When you use or access our site (the “Site”) or purchase our products or services through the Site we collect certain personal data and personally identifiable information (“Personal Information”).
Whether acting as a data controller, a data processor or data intermediary, Finastra is required to comply with all applicable laws and regulations protecting the privacy of Personal Information in the jurisdictions where Finastra conducts business.
We may amend this Policy from time to time, should it become necessary or advisable to do so to comply with regulatory requirements or best practices.
These definitions may vary slightly according to local data privacy laws.
“Personal Information” is any information relating to an identified or identifiable natural person (which in some jurisdictions may include individuals who are recently deceased, and whether or not the information is true) or to a legal entity (to the extent protected under applicable data protection law), recorded in any medium including but not limited to electronic, paper, or voice recordings. It may include information such as name, address, date of birth, identification numbers, financial information and any other identifiable personal information. Personal Information may include non-identifiable information which, when combined with other information to which Finastra is likely to have access, can be used to identify an individual.
Individuals or entities that are identified or identifiable by Personal Information are referred to as “data subjects”.
“Processing” means any operation that is performed on Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, disabling or destruction.
“Sensitive Personal Information” is a subset of Personal Information, which due to its sensitive nature has been classified by law or policy as requiring additional privacy protection. Sensitive Personal Information may include, without limitation, race, ethnicity, health information, biometric information, religion, gender, sexual orientation, medical/health records, credit card information, dietary requirements, political beliefs and criminal history.
“Third Party” or “Third Party Service Provider” is any natural or legal person, public authority, agency, or other body apart from Finastra that processes or stores Personal Information solely on behalf of and under the instructions of Finastra.
FINASTRA PRIVACY PRINCIPLES
We take our responsibilities as a controller, processor, intermediary or custodian of Personal Information very seriously. We adhere to the following privacy principles:
We will provide notice and, where required by law, obtain consent, in order to Process Personal Information for the purposes set out in this Policy.
For Processing carried out by Finastra when acting as a data controller within the European Economic Area (“EEA”) or in respect of any Processing of Personal Information relating to data subjects in the EEA carried out by Finastra when acting as a data controller (“European Processing Activities”), please see our supplemental notice that meets applicable European data protection notice requirements (“Finastra EEA Privacy Notice”).
For more information regarding the privacy rights of California residents, please refer to the Finastra California External Privacy Notice.
We process Personal Information in a reasonable and lawful manner for our legitimate business interests and to fulfil our contractual obligations to you. Personal Information is retained for as long as is necessary for the purpose(s) for which it was collected. We request only the information necessary to fulfill the Service requested.
We collect Personal Information in several ways for different purposes, in particular the following:
- Direct Marketing: We may occasionally use direct marketing to introduce new Services that may be of interest, or to point out different ways that users may be able to take advantage of existing Services. Where required by law, we will obtain consent before using Personal Information for direct marketing purposes. We will also provide an “unsubscribe” or other mechanism to allow opt out from receiving direct marketing messages from us. However, because of the nature of our Services, users who elect not to receive direct marketing messages from us may still be contacted with messages relating to servicing an account with us, or with notifications about software upgrades or release availability, or of other information related to licensed products, if applicable.
- Service Delivery: In order to deliver the Services, we may gather specific information (contact, financial, and other general information), as well as information relating to business needs and preferences and non-identifiable information (such as core system, domain server, computer operating system, or web browser). We collect this information when we on-board a customer using methods described in this Policy and, to the extent permissible under applicable law, by other publicly available means (such as by accessing publicly available databases).
- Site: The Site requires users to create an account and choose a password. Passwords are for individual use only and may not be shared with others. We do not sell, rent or share Personal Information collected on the Site, except as described in this Policy. We may provide links to various third party websites. We do not control or access information users provide to other websites. We are not responsible for the privacy practices of unaffiliated websites to which a Finastra Site may link. We encourage users to become familiar with the privacy practices of such websites before providing them with Personal Information.
- Purchases and Fulfillment: When Services are purchased, additional Personal Information, such as credit card information, may be collected by our e-commerce service provider, Shopify Inc., as necessary in order to process the payment transaction and in accordance with the privacy practices associated with that specific Service. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy/customers
We do not share Personal Information outside of Finastra unless we have been given permission to do so, on behalf of one of our customers who has authorized us to do so in order to provide that Service, or as permitted or required by law, or as described in this Policy.
- We will only collect, use or disclose Personal Information where we have consent to do so or where otherwise permissible under applicable law. Consent can be withdrawn at any time as described under “Rights”; however, the withdrawal of consent may affect our ability to provide the requested Services or information. Where Services are used by our customers to provide services to their customers, employees or other data subjects, and particularly where our customer provides us with its customers’, employees’ and other data subjects’ Personal Information, we may rely on our customers to obtain the consent of their customers, employees or other data subjects to the collection, use and disclosure of their Personal Information by Finastra.
- We may collect, use or disclose Personal Information we hold without consent in circumstances of emergency that threatens life, health or safety or as permitted or required by law.
We will limit the collection, use and disclosure of Personal Information to that which is reasonably necessary for the identified purposes for which it was collected. We will not collect, use or disclose any Personal Information that is provided to us, except as necessary to provide the Services that we have been contracted to provide or as permitted or required by law.
3. ONWARD TRANSFER
We are accountable for all Personal Information under our control or provided to us, including any Personal Information transferred to Third Party Service Providers for the purpose of providing the Services that we have been contracted to provide. When using Third Party Service Providers, we use contractual or other safeguards to provide a comparable level of protection.
- We take our obligation to protect and safeguard Personal Information seriously and we ensure that our Third Party Service Providers apply the same care when processing information on our behalf.
- Finastra may share Personal Information, consistent with this Policy, with Finastra’s group companies or related entities for the purposes of delivering our Services, managing your accounts, hosting, IT, security, support, billing, marketing and communications, provided those group companies or related entities apply at least the same level of protection as set out in this Policy.
- We use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy/customers
- To perform certain software upgrades or changes, or to provide certain Services, it may be necessary to allow Third Party Service Providers of Finastra to access Personal Information. If so, the Third Party Service Providers will have signed an appropriate Finastra non-disclosure agreement before receiving access to Personal Information and will be bound to treat that Personal Information in a manner consistent with our commitment to privacy and data security.
- If we become aware that a Third Party Service Provider is using Personal Information in a way that is contrary to this Policy, we will take the appropriate measures to prevent or stop such use of Personal Information.
- We will comply with requests to disclose Personal Information where required by local law or government authorities to comply with a legal obligation, and where permissible, we will provide advance notice of such disclosure to the individuals concerned.
- We may transfer Personal Information in connection with a contemplated reorganization, sale, bankruptcy or transfer of all or a portion of our business or assets, to the extent permitted by applicable law. Following such a sale or transfer, the entity to which we transferred Personal Information will be the data controller and point of contact for any inquiries concerning the processing of that Personal Information.
Finastra is a global business. To provide our Services, we may transfer Personal Information around the world, including to the United States and to countries outside of the EEA and Switzerland, which may have different data protection standards to those from the country in which the information was initially provided. Where information is transferred outside the EEA and Switzerland, and where this is to a group company or Third Party Service Provider in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses or Swiss standard contractual clauses, or a Third Party Service Provider’s Processor Binding Corporate Rules.
The security of Personal Information is extremely important to Finastra.
- We implement and maintain a data security program that includes appropriate standard administrative, technical, physical and operational safeguards designed to:
  - Maintain the security and confidentiality of Personal Information entrusted to us; and
  - Protect Personal Information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use that could result in harm.
- We implement and maintain practices designed to secure the access, storage and transmission of Personal Information.
- We maintain appropriate security upon the disposal and destruction of records containing Personal Information.
- The nature and extent of protection maintained will correspond to applicable local laws and regulations.
- We restrict access to Personal Information to those employees of Finastra who need to know that information to provide our Services. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of Personal Information. Our employees are also required to attest to the values embodied in our Code of Ethics and Business Conduct. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.
- We have implemented protocols to verify ongoing compliance with this Policy and to enforce disciplinary action against those who violate the privacy and security practices. To report a privacy violation, contact email@example.com.
5. DATA INTEGRITY
We endeavour to keep Personal Information accurate and current; and we update it whenever we receive a request to do so, as described below under “Rights”.
- We take reasonable steps to ensure the Personal Information we have collected is accurate, complete, and current.
- We rely on the accuracy and completeness of the Personal Information that has been provided to us to perform the Services requested.
- We will ensure that any changes that we are required to make to Personal Information are made in a timely fashion.
We honour data subjects’ rights under applicable law to access, correct, update, erase, disable and block their Personal Information when lawfully requested to do so. In some circumstances, a data subject may have the right to obtain a copy of his or her Personal Information or object to processing of his or her Personal Information; to withdraw consent to the collection, use or disclosure of his or her Personal Information for any purpose; and/or to obtain information about how his or her Personal Information has been used or disclosed.
- We will provide data subjects with access to their Personal Information and honour other rights (such as withdrawal of consent) as applicable upon request sent to firstname.lastname@example.org.
- We will correct a data subject’s Personal Information upon request sent to email@example.com.
- Data subjects may also opt out of direct marketing by contacting firstname.lastname@example.org.
- Where we are processing Personal Information on behalf of one of our customers we will refer requests from data subjects for accessing, correcting, updating, erasing, disabling, and/or blocking their Personal Information to that customer for handling and we will assist our customers in responding to access requests we receive.
For more details in respect of our European Processing Activities, please see the “Finastra EEA Privacy Notice”.
For more information regarding the privacy rights of California residents, please see the “Finastra California External Privacy Notice”.
We have policies and procedures in place to implement and audit the privacy principles set forth in this Policy. We have adopted a procedure to receive and respond to complaints and inquiries about our policies and practices relating to the handling of Personal Information. We will investigate all complaints in respect of Personal Information. If a complaint is justified, we will take appropriate measures, including, as necessary, amending our policies and practices. Where we are collecting, using or disclosing Personal Information on behalf of one of our customers, we will assist them in responding to questions and complaints respecting their customers’ Personal Information maintained by us on their behalf. Any inquiries or complaints regarding this Policy or our practices relating to the handling of Personal Information should be addressed to email@example.com.
Except in respect of our European Processing Activities, use of any of our Services in conjunction with this Policy is deemed to be consent to the collection, retention, processing, transfer to third parties and transfer to other countries of your Personal Information, all in accordance with the purposes set forth herein. Data subjects provide Personal Information at their own volition and may be entitled to withdraw consent as described above under “Rights”. The lawful basis for processing Personal Information in respect of our European Processing Activities is set out in our “Finastra EEA Privacy Notice”.
9. CONTACT US
For further information on our privacy policies and practices relating to the handling of Personal Information, contact our Privacy Officer by postal mail to Four Kingdom Street, Paddington, W2 6BD, United Kingdom or by email to firstname.lastname@example.org.