MCOBS Europe Privacy Notice (Spiir)
Effective Date: March 2024
This Privacy Notice (the “Notice”) describes how the Mastercard entities identified in the “How to Contact Us” section below (together, “Spiir,” “we,” or “us”) process your Personal Information.
Spiir is a Personal Financial Management app used by Mastercard OB Services Europe A/S ("MCOBS Europe"). MCOBS Europe will provide you with 'account information services' ("AIS"), which allows you to connect your online payment accounts to the Spiir application so that you can view consolidated payment account information (such as balance and transaction information), obtained from your online payment accounts through Spiir. Please see further information about how to contact MCOBS Europe, in the "How to Contact Us" section below.
This Notice describes the Personal Information we collect, the purposes for which we process that Personal Information, the parties with whom we may share it and the measures we take to protect its security. It also tells you about your rights and choices with respect to your Personal Information, and how you can contact us about our privacy practices.
This Notice applies to the processing of Personal Information you provide to us or that we collect through our website www.spiir.com (the "Site"), our mobile application, (the “App”) and any services provided by Spiir that link to this Notice (collectively the “Services”).
For more information about MCOBS Europe’s Open Banking Solutions, please visit Mastercard’s Open Banking Notice. For more information about Mastercard’s privacy practices in other contexts, please visit Mastercard’s Global Privacy Notice.
1. Personal Information We May Collect
We may collect the following types of Personal Information:
- User account Information
- Payment Account Information
- Payment Receipts
- Contact Information
- Questionnaire and Quiz Information
- Usage Information collected via cookies and similar technologies
For the purpose of this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual. In connection with the provision of the Services, we obtain Personal Information relating to you from the various sources described below.
- Personal Information provided by you
- User Account Information. When registering a user account with the Services, you must provide us with your e-mail address, password, and your country of residence. In case you make use of the “Joint Finances” feature, you must provide us with the email address of your partner user account user account (collectively “User Account information”).
- Payment Account Information. You may choose to upload information about your bank account(s) to Spiir via the Site, such as account holder name or reference, balance, transactions, as well as the name(s) of other individuals with whom you share a bank account (“shared account”).
- Payment Receipts. You may choose to upload electronic copies of payment receipts when using our Services. Where possible, we make these receipts searchable and process their content.
- Contact information. When you contact us, via email, we collect your first and last name, email address, as well as any other content that you provide. Please be aware that if you do not provide certain contact information, we may not be able to answer your requests or queries.
- Questionnaire and Quiz Information. When you take part in questionnaires or quizzes within our Services, we collect any information that you provide through your answers.
- User Account Information. When registering a user account with the Services, you must provide us with your e-mail address, password, and your country of residence. In case you make use of the “Joint Finances” feature, you must provide us with the email address of your partner user account user account (collectively “User Account information”).
- Personal Information provided by third parties
- Payment Account Information (uploaded via your Financial Institution(s)). We retrieve payment account information from the bank account(s) that you enrol into the Services, such as account holder name or reference, balance, and transactions.
- Payment Account Information (uploaded via your Financial Institution(s)). We retrieve payment account information from the bank account(s) that you enrol into the Services, such as account holder name or reference, balance, and transactions.
- Personal Information automatically obtained from your interaction with the Services
- Usage Information collected via cookies and similar technologies. When you use our Services, we may collect certain information via automated means such as cookies, web beacons, pixel tags, and embedded scripts. This usage information may include standard information from a web browser (such as browser type and browser language), the operating system used, the IP-address used, your overall geographical location, device identifier numbers, logs of events, information about which features you use and to what extent, and the actions taken on a website (such as how a visitor interacts with the web pages and the links clicked) (collectively “Usage Information”). For detailed information about the use of cookies and similar technologies, please see our cookie policy here.
2. How We May Use Your Personal Information
We may use your Personal Information to:
- Provide and operate our Services
- Evaluate the use and performance of our Service
- Monitor and ensure data quality
- Generate anonymised and/or aggregated data to prepare insights regarding spending patterns, fraud, and other trends
- Diagnose and troubleshoot our Services, including customer support
- Monitor and understand IT performance
- Market, promote and advertise our Services
- Comply with legal obligations, and to establish, exercise, or defend against legal claims
- Detect, investigate, and prevent financial crime
- To manage our customer and vendor relationships
Where required under applicable law, we will only use your Personal Information as necessary to provide you with our Services; with your consent; to comply with a legal obligation; or when there is a legitimate and overriding interest that necessitates the use.
We use Personal Information we obtain about you for the purposes set out below. We will only process your Personal Information when we have a legal basis for the processing as identified in the table below.
Processing purposes | Legal basis | Categories of Personal Information |
---|---|---|
Provide and operate our Services This includes (a) creating and managing any user account you may have with us; (b) retrieving your Payment Account Information on a periodic basis; and (c) providing an overview of your spending and income. |
The processing is necessary for entering into, or performance of a contract to which you are a party. |
User Account Information Payment Account Information Payment Receipts Contact Information Questionnaire and Quiz Information Usage Information |
Monitor and ensure data quality |
Monitoring IT performance of our Open Banking Solutions for stability, improvement and ensuring the integrity of our Solutions is necessary for the performance of the contract to which you are a party. Compliance with a legal obligation (e.g., to detect and fix issues with data quality or accuracy). |
Profile Information Payment Account Information Payment Receipts |
Generate anonymised and/or aggregated data to prepare insights regarding spending patterns, fraud, and other trends |
We have a legitimate interest in anonymising or aggregating Personal Information and analysing it for internal business purposes. Where required under applicable law, we obtain your prior consent to process your Payment Account Information for this purpose. |
User Account Information Payment Account Information Payment Receipts Questionnaire and Quiz Information Usage Information |
Diagnose and troubleshoot, our Services, including customer support This includes our ticketing system where you contact us for assistance when you are experiencing a technical issue |
The processing is necessary for the performance of a contract to which you are a party (e.g., to keep the overview of your bank account(s) and the data provided therein up to date).
|
User Account Information Payment Account Information Contact Information Usage Information |
Monitor and understand IT performance |
We have a legitimate interest in monitoring and understanding IT performance of our Services for stability and improvement and ensuring the integrity of our Services. |
Usage Information |
Market, promote and advertise our Services |
We will obtain your prior consent to send you electronic direct marketing communications. |
User Account Information Contact Information Questionnaire and Quiz Information Usage Information |
Comply with legal obligations, and to establish, exercise, or defend against legal claims |
Compliance with a legal obligation (e.g., to respond to law enforcement requests or requests to exercise your data protection rights). We, or a third party, have a legitimate interest in protecting against legal claims. |
User Account Information Payment Account Information Payment Receipts Contact Information Questionnaire and Quiz Information Usage Information Any other data element you provide us when submitting a request |
Detect, investigate, and prevent possible financial crime This includes tracking and hindering any possible illegal activities and abuse of our products and services, including by monitoring logs.
|
We have a legitimate interest in detecting, investigating, and preventing financial crime, such as illegal activities or abuse of the Services, or we must do so to comply with legal obligations (e.g., under anti-money laundering laws). |
User Account Information Payment Account Information Payment Receipts Contact Information Questionnaire and Quiz Information Usage Information |
To manage our customer and vendor relationships |
Managing our customer and vendor to operate the Services is necessary for the performance of a contract to which you are a party. |
Contact Information Usage Information |
3. How We Share Your Personal Information
We may share Personal Information with the following third parties:
- Other Permitted Spiir users
- Service Providers acting on our behalf
- Other entities within the Mastercard group of companies
- Public authorities
- Potential transactional partners
We may disclose Personal Information we collect about you to the following third parties, for the purposes described below:
- Other permitted Spiir users
You may allow other Spiir users to access and view your Personal Information in the Services (e.g., a spouse, via the “Partner Settings”). To enable such access, we may need to disclose your Personal Information to the concerned individual. You can revoke this access at any time in the Services’ settings.
- Service Providers acting on our behalf
We may share Personal Information with our service providers who perform services on our behalf and in relation to the purposes described in this Notice (e.g., for marketing, security, hosting, customer support). We require these service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to have safeguards designed to protect the security and confidentiality of the Personal Information they process on our behalf.
- Other entities within the Mastercard Group
We share the Personal Information we collect with Mastercard’s headquarters in the U.S., our affiliates and other entities within the Mastercard group of companies, for the purposes described in this Notice. Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules.
MCOBS Europe is part of the Mastercard group. We engage MCOBS Europe to provide services which enable us to deliver our account information services and work with MCOBS Europe in connection with the delivery of our services. We therefore share your Personal Information with MCOBS Europe which is a controller for this purpose. If you have any questions regarding the services of MCOBS Europe, please contact us.
- Public authorities
In some circumstances we share the Personal Information we collect with public authorities. This includes (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, to protect our legal interests, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
- Potential transactional partners
We reserve the right to transfer Personal Information we have about you to potential transactional partners or other third parties in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Personal Information you have provided to us in a manner that is consistent with this Notice.
4. Your Rights and Choices
Subject to applicable law, you have the right to:
- Access your Personal Information, rectify it, restrict, or object to its processing, request its deletion, and request us to transmit it to another company
- Withdraw any consent provided, including in relation to the use of cookies and other tracking technologies
- Opt-out from receiving marketing communications
- Where applicable, lodge a complaint with your supervisory authority
You can exercise your rights by accessing the export feature on Mine Spiir platform or by submitting a manual request as described in the “How to Contact Us” section below.
You can learn more about Mine Spiir’s export feature here.
Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules (including for any Personal Information provided in connection with data export accessible from Mine Spiir.).
You have certain rights regarding the Personal Information we maintain about you and certain choices about what Personal Information we collect from you, how we use it, and how we communicate with you.
Subject to applicable law, you have the right to:
- Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer information to another company.
- Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.
- Opt-out from receiving marketing communications by clicking on the unsubscribe link in such communications or via your privacy settings in the Services.
- Not to provide Personal Information to us by refraining from using our Services and from submitting Personal Information directly to us. When we collect Personal Information from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide Personal Information, we may not be able to provide you with our Services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such Services.
The above rights may be limited in some circumstances by local law requirements.
To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specified in the "How To Contact Us" section below.
If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.
5. How We Protect Your Personal Information
We maintain appropriate security safeguards to protect your Personal Information and only retain it for a limited period of time.
We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorised alteration, unauthorised disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. The types of measures we take vary depending on the type of data, and how it is collected and stored.
We restrict access to Personal Information about you to those employees who need to know that information to provide products or services to you. All our employees are subject to strict confidentiality requirements when processing Personal Information.
When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and the statute of limitations.
We retain your Personal Information until you delete your user account on our Services. However, we may retain Personal Information for a longer period, if required to comply with legal requirements or to protect our legal interests.
We also take measures to delete your Personal Information or keep it in a form that does not permit your identification when this information is no longer necessary for the purposes for which we process it or when you request their deletion unless we are required by law to keep the information for a longer period.
6. Data Transfers
We may transfer your Personal Information outside of your country in compliance with Mastercard Binding Corporate Rules and other data transfer mechanisms.
Spiir is the Personal Financial Management application used by MCOBS Europe which is part of the Mastercard group, a global business. We may transfer or disclose Personal Information to third party recipients which are situated in countries other than your country. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Notice.
We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located. If Personal Information is transferred to a country outside the EEA, the adequacy of that country and the organisations and systems processing the information is assessed to ensure that appropriate safeguards are in place. This is in accordance with EU data protection law and may be by an adequacy decision issued by the EU, Binding Corporate Rules, standard contractual clauses or other transfer mechanisms as permitted by law.
Mastercard has established and implemented Binding Corporate Rules (“BCRs”) that have been recognised by the relevant European Data Protection Authorities as providing an adequate level of protection to the Personal Information we process globally. Copies of our BCRs applicable to the EEA and to the UK are available here.
You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the UK or EEA.
7. Features and Links to Other Websites
You may choose to use certain features for which we partner with other entities that operate independently from us.
You may choose to use certain features for which we partner with other entities or click on links to other websites or mobile applications for your convenience and information. These entities may operate independently from us. They may have their own privacy notices or policies, which we strongly suggest you review. To the extent any features or linked websites you visit are not owned or operated by us, we are not responsible for the sites or the features’ content, any use of the sites or feature or the privacy practices of the sites or feature.
8. Children’s Privacy
The Services are not intended for use by children under the age of 16 years old. We do not knowingly collect information from children under the age of 16.
Our Services are not directed to, or intended for, children under the age of 16. If you learn that a child has provided us with Personal Information in violation of this Notice, please alert us at spiirprivacy@mastercard.com.
9. Updates to This Notice
This Notice may be updated periodically to reflect changes in our privacy practices.
This Notice may be updated periodically to reflect changes in our Personal Information practices. We will notify you of any significant changes to our Notice and indicate at the top of the Notice when it was most recently updated. If we update this Privacy Notice, in certain circumstances, we may seek your consent.
10. How to Contact Us
You may contact our global privacy office at spiirprivacy@mastercard.com, or write to us at:
Att.: Privacy
Mastercard OB Services Europe
Arne Jacobsens Allé 13
2300, Copenhagen
Denmark
If you have any questions, comments or complaints about this Notice and our privacy practices, or would like to update your privacy preferences, please email us at: spiirprivacy@mastercard.com or write to entity responsible for the processing of your Personal Information (or data controller) as indicated below:
Att.: Privacy
Mastercard OB Services Europe
Arne Jacobsens Allé 13
2300, Copenhagen
Denmark