Privacy Notice
1. GENERAL INFORMATION
1.1. This Privacy Notice (the "Notice") describes how FINAST sp. z o.o. (the "Service Provider"), a company incorporated under the laws of the Republic of Poland, with registration number (KRS) 0001164432, tax identification number (NIP) 5214111567, and with its registered office at ul. Jana Heweliusza 11, lok. 811, 80-890 Gdańsk, Poland, handles the personal data of its customers and prospective customers (the "Customer"), how such information is collected and used, and what rights and choices the Customer has regarding their personal data.
1.2. The Service Provider operates as a Small Payment Institution (Mała Instytucja Płatnicza - MIP/SPI) with registration number MIP 282/2025 and is supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego - KNF). The register of payment service providers is available at: https://e-rup.knf.gov.pl/index.html.
1.3. The Services are provided exclusively to business customers (legal entities) within the territory of the Republic of Poland. The Service Provider does not provide Services to consumers (natural persons acting outside their business or professional activity).
1.4. The Service Provider is committed to protecting Customer privacy and processes personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the Polish Act on Payment Services (Ustawa o usługach płatniczych), and any other applicable laws.
1.5. All employees, agents, and authorized parties with access to personal data are bound by confidentiality obligations that remain in effect even after the termination of any contractual relationship.
2. LEGAL BASIS FOR PROCESSING PERSONAL DATA
2.1. The Service Provider collects and processes personal data strictly for lawful purposes and in accordance with GDPR principles and other relevant data protection requirements.
2.2. The legal grounds for processing may include:
Performance of a contract. The Service Provider requires certain data to fulfil the agreement and provide Services to the Customer, including opening and maintaining payment accounts and executing payment transactions.
Compliance with legal obligations. Processing is necessary to comply with legal obligations, including anti-money laundering (AML) and counter-terrorist financing (CTF) requirements under Polish law, as well as obligations under the Polish Payment Services Act and KNF regulations.
Legitimate interests. Processing is necessary for the legitimate interests pursued by the Service Provider or by a third party, such as fraud prevention, security monitoring, and initiating or defending legal claims.
Consent. When the Customer has provided explicit consent to process their personal data for specific purposes (e.g., marketing communications).
2.3. The Customer is not required to provide personal data; however, refusal to do so may result in the inability to open an Account or use the Services, as the Service Provider is obligated to comply with AML/KYC requirements.
3. PERSONAL DATA WE COLLECT AND SHARE
3.1. Categories of Personal Data
3.1.1. Information provided directly by the Customer (as a business entity):
Company identification. Company name, legal form, registration number (KRS), tax identification number (NIP), National Business Registry Number (REGON), registered address.
Representative / beneficial owner information. Name, surname, date of birth, nationality, country of residence, position in the company.
Identification documents. Passport number, ID card number, copy of identification document.
Contact information. Business email address, business phone number.
Financial information. Bank account details, transaction data.
3.1.2. Information collected via service usage and the website:
Technical data. IP address, geolocation (country-level), browser type, operating system, device information.
Transaction data. Payment methods, transaction amounts, transaction dates, recipient details, fraud detection data.
Usage data. Pages visited, interaction with the Website, visit duration, error logs, response times.
Communication records. Correspondence between the Customer and the Service Provider (email, chat, phone recordings).
3.1.3. Information obtained from other sources:
Public registers. National Court Register (KRS), CEIDG, tax registers.
AML/KYC service providers. Sanctions lists, politically exposed persons (PEP) databases, adverse media screening.
Financial institutions. Payment processing data, transaction verification.
3.2. Data Sharing
3.2.1. The Service Provider may share personal data with third parties only when permitted by law and when necessary to fulfil contractual or regulatory obligations. The Service Provider ensures that such parties offer an adequate and comparable level of data protection.
3.2.2. Personal data may be disclosed in the following circumstances:
to partners or suppliers involved in the provision, maintenance, or improvement of Services (e.g., banks, correspondent banks, payment processors, IT service providers);
to regulatory authorities (including KNF) and law enforcement agencies when required by law;
to third-party service providers performing AML/KYC screening, fraud detection, or identity verification;
in the context of corporate restructuring, such as mergers, asset transfers, financing, acquisitions, or business dissolution.
3.2.3. The Service Provider does not sell or rent Customer personal data to third parties for marketing purposes.
4. DATA TRANSFERS OUTSIDE THE EU/EEA
4.1. Customer data may be transferred to countries outside the EU/EEA when necessary for contract fulfilment, legal compliance, or when the Customer has given prior consent. Such countries may have different data protection standards.
4.2. In all cases, the Service Provider implements appropriate safeguards to ensure GDPR compliance, using either:
European Commission adequacy decisions (for countries with adequate data protection standards);
EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
4.3. A copy of the appropriate safeguards may be obtained by contacting the Service Provider.
5. DATA PROTECTION MEASURES
5.1. All personal data processed by the Service Provider is handled with strict confidentiality and protected through technical and organizational security measures, including:
encryption of data in transit and at rest;
access controls and authentication mechanisms;
regular security assessments and vulnerability testing;
employee training on data protection and confidentiality.
5.2. Systems and infrastructure are secured through robust network architectures and internal security controls, which are regularly reviewed and updated.
5.3. Customers who access services via login credentials are responsible for maintaining the confidentiality and security of their authentication data.
6. DATA ACCURACY AND DATA RETENTION
6.1. The Service Provider will take reasonable steps to ensure that Customer personal data is accurate, complete, and up to date, as required for the purposes for which it is processed.
6.2. The Customer is responsible for notifying the Service Provider of any changes to the provided information.
6.3. Personal data is retained for as long as the Customer maintains a business relationship with the Service Provider. After the relationship ends, data is stored only for the period required by applicable laws, including:
AML/CTF obligations (Polish AML Act). 5 years after termination of the business relationship.
Tax obligations (Polish Tax Ordinance). 5 years from the end of the calendar year in which the tax obligation arose. Up to 6 years for contractual claims.
6.4. After the applicable retention period, personal data will be securely deleted or anonymized.
7. CUSTOMER RIGHTS
7.1. Under applicable data protection laws, the Customer (acting as a business entity) has the following rights:
Right of access. To obtain confirmation of data processing and a copy of personal data.
Right to rectification. To correct inaccurate or incomplete information.
Right to erasure. To request deletion of personal data under specific circumstances (e.g., data no longer necessary for the purposes for which it was collected).
Right to restrict processing. To limit data processing as allowed by GDPR.
Right to data portability. To receive personal data in a structured, commonly used format or request transfer to another controller (where processing is based on consent or contract and carried out by automated means).
Right to withdraw consent. At any time, without affecting prior processing.
Right to object. To object to processing based on legitimate interests.
Right to opt out of marketing. By using unsubscribe links or contacting the Service Provider.
7.2. The Customer may also lodge a complaint with the supervisory authority - the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych - UODO) if they believe that their personal data is processed in violation of applicable law.
8. EXERCISING YOUR RIGHTS
8.1. To exercise any rights under this Notice, the Customer may contact the Service Provider via email at support@finastpay.com.
8.2. Requests for access to personal data must be submitted in writing. The Service Provider will respond within one month or within three months for complex requests. Proof of identity (or authority to act on behalf of the business entity) may be required.
8.3. Some requests may not be fulfilled in the following situations:
if complying with the request would expose another person's personal information;
if the Service Provider is obligated by law to retain certain data (e.g., AML obligations);
if the Service Provider has a valid legal basis to continue processing even after the Customer submits a request.
9. COOKIES
9.1. When the Customer accesses the Service Provider's website or uses online services, cookies may be placed on the Customer's device (with consent where legally required). These cookies help improve service quality, store user preferences, and optimize the performance of the platform.
9.2. More information about how the Service Provider uses cookies and similar technologies is provided in the Cookie Notice, which is an integral part of this Privacy Notice.
10. EXTERNAL WEBSITES
10.1. The Service Provider's website may contain links to external websites or services. While the Service Provider aims to reference only reliable sources, it does not oversee and cannot be held responsible for their content, security standards, or privacy practices.
10.2. Once the Customer navigates to a third-party site, they become subject to that site's own policies and terms. The Service Provider strongly advises reviewing those documents before sharing any personal data.
11. CHANGES
11.1. The Service Provider may update or modify this Privacy Notice from time to time. The latest version will always be published on the website.
11.2. Customers are encouraged to review this Notice periodically to stay informed about how their personal information is handled and safeguarded.
11.3. In case of material changes, the Service Provider will notify Customers through the Website or via email.
12. CONTACT INFORMATION
12.1. For any questions regarding this Privacy Notice, the processing of personal data, or to exercise Customer rights, please contact:
FINAST sp. z o.o.
Address: ul. Jana Heweliusza 11, lok. 811, 80-890 Gdańsk, Poland
Email: support@finastpay.com
KRS: 0001164432
NIP: 5214111567