1.1. At Oval Money, we are committed to respecting and protecting your privacy. This document explains what information we collect, how we use it, your rights if you want to change how we use your personal information and what we do with that information. The terms set out should be read together with our Terms and Conditions.
2. Data Controller
2.2. We are also registered with the Information Commissioner, where you can also find our Data Protection Officer (DPO) details, under registration number: ZA219393.
2.3. You may contact us and ask your questions to our DPO writing at: firstname.lastname@example.org.
3. Data Processors
3.1. The following are the companies that help Oval to provide the service you use, and need to process details about you for this reason.
- Amazon Web Services (AWS). AWS provides the processing service of the Data collected through the use of the App. The processing of Data is carried out in respect of AWS Security Standards at all times.
- Google Cloud, cloud computing power and storage providers.
- Google Analytics is an analytics service provided by Google, Inc.
- Airtable. Airtable is an appointed Data Processor by Oval. Airtable provides the processing service of the Data collected through TypeForm.
- Know Your Customer (KYC) service providers that help us with identity verification or fraud checks like Onfido.
- Task automation companies like Zapier.
- Software companies that we use, to send and receive text messages like Twilio and
Whatsapp and for processing and storing email communications with you like
- Card producers (Oval Pay)
3.2 The service also requires the processing in read only mode of your bank account details and financial data such as your transaction history and balance. To ensure the maximum level of protection of your personal data, Oval collaborates with the following service providers that store and process your data:
- Salt Edge Inc. is an account aggregation service that allows the user to store its credit card and bank accounts’ credentials. Salt Edge will allow you to connect with your bank account(s) using your online login credentials and will store them through a bank-level security system.
- Mangopay is the Application Programming Interface (‘API’) provided by Mangopay SA to issue and manage the distribution of e-money (as defined by Directive 2009/110/EC ‘E-Money Directive’) directly to the User.
- Banca 5 is an Italian bank registered at the Italian Bank registry with number 5692. Banca 5 is a service provider that reads user transactions through PSD2. Oval will share with the Banca5 the relevant information on your account, including, as the case may be, the transaction history and the availability of funds, the initiation of the payment transaction on your behalf and the execution of such payment transaction. The data received by Banca5 will include your personal data (for example, your ID, your account balance and currency and your payment transaction history details. Oval will transfer the personal data described in this section to follow up any of your request and to comply with the legal obligations established for all payment services providers.
3.3 We do not share your personal data with any third-party advertisers or ad networks except for hashed IDs or device identifiers. However, if you view or click on an ad on or off our Services, the ad provider will get a signal that someone visited the page that displayed the ad, and they may, through the use of mechanisms such as cookies, determine it is you. Advertising partners can associate personal data collected by the advertiser directly from you with hashed IDs or device identifiers received from us.
An example of how we may use social media for marketing purposes is through Facebook’s ‘Custom Audience’ tool, the terms of which are available here.
You can contact us at any time, either through the Oval app or by emailing email@example.com if you do not want us to share your anonymised behavioural data for advertising purposes. Remember you can also opt-out from the newsletters you receive from us or directly through any social media provider that you have an account with.
3.4 In the event of a reorganisation of Oval, or merger, acquisition, sale, joint venture, assignment or other disposition of all or any portion of Oval business, assets and stock, with your consent data will be transferred to a third party which may be processing your data.
4.1. Additionally, the data may be accessible to certain types of persons in charge, involved with Oval’s operation (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies). The updated list of these parties may be requested from the Data Controller at any time.
5. Personal Data we collect about you
5.1. When you register for an Oval account, you give us data including your name, phone number, home address, date of birth, tax residency, and ID. A video of yourself (for Oval App) and a photo of your ID, the login credentials and settings you choose for your app and your card. A profile picture if you add one. Details about your financial circumstances. Your tax codes and citizenships. Any information that can be considered personal data you give us via chat so we can help you. Answers you give to surveys so we can improve our services.
5.2. When you use the app and our services we collect details about payments to and from your Oval account, information about your visit, including the links you have clicked on, through our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling and clicks), and methods used to browse away from the page; technical information, including the internet protocol (IP) address used to connect your computer to the internet, your log-in information, the browser type and version, the time-zone setting, the operating system and platform, the type of device you use, a unique device identifier (for example, your device identifier, number, or the mobile phone number used by the device), mobile network information, your IP address and device ID for security reasons (we’ll link your mobile phone number with your device), your mobile operating system, the type of mobile browser you use and so on; information stored on your device, including if you give us access to contact information from your address book, log-in information, photos, videos or other digital content, check-ins. Oval will regularly collect this information in order to stay up to date and information on transactions (for example, payments into and out of your account), including the date, time, amount, currencies, exchange rate, beneficiary details, details of the merchant or ATMs associated with the transaction, IP address of sender and receiver, sender's and receiver's name and registration information, messages sent or received with the payment, details of device used to arrange the payment and the payment method used.
5.3. If you get in touch we collect your email address and your public details from social media profiles (Facebook, Instagram) so we can answer your questions.
5.4. When you register, we search your record and we may collect information about you from public sources for AML reasons or market research. We collect information from third parties, such as credit reference agencies, fraud-prevention agencies and partners who help us to provide our services. This includes your credit record, information to help us check your identity, and information relating to your transactions.
5.5. In cases where, in order to provide our service, personal data is to be collected from third parties who can be considered as autonomous data controllers, such as, for instance, likes on Facebook, Instagram or Twitter put by the Users, we guarantee to process this data exclusively for the fulfilment of contractual obligations related to our service.
5.6 Depending on your use of the service, we may also collect fitness data through Apple Health Kit or Google Fit. This data will be limited to activity data and will be used only to provide additional savings options. Apple Health Kit data and Google Fit data will not be used for any marketing purposes.
6. Fraud prevention, transaction monitoring, and account monitoring
6.2. If you have been affected by the automated decision making, you may request human intervention or challenge the decision of the algorithm which results in the automated decision making by sending an email to firstname.lastname@example.org with the words ‘automated decision making’ in the subject.
6.3. In addition to this we will use your personal information to help prevent fraud in a more general manner, by: trying to stop you from becoming a victim of fraud; confirming you are eligible to use our services; and complying with financial crime laws. The data we will use for these purposes comes from the information you have provided us, the information from your device, and/or the information from third parties. Our legal basis for this activity is in complying with our legal obligations, complying with agreements between you and us, and/or legitimate interests (to develop and improve how we deal with financial crime and meet our legal responsibilities).
7. Data collection purpose
7.1. Collecting and processing your data is necessary for the performance of the contract between you and Oval so we can provide you our service.
- Registration. Through User registration or authentication, you give Oval your consent to be identified and to access the App’s services.
- Analytics. The services described in this section allow the Data Controller to control and analyse traffic data. The services also allow the tracking of the User’s behavior.
- Email and Contact Management. These services allow the managing of email contacts and other contacts used to communicate with the User. The services may also allow the collection of Data concerning the date and time of display of the message by the User.
7.2. We use your data to comply with regulations, and our regulated partners might need this to comply with regulations also and can in specific instances ask us to provide them with such data as:
- confirming your identity when you sign up or get in touch.
- checking your records.
- preventing illegal activities like money laundering, tax evasion and fraud.
- adhering to banking laws and regulations (these mean we sometimes need to share customer details with regulators, tax authorities, law enforcement or other third parties).
- for legal purposes, in Court or in the stages leading to possible legal action arising from improper use of Oval.
- requesting to reveal personal data upon request of public authorities.
7.3. We also use your data for legitimate interest like marketing purposes. Such legitimate interest is the relevant and proportionate relationship between the data subject and the Controller. Even though e-mail marketing is generally allowed without consent, at least for existing customers, you are free to untag yourself as recipient of Oval newsletters through Intercom, or you can contact our support at email@example.com.
8. Mode and Place of Processing the Data
8.1. Security Measures - Oval processes Users’ Personal Data in a proper manner and shall adopt appropriate security measures to prevent unauthorised access, disclosure, modification, or unauthorised destruction of the Data. Even where all precautions are adopted we cannot guarantee complete security in all events. The Data processing is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated.
8.2. Place of processing - The Data is processed at the Data Controller's operating offices and where the Data Processor’s operating offices or other parties involved with the processing are located. If we or our service providers transfer personal data outside of the EU, we always require that appropriate safeguards are in place to protect the information when it is processed.
9. Rights of Users
You have the right, at any time, to:
9.1. Know whether your Personal Data has been stored and may consult the Data Controller to learn about their contents and origin (right of access);
9.2. Verify your Personal Data accuracy or ask for them to be supplemented, updated or corrected (right to rectification);
9.3. Request the erasure of your Personal Data or their transformation into anonymous format (right to erasure);
9.4. Request the restriction of processing of your Personal Data for any and all legitimate reasons (right to restriction of processing);
9.5. Receive your Personal Data in a structured, commonly used and machine-readable format and to transmit those data to another controller (right to data portability);
9.6. Withdraw the consent to the processing of your Personal Data at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal;
9.7. Object to the direct marketing activities carried out by Oval Money, including any segmentation for marketing purposes.
Requests should be sent to the Data Controller at: firstname.lastname@example.org
11. How to make a complaint
If you have a complaint about how we use your personal information, please contact us through the app or send an email to email@example.com and we’ll do our best to fix the problem. If you’re still not happy, you can refer your complaint with a data protection supervisory authority in the EU country you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.uk.