more by checking the relevant sections of this document or enquire with the Controller using the information provided in the Contacts section of the Contract.

 

Categories of data processed for other users different from an Applicant

This section and the following section are relevant for users different than Applicants. If you are an Applicant, please proceed to the section “Categories of data processed of an Applicant” and "Mode and place of processing data of an Applicant", if not done already.

The Company collects and processes your including business and personal data from you and from third parties as specified below. Personal data collected and processed by the Company include the following:

Identifying and registration data collected during the use of the webapp

  • Name, surname, place and date of birth, address, tax code, national insurance number and (if applicable) VAT number.
  • Contact information (mobile phone number, mailing address, email address).
  • Identity documents (i.e. ID Card or Passport) and related data (e.g., document number, place, date, and issuing authority).
  • Contact information of users who are going to collaborate with you in Finioo such (but not limited to, employees, associates, consultants, and business partners) for whom you confirm having the rights to provide us within the webapp.

Information about the listings you are proposing to Applicants

  • Information about the apartment you are proposing to Applicants such as address, expected rent and related data.
  • Other Identifying Information such as a description of the property and how you are related to the listing (e.g., landlords, property manager, real estate professional, etc.).

Payment information

Payment information such as billing address, payment method information (bank account information, or the image of the selected payment card), merchant and location, purchase amount, purchase date, and, in some cases, some information about past purchases, phone number, and previous purchases.

Information about interactions with the webapp and related electronic devices used to access the Service

  • Interactions with the webapp: data on how you interact with our webapp, including the features you use, buttons clicked, pages visited, and other actions taken within the app.
  • Cookie information: the Company uses cookies and similar technologies to help us collect information on how you interact with the webapp. The Site may also include cookies and similar tracking technologies of third parties, which may collect data about you via the Site and across other websites and online services. For more details about how the Company uses these technologies, and your opt-out opportunities and other options, please see our Cookies Policy.
  • Electronic Device Details: data about the electronic devices used to access the Service (e.g., browser type/version, used operating system, language and version of the browser software, date and time of the access, hostname of the accessed terminal device, IP address, content of the request (particular website), access status/HTTP status code, websites called over your website, HTTP referrer's URL (the previously visited website), notification whether the request was successful, the amount of transferred data, time difference to GMT).

Biometric Data

The Company processes data concerning the physical, physiological, or behavioral characteristics of an individual that allows their unique identification, such as your face or signature. Such data may be acquired during the use of the webapp, for example, as part of the verification process of your identification document. We ensure that stringent safeguards are in place to protect this data, and it will only be used for the purpose of verifying your identity and preventing fraud.

 

Mode and place of processing data for other users different from an Applicant

This section and the preceding section are relevant for users different than Applicants. If you are an Applicant, please proceed to the section “Categories of data processed of an Applicant” and "Mode and place of processing data of an Applicant", if not done already.

Methods of processing

The Company takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. We take data security seriously and have implemented robust security measures to protect your personal data. These measures include encryption of data in transit and at rest, regular security audits, and ISO27001 compliant practices. We also have procedures in place to deal with any suspected data security breach and will notify you and any applicable authorities of a suspected breach where we are legally required to do so. Additional information on the security measures can be consulted in the relevant section of the Site, provided or may be requested from the Company at any time.

The Company uses artificial intelligence and machine learning technologies to process your personal data. Our automated processes are designed to provide accurate and efficient analysis while maintaining the highest standards of data protection and privacy. By using our webapp, you acknowledge and agree to the processing of your personal data through automated systems. The processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.

Legal basis of processing

The Company may process your data on the following legal basis:

  • Processing for Contractual Obligations: we may process your data when it is necessary for the performance of our Service and to fulfill our contractual obligations to you. This includes processing activities that are directly related to providing the Service you have requested.
  • Processing based on Legal Requirements: we may process your data to comply with obligations provided by laws, regulations, and European Union legislation, as well as provisions issued by authorities duly authorized by law.
  • Processing for Legitimate Interests: we may process your data based on our legitimate interests. Our legitimate interests may include a) developing, improving and implementing the Service and conducting service performance monitoring, b) conducting analytical and statistical research, c) developing other services and products. We will always ensure that your rights and interests are duly considered and protected.
  • Processing with Your Consent: for specific purposes and, in particular, for the “Commercial and marketing activities” as provided in the Terms & Conditions, we will seek your explicit consent to process your account information. In such cases, you have the right to withdraw your consent at any time via this Form.
In any case, the Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Retention time

Your data is processed and stored for as long as required by the purpose they have been collected for. We retain personal data for as long as the User maintains an active account with the platform. Additionally, we will retain specific data (e.g., invoicing data) for a longer time period, as per legal requirements applicable to our Company. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period. Before the deletion of your personal data, we take measures to anonymize the data in a manner that ensures it can no longer be attributed to an individual in an irreversible way. This anonymization process involves removing any identifiable information that could link the data to you or any other individual. Once data is anonymized, it no longer falls within the scope of personal data under the GDPR.

Who we share your information with

We will not share your business data other than as outlined in this Privacy Policy without obtaining your consent beforehand.

We will share your data with the Applicants and with the parties you authorized us to share it with as is necessary to carry out the purposes for which the information was supplied or collected.

Personal data will also be shared, on a need-to-know basis, with our staff, third-party service providers, data processors and their affiliates, sub-contractors or delegates who assist with the running of our webapp and provision of our services, e.g., IT services providers, cloud infrastructure providers, accountants, marketing partners (where the consent was given), and email hosting services. Our third-party service providers and data processors are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.

In addition, the Controller may disclose personal data about you:

  • to our professional advisers including lawyers, auditors and insurers,
  • if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets,
  • if we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or for the prevention of crime,
  • if necessary, to protect the vital interests of a person, and
  • to enforce or apply our terms and conditions or to establish, exercise or defend the rights of the Company, any member of the group of companies, our staff, clients or others.

The updated list of these parties may be requested from the Company at any time.

Place

The data is processed at the Controller’s operating offices and in any other places where the parties involved in the processing are located. Depending on the user's location, data transfers may involve transferring the user's Data to a country other than their own. The updated list of these countries may be requested from the Company at any time.

Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries and about the security measures taken by the Controller to safeguard their Data.

If any such transfer takes place, users can find out more by checking the relevant sections of this document or enquire with the Controller using the information provided in the Contact section of the Contract.

 

Collection of Data from Third Parties

With your consent, we may collect information from third parties. In particular, we may collect:

  • Banking information and transaction history,
  • Information about events (e.g., protests, seizures, etc.) and trends in relationships with financial intermediaries (e.g., defaults, overdrawn accounts, etc.),
  • Evaluations issued by third parties.

We encourage you to review the privacy policy of such providers, to understand how they handle and protect your personal data. These privacy policies may include details on the types of data collected, the purposes for collection, the lawful basis for processing, data retention practices, and your rights as a data subject.

 

Your rights

You may exercise certain rights regarding their Data processed by the Company. In particular, to the extent permitted by law, you have the right to do the following:

  • Withdraw your consent at any time: you have the right to withdraw consent to the processing your data.
  • Object to processing of your data: you have the right to object to the processing of your Data if the processing is carried out on a legal basis other than consent.
  • Access your data: you have the right to learn if your data is being processed by the Controller, obtain disclosure regarding certain aspects of the processing and obtain a copy of the data, in a structured, commonly used, and machine-readable format, undergoing processing.
  • Verify and seek rectification: you have the right to verify the accuracy of your data and ask for it to be updated or corrected.
  • Restrict the processing of your data: you have the right to restrict the processing of your data. In this case, the controller will not process your data for any purpose other than storing it.
  • Have your data deleted or otherwise removed: you have the right to obtain the erasure of your data.
  • Receive your data and have it transferred to another controller: you have the right to receive your data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
  • Lodge a complaint: you have the right to bring a claim before their competent data protection authority. Few examples of the relevant authorities are provided below.

Details about the right to object to processing

Where personal data is processed for a public interest, in the exercise of an official authority vested in the Controller or for the purposes of the legitimate interests pursued by the Controller, users may object to such processing by providing a ground related to their particular situation to justify the objection.

You must know that, however, should your personal data be processed for commercial and marketing purposes, you can object to that processing at any time, free of charge and without providing any justification.

How to exercise these rights

Any requests to exercise your rights can be directed to the Controller through the contact details provided in the Contract or via the dedicated form. These requests can be exercised free of charge and will be answered by the Controller as early as possible and always within one month, providing users with the information required by law. Any rectification or erasure of personal data or restriction of processing will be communicated by the Controller to each recipient, if any, to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort. At the users’ request, the Controller will inform them about those recipients.

 

Additional information about Data collection and processing

Legal action

The user's personal data may be used for legal purposes by the Controller in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services. The user declares to be aware that the Controller may be required to reveal personal data upon request of public authorities.

Additional information about user's personal data

In addition to the information contained in this privacy policy, this Website may provide the user with additional and contextual information concerning particular Services or the collection and processing of personal data upon request.

Information not contained in this policy

More details concerning the collection or processing of personal data may be requested from the Controller at any time. Please refer to the Contacts information provided in the Contract.

How “Do Not Track” requests are handled

This Site does not support “Do Not Track” requests. To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.

Changes to this privacy policy

We may update this privacy policy from time to time. If significant changes are made, we will notify you in advance through your email address and/or with a prominent notice on our website. You will have the opportunity to review and understand the changes before they take effect. By continuing to use our services after being notified, you accept the revised policy. If you do not agree with the changes, you can choose to stop using our services and request the deletion of your personal data.