Spiir Privacy Notice

Effective Date: January 2023

This Privacy Notice (the “Notice”) describes how the Mastercard entities identified in the “How to Contact Us” section below (together, “Spiir,” “we,” or “us”) process your Personal Information.


This Notice applies to the processing of Personal Information you provide to us or that we collect through our website www.spiir.com (the “Site”), our mobile application (the “App”), and any services provided by Spiir that link to this Notice (collectively the “Services”).

This Notice describes the Personal Information we collect, the purposes for which we process that Personal Information, the parties with whom we may share it and the measures we take to protect its security. It also tells you about your rights and choices with respect to your Personal Information, and how you can contact us about our privacy practices.

For more information about Mastercard’s Open Banking Solutions, please visit Mastercard’s Open Banking Notice. For more information about Mastercard’s privacy practices in other contexts, please visit Mastercard’s Global Privacy Notice.

 


1. Personal Information We May Collect

We may collect the following types of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Contact Information
  • Questionnaire and Quiz Information
  • Usage Information collected via cookies and similar technologies

For the purpose of this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual. In connection with the provision of the Services, we obtain Personal Information relating to you from the various sources described below.

  1. Personal Information provided by you
     
    • User Account Information. When registering a user account with the Services, you must provide us with your e-mail address, password, and your country of residence. In case you make use of the “Joint Finances” feature, you must provide us with the email address of your partner user account (collectively “User Account Information”).

    • Payment Account Information. You may choose to upload information about your bank account(s) to Spiir via the Site, such as account holder name or reference, balance, transactions, as well as the name(s) of other individuals with whom you share a bank account (“shared account”).

    • Payment Receipts. You may choose to upload electronic copies of payment receipts when using our Services. Where possible, we make these receipts searchable and process their content.

    • Contact Information. When you contact us via email, we collect your first and last name, email address, as well as any other content that you provide. Please be aware that if you do not provide certain contact information, we may not be able to answer your requests or queries.

    • Questionnaire and Quiz Information. When you take part in questionnaires or quizzes within our Services, we collect any information that you provide through your answers. 

  2. Personal Information provided by third parties

    • Payment Account Information (uploaded via your Financial Institution(s)). When you add a bank account to your user account in our Services, you must enter the username and password or other information that you use to login to your online bank account. This allows us to retrieve payment account information from the bank account(s) that you enrol into the Services, such as account holder name or reference, balance, and transactions.

  3. Personal Information automatically obtained from your interaction with the Services

    • Usage Information collected via cookies and similar technologies. When you use our Services, we may collect certain information via automated means such as cookies, web beacons, pixel tags, and embedded scripts. This usage information may include standard information from a web browser (such as browser type and browser language), the operating system used, the IP-address used, your overall geographical location, device identifier numbers, logs of events, information about which features you use and to what extent, and the actions taken on a website (such as how a visitor interacts with the web pages and the links clicked) (collectively “Usage Information”). For detailed information about the use of cookies and similar technologies, please see our cookie policy here.

 

2. How We May Use Your Personal Information

We may use your Personal Information to:

  • Provide and operate our Services
  • Evaluate the use and performance of our Service, and develop new features, technologies, and improvements to the Services
  • Monitor and ensure data quality
  • Generate anonymized and/or aggregated data to prepare insights regarding spending patterns, fraud, and other trends
  • Diagnose and troubleshoot our Services, including customer support
  • Monitor and understand IT performance
  • Market, promote and advertise our Services
  • Comply with legal obligations, and to establish, exercise, or defend against legal claims
  • Detect, investigate, and prevent fraud
  • Manage our customer and vendor relationships

Where required under applicable law, we will only use your Personal Information as necessary to provide you with our Services; with your consent; to comply with a legal obligation; or when there is a legitimate and overriding interest that necessitates the use.

We may use Personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information when we have a legal basis for the processing as identified in the table below.

Processing purpose: Provide and operate our Services

This includes (a) creating and managing any user account you may have with us; (b) retrieving your Payment Account Information on a periodic basis; (c) providing an overview of your spending; (d) enabling you to initiate payments within the App; and (e) allowing you to set spending limits.

Legal basis: The processing is necessary for entering into, or performance of a contract to which you are a party.

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Contact Information
  • Questionnaire and Quiz Information
  • Usage Information

Processing purpose: Evaluate the use and performance of our Service, and develop new features, technologies, and improvements to the Services

Legal basis: We have a legitimate interest in developing and improving our Services (e.g., develop new features, improve our algorithms and models). Where required under applicable law, we obtain your prior consent to process your Payment Account Information for this purpose.

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Questionnaire and Quiz Information
  • Usage Information

Processing purpose: Monitor and ensure data quality

Legal basis: Compliance with a legal obligation (e.g., to detect and fix issues with data quality or accuracy).

Categories of Personal Information:

  • Profile Information
  • Payment Account Information
  • Payment Receipts

Processing purpose: Generate anonymized and/or aggregated data to prepare insights regarding spending patterns, fraud, and other trends

Legal basis: We have a legitimate interest in anonymizing or aggregating Personal Information and analyzing it for internal business purposes. Where required under applicable law, we obtain your prior consent to process your Payment Account Information for this purpose.

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Questionnaire and Quiz Information
  • Usage Information

Processing purpose: Diagnose and troubleshoot our Services, including customer support

This includes our ticketing system where you contact us for assistance when you are experiencing a technical issue as well as ongoing maintenance, and updates performed on the Services.

Legal basis: The processing is necessary for the performance of a contract to which you are a party (e.g., to keep the overview of your bank account(s) and the data provided therein up to date).

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Contact Information
  • Usage Information

Processing purpose: Monitor and understand IT performance

Legal basis: We have a legitimate interest in monitoring and understanding IT performance of our Services for stability and improvement and ensuring the integrity of our Services.

Categories of Personal Information:

  • Usage Information

Processing purpose: Market, promote and advertise our Services

Legal basis: Where required under applicable laws, we will obtain your prior consent to send you electronic direct marketing communications.

Categories of Personal Information:

  • User Account Information
  • Contact Information
  • Questionnaire and Quiz Information
  • Usage Information

Processing purpose: Comply with legal obligations, and to establish, exercise, or defend against legal claims

Legal basis: Compliance with a legal obligation (e.g., to respond to law enforcement requests or requests to exercise your data protection rights). We, or a third party, have a legitimate interest in protecting against legal claims.

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Contact Information
  • Questionnaire and Quiz Information
  • Usage Information
  • Any other data element you provide us when submitting a request

Processing purpose: Detect, investigate, and prevent possible fraud

This includes tracking and hindering any possible illegal activities and abuse of our products and services, including by monitoring logs. For more information about our fraud and security activities, please refer to the Fraud and Security Notice.

Legal basis: We have a legitimate interest in detecting, investigating, and preventing fraud, such as illegal activities or abuse of the Services, or we must do so to comply with legal obligations (e.g., under anti-money laundering laws).

Categories of Personal Information:

  • User Account Information
  • Payment Account Information
  • Payment Receipts
  • Contact Information
  • Questionnaire and Quiz Information
  • Usage Information

Processing purpose: To manage our customer and vendor relationships

Legal basis: We have a legitimate interest in managing our customer and vendor relationships as necessary to operate the Services.

Categories of Personal Information:

  • Contact Information
  • Usage Information

 

3. How We Share Your Personal Information

We may share Personal Information with the following third parties:

  • Other permitted Spiir users
  • Service Providers acting on our behalf
  • Public authorities
  • Potential transactional partners
  • Mastercard’s headquarters in the U.S., our affiliates and other entities within Mastercard’s group of companies

We may disclose Personal Information we collect about you to the following third parties, for the purposes described below:

  1. Other permitted Spiir users

    You may allow other Spiir users to access and view your Personal Information in the Services (e.g., a spouse, via the “Partner Settings”). To enable such access, we may need to disclose your Personal Information to the concerned individual. You can revoke this access at any time in the Services’ settings.

  2. Service Providers acting on our behalf

    We may share Personal Information with our service providers who perform services on our behalf and in relation to the purposes described in this Notice (e.g., for marketing, security, hosting, customer support). We require these service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to have safeguards designed to protect the security and confidentiality of the Personal Information they process on our behalf.

  3. Public authorities

    We may share the Personal Information we collect with public authorities (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, to protect our legal interests, or in connection with an investigation of suspected or actual fraudulent or illegal activity.

  4. Potential transactional partners

    We reserve the right to transfer Personal Information we have about you to potential transactional partners or other third parties in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Personal Information you have provided to us in a manner that is consistent with this Notice.

  5. Mastercard Group

    We may share the Personal Information we collect with Mastercard’s headquarters in the U.S., our affiliates and other entities within the Mastercard group of companies, for the purposes described in this Notice. Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules.

 

4. Your Rights and Choices

Subject to applicable law, you have the right to:

  • Access your Personal Information, rectify it, restrict, or object to its processing, request its deletion, and request us to transmit it to another company
  • Withdraw any consent provided, including in relation to the use of cookies and other tracking technologies
  • Opt-out from receiving marketing communications
  • Where applicable, lodge a complaint with your supervisory authority

You can exercise your rights by accessing the export feature on the Mine Spiir platform or by submitting a manual request as described in the “How to Contact Us” section below.

You can learn more about Mine Spiir’s export feature here.


Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules (including for any Personal Information provided in connection with data export accessible from Mine Spiir).

You have certain rights regarding the Personal Information we maintain about you and certain choices about what Personal Information we collect from you, how we use it, and how we communicate with you.

Subject to applicable law, you have the right to:

  • Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer information to another company.
  • Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.

  • Opt-out from receiving marketing communications by clicking on the unsubscribe link in such communications or via your privacy settings in the Services.
  • Not to provide Personal Information to us by refraining from using our Services and from submitting Personal Information directly to us. When we collect Personal Information from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide Personal Information, we may not be able to provide you with our Services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such Services.

 

The above rights may be limited in some circumstances by local law requirements.

To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specified in the "How To Contact Us" section below.

If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.

 

5. How We Protect Your Personal Information

We maintain appropriate security safeguards to protect your Personal Information and only retain it for a limited period of time.

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. The types of measures we take vary depending on the type of data, and how it is collected and stored. 

We restrict access to Personal Information about you to those employees who need to know that information to provide products or services to you. All our employees are subject to strict confidentiality requirements when processing Personal Information. 

When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and the statute of limitations.

We retain your Personal Information until you delete your user account on our Services. However, we may retain Personal Information for a longer period, if required to comply with legal requirements or to protect our legal interests.

We also take measures to delete your Personal Information or keep it in a form that does not permit your identification when this information is no longer necessary for the purposes for which we process it or when you request its deletion, unless we are required by law to keep the information for a longer period.

 

6. Data Transfers

We may transfer your Personal Information outside of your country, including to the United States, in compliance with Mastercard Binding Corporate Rules and other data transfer mechanisms.

Aiia A/S, which is part of the Mastercard group, is a global business. We may transfer or disclose Personal Information to recipients in countries other than your country, including the United States, where Mastercard is headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Notice.

We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located. In particular, we established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities and by the UK data protection authority as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which the EU Commission or the UK Government has issued an adequacy decision or use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or the UK Standard Contractual Clauses.

You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA or UK.

 

You may choose to use certain features for which we partner with other entities that operate independently from us.

 

8. Children’s Privacy

The Services are not intended for use by children under the age of 16 years old. We do not knowingly collect information from children under the age of 16.

Our Services are not directed to, or intended for, children under the age of 16. If you learn that a child has provided us with Personal Information in violation of this Notice, please alert us at privacyanddataprotection@mastercard.com.

 

9. Updates to This Notice

This Notice may be updated periodically to reflect changes in our privacy practices.

This Notice may be updated periodically to reflect changes in our Personal Information practices. We will notify you of any significant changes to our Notice and indicate at the top of the Notice when it was most recently updated. If we update this Privacy Notice, in certain circumstances, we may seek your consent.

 

10. How to Contact Us

You may contact our global privacy office at privacyanddataprotection@mastercard.com, or write to us at:

Aiia A/S
Att.: Privacy
Artillerivej 86, st. tv.
2300, Copenhagen
Denmark

If you have any questions, comments or complaints about this Notice and our privacy practices, or would like to update your privacy preferences, please email us at: privacyanddataprotection@mastercard.com or write to the entity responsible for the processing of your Personal Information (or data controller) as indicated below:

Aiia A/S
Att.: Privacy
Artillerivej 86, st. tv.
2300, Copenhagen
Denmark

You can also contact our data protection officer at privacyanddataprotection@mastercard.com, or by writing to:   

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium