Last Updated on 14th December, 2022
This privacy policy explains how Service Provider uses the personal data that is collected from You once You access or use website www.nordigen.com and services available on this website and all related subdomains, including ob.nordigen.com ( Open Banking Portal) ( hereinafter - Services).
Services are provided by SIA "Nordigen Solutions", a private limited liability company registered under the laws of the Republic of Latvia, company registration number 40103982535 (hereinafter referred to as Nordigen). Nordigen is committed to protect your personal data and to respect your privacy. Nordigen SIA was acquired by GoCardless (as defined below) in July 2022. As a result of such acquisition, the parties are currently going through an integration period. Throughout this integration period, the Services shall be provided by Nordigen and GoCardless S.A.S, with company number 834422180 and registered address 7 Rue de Madrid, 75008 Paris, France for all services provided to Users located in the European Economic Area and by GoCardless Ltd with company number 07495895 and registered address Sutton Yard, 65 Goswell Road, London, England, EC1V 7EN for the provision of services provided to Users located in the United Kingdom and the rest of the world (with the exception of the European Economic Area) (hereinafter jointly and independently referred to as “GoCardless”). From 1 April 2023, the Services shall be provided solely by GoCardless and Norgiden shall no longer be a party of these Terms. Nordigen and GoCardless shall jointly and severally be defined as “Service Provider”, “we” or “us”.
By accessing and using the Services You agree to the data processing practices described in this Privacy Policy.
"Applicable data privacy laws" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR) or any national or internationally binding data privacy laws or regulations that may be applicable at any time during the term of this Privacy Policy.
"Data Controller" means the natural or legal entity/entities which determines the purposes and means of the processing of Personal Data.
"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s).
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Services" means Open Banking Portal.
"You" or “User” means You or the legal entity You represent.
“Account Information” means information relating to payment accounts.
"Account Information Service" means a service which enables to access, view or share (where relevant) information relating to payment accounts.
“Account Servicing Payment Service Provider” means an entity which provides and maintains a payment account for a payer.
“Service Provider Partner” means a third party, for example bank, credit institution or other service provider, which requires Your Account Information via Service Provider Account Information API to provide You services.
This Privacy Policy applies when You visit the Service Provider’s website or access and use the Services.
If You are an end-user of Service Providers Account Information Service or You have connected Your bank account to Open Banking portal please refer to our End-User Privacy Policy.
This Privacy Policy does not apply to services provided to You by Service Provider‘s Partners. Such services may be subject to Service Provider’s Partner terms and conditions and privacy policies.
If You are Open Banking Portal user
| Types of personal data we are Processing | Purpose of Processing | Lawful basis of Processing |
|---|---|---|
| Registration and login data (including email, information on company You work for) | To provide Services; to carry out customer support and Service maintenance | Performance of contract between You and Service Provider |
| Email, first name, last name, IP address, client/account ID, personal identity code and other information provided by You or obtained by performing Services | User identification and administration; to investigate any fraud, illegal activity or wrongdoing in connection with the Services; to conduct any due diligence required for us to provide You Services | To comply with our legal obligations (including regulatory requirements that we are subject to) |
| Contact details (including email, first name, last name, address, phone number and other data provided by You) | To contact You send You relevant information regarding Services and personalized offers; | Your consent |
| Contact details (including email, first name, last name and other data provided by You) | To record Your feedback and inquiries for the purpose of improving Services | Our legitimate interest in ensuring that we can provide You with the Services and to continuously improve our Services |
If You are visitor of Service Provider’s website
| Types of personal data we are Processing | Purpose of Processing | Lawful basis of Processing |
| Contact details (including email, first name, last name, address, phone number and other data provided by You) | To contact You and send You relevant information regarding Services and personalized offers; | Your consent |
Service Provider collects information You voluntarily provide us via the website or by registering and using the Services. Information You provide when registering to use our Services is mandatory to enter into a contract with Service Provider and for Service Provider to be able to provide You the Services. In case You don’t provide the required information we may not be able to provide You the Services.
When You use the Open Banking Portal and connect Your bank account, we obtain Account Information from Your Account Servicing Payment Service Provider. When You add additional users under Your Open Banking Portal account, we obtain email address and name of the users You have added directly on the Open Banking Portal account. Service Provider may also collect data we obtain from cookies. Information on how Service Provider uses cookies or similar tracking technologies is described in the Cookie Policy.
In general, Service Provider only keeps Your Personal Data for the time necessary to fulfil the purpose of collection or further Processing, namely providing the required Services. To determine data retention periods Service Provider takes into account:
Where Personal Data is processed based on Your consent, Personal Data is deleted after you have withdrawn Your consent or unsubscribed to receive relevant information. You can withdraw Your consent at any time by sending an e-mail to: help@gocardless.com or by clicking ‘unsubscribe’ where such option is present.
You can delete Your Open Banking Portal account and the Personal Data You have provided to Service Provider at any time, by clicking ‘delete account’. Please note that Service Provider still may keep log data and other Personal Data associated with Your account up to 5 years after deletion of Your account to fulfil applicable legal obligations.
Service Provider would like to make sure You are fully aware of Your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request Service Provider for copies of Your personal data.
The right to rectification – You have the right to request that Service Provider corrects any information You believe is inaccurate. You also have the right to request Service Provider to complete information You believe is incomplete.
The right to restrict Processing – You have the right to request that Service Provider restrict the Processing of Your personal data.
The right to data portability – You have the right to request that Service Provider transfers the data that Service Provider has collected to another organization or directly to You.
Where Personal Data is Processed for direct marketing purposes or Processing is based on our legitimate interests, You have the right to object to such Processing.
If You make a request, Service Provider will answer You within one month. If You would like to exercise any of these rights, please contact us at our email: help@gocardless.com.
In case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, Service Provider is entitled to charge an administrative fee. In such cases You will be notified thereof beforehand.
Your Personal Data may be accessed and Processed only by authorized Service Provider’s employees in connection with the provision of Services. All authorized employees are under confidentiality agreements with a legitimate need to process personal data for the Processing purposes stated in this policy.
We have also engaged multiple suppliers and vendors as Data Processors to help us provide You with the Services, e.g. cloud service providers, client relations management service providers, email service providers, payment processors etc. Service Provider will be responsible for the correct Processing of Your Personal Data according to Service Providers instructions given to such Data Processors and Applicable data privacy laws.
Your Personal Data may be disclosed if it is required by the Applicable data privacy laws or competent authority in order to fulfil Service Provider's legal obligations.
Your Personal Data will not be transferred or stored in countries outside of the United Kingdom and/or the European Economic Area / European Union unless there are legal grounds for such transfer and there is an adequate level of data protection.
In order to protect Your Personal Data, ServiceProvider has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the Processing and the nature of the Personal Data being processed. Organisational measures include restricting access to the Personal Data solely to authorised persons under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.
Service Provider keeps this privacy policy under regular review and places any updates on this web page. Service Provider will inform You about substantial changes to this privacy policy via Service Provider’s website, via email or other means of electronic communication. Service Provider has the right to change this privacy policy solely at any time.
If You have any questions about this privacy policy, the data Service Provider holds on You, or You would like to exercise one of Your data protection rights, please do not hesitate to contact our data protection officer:
E-mail:help@gocardless.com
Should You wish to report a complaint or if You feel that Service Provider has not addressed Your concern in a satisfactory manner, You may contact the Information Commissioner’s Office of the United Kingdom via e-mail: icocasework@ico.org.uk and via phone at: 0303 123 1113. You may also contact the Data State Inspectorate of the Republic of Latvia via e-mail: info@dvi.gov.lv and via phone at +37167223131