Privacy policy for the TIS mobile app

Treasury Intelligence Solutions (hereafter: TIS) operates a mobile app with the aim of facilitating the usage of TIS services. TIS places great importance on the protection of privacy and complies with the applicable data protection regulations. In the following, you will find an explanation of how we handle your personal data within the TIS app.

Please note that this Privacy policy covers merely the processing activities for which TIS is a controller within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR), such as guaranteeing the overall functioning and security of the app. The information obligations regarding the processing activities for which TIS is a processor (such as payment processing) shall be fulfilled by the respective TIS customer as a controller, as per Art. 13 GDPR.

 

1. Who is responsible for the app?

The responsible parties (controllers) pursuant to data protection laws, in particular the GDPR, are

Treasury Intelligence Solutions GmbH
Langer Anger 7
69115 Heidelberg
Germany

 

Treasury Intelligence Solutions, Inc.
75 State St, 1st Floor
Boston, MA 02109
USA

 

Phone: +49 6227 69 82 40
E-mail: info@tispayments.com

 

Treasury Intelligence Solutions GmbH has appointed a data protection officer:

Data protection officer of Treasury Intelligence Solutions GmbH
c/o activeMind.legal Rechtsanwaltsgesellschaft mbH
Potsdamer Straße 3
80802 Munich
Germany

Phone: +49 89 91 92 94 900
E-mail: dataprotection@tis.biz

 

2. Which processing activities are carried out?

2.1. Download of the TIS app

You can download our app from the Apple App Store or Google Play Store. When downloading the app, the necessary information is transferred to the respective app store provider. This information includes, in particular, your user name, e-mail address and customer number of your Google or Apple account, the time of the download, the serial number of the end device (IMEI) and the MAC address.

Regarding the data processing associated with the download of the app, the respective app store provider is the data controller within the meaning of the GDPR. To find out more about their processing of your data, please visit https://policies.google.com/privacy (Google) or https://www.apple.com/legal/privacy/en-ww/ (Apple), respectively.

 

2.2. Collection of general information during your app usage

Type and purpose of the processing

When you use our app, i.e. even if you do not register or otherwise submit any information, information of a general nature is automatically collected. This information (log files) includes, among others, the IP address of your device, date and time of the request, technical information about the terminal device used and your online identifiers (e.g., device identifier, app installation identifier).

In particular, this data is processed for the following purposes:

  • ensuring a problem-free connection,
  • ensuring seamless use of our app,
  • evaluation of system security and stability, and
  • optimization of our app.

We do not use this data to draw conclusions about your person. We might statistically analyze them in an anonymized form in order to optimize our app and its underlying technology.

Legal basis and legitimate interest

The processing is carried out pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of the app.

Data recipients

Recipients of the data may be our technical service providers acting as data processors in the area of operation and maintenance of our app.

Retention period

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. With regard to the data processed with the aim of app provision, this is generally the case after the respective session has ended.

Data stored in log files will be deleted after 1 month at the latest. Storage beyond this period is possible, in which case we will anonymize the IP addresses of the users so that an assignment of the calling client is no longer possible.

Mandatory or required provision

The provision of the aforementioned personal data is neither statutorily nor contractually required. However, without the provision of the aforementioned data, the service and functionality of our app cannot be guaranteed. Furthermore, individual services may be unavailable or limited. Hence, objection to the aforementioned processing is not possible.

 

2.3. Login into the TIS app

Type and purpose of the processing

In order to be able to use the TIS app, you have to set credentials. Besides using a PIN, you can also log in using your biometric data (face scan and/or a fingerprint). Using biometric data is voluntary.

Legal basis

Given that the underlying processing is necessary to fulfil obligations stemming from contracts with our customers, the legal basis for this data processing is Art. 6(1)(b) GDPR. Furthermore, this processing also occurs based on our legitimate interest in electronic access control and in guaranteeing the security of the data processed within the app pursuant to Art. 6(1)(f) GDPR.

The legal basis for the processing of your biometric data is your consent according to Art. 6(1)(a) GDPR.

Recipients

Recipients of the data may be our technical service providers (data processors) in the field of operation and maintenance of our app.

Retention period

The aforementioned data will only be processed as long as necessary to achieve the processing purposes. Thereafter, it will be deleted, unless there is a statutory retention obligation contradicting the deletion. In principle, we will delete your credentials once you close your account. The data processed based on your consent will be deleted when it is no longer required for the fulfillment of the processing purposes or after you have withdrawn your consent.

Mandatory or required provision

The provision of your personal data is not statutorily required. However, without setting credentials, you will not be able to use our app. In that case, please access your TIS account via a web browser.

 

2.4. Establishment of a connection to an existing TIS account

Type and purpose of the processing

In order to be able to use the full functionalities of the TIS app, you have to connect your mobile app to your already existing TIS account. To do this, you have to scan a QR code that you can find in your TIS account in a web browser, for which your permission to access the camera is needed.

Legal basis

Given that the underlying processing is necessary to fulfil obligations stemming from a contract with our customers, the legal basis for this data processing is Art. 6(1)(b) GDPR. Furthermore, this processing also occurs based on our legitimate interest in guaranteeing the security of your data and preventing abuse (Art. 6(1)(f) GDPR).

Recipients

Recipients of the data may be our technical service providers (data processors) in the field of operation and maintenance of our app.

Retention period

The aforementioned data will only be processed as long as necessary to achieve the processing purposes. Thereafter, it will be deleted, unless there is a statutory retention obligation contradicting the deletion.

Mandatory or required provision

The provision of your personal data is not statutorily required. However, without establishing a connection to your existing TIS account, you will not be able to use our app. In this case, please access your TIS account via a web browser.

 

2.5. Usage of the TIS app

Type and purpose of the processing

In the TIS app, you can review your list of payments and approve payments. The purpose of the TIS app is to make the usage of TIS services easier and more flexible for you. For example, using our app, you can easily access your TIS account while on the go.

Legal basis

Given that the underlying processing is necessary to fulfil obligations stemming from contracts with our customers, the legal basis for this data processing is Art. 6(1)(b) GDPR. Furthermore, this processing also occurs based on our legitimate interest in providing you an easy and flexible way of using our services pursuant to Art. 6(1)(f) GDPR.

Recipients

Recipients of the data may be our technical service providers (data processors) in the field of operation and maintenance of our app.

Retention period

The aforementioned data will only be processed as long as necessary for fulfillment of the processing purposes. Thereafter, it will be deleted, unless there is a statutory retention obligation contradicting the deletion.

Mandatory or required provision

The provision of your personal data is not statutorily required. Your usage of the app is voluntary. In case you do not want to use the app, please access your TIS account via a web browser.

 

2.6. Push notifications

Type and purpose of the processing

Within the TIS app, you have the possibility to enable push notifications. In this case, you will be notified instantly in case a new payment is ready to be approved or if a payment was rejected by the bank. The purpose of this processing is to make your usage of TIS services more convenient.

For push notifications, we use the tool “Firebase Cloud Messaging”.

Legal basis

The legal basis for the underlying processing is your consent pursuant to Art. 6(1)(a) GDPR.

Recipients and third country transfer

Recipients of the data may be our technical service providers (data processors) in the field of operation and maintenance of our app. In particular, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) as the provider of the tool “Firebase Cloud Messaging” acts as our processor, and may obtain access to your data. To enable this, we have entered into a data processing agreement with Google.

Google will at no time obtain access to financial/transaction data of your company processed within the app.

Google processes your data in the USA. Please note that the level of data protection in the USA might not correspond to that of the European Union. There is currently no adequacy decision of the European Commission in place for the USA. To protect your data after the transfer, we have concluded standard contractual clauses with Google. Please let us know should you want to obtain a copy thereof.

Retention period

The aforementioned data will only be processed as long as necessary for the fulfillment of the processing purposes or as long as your consent is given. Afterwards, it will be deleted.

Withdrawal of consent

You may withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

To withdraw your consent for push notifications, please disable this option in the “Settings” section of the app under “Push Notifications”.

Mandatory or required provision

The provision of your personal data is neither statutorily nor contractually required. Apart from not being instantly notified about the above-mentioned events, there will be no negative consequences in case you do not give us your consent.

 

2.7. Usage of third-party tools (Google Firebase)

We embedded third party tools into our app to make app usage more comfortable and more secure, to be able to swiftly react to any issues, and to better tailor the offering of our app to your interests, among others.

We use the following third-party tools provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”):

  • Google Analytics for Firebase,
  • Firebase Crashlytics,
  • Firebase App Distribution and
  • Firebase Cloud Messaging (see above, Section 2.6).

In this section, you will first find common information applicable to all before-mentioned tools, followed by tool-specific information. Furthermore, you can find more information on the data processing by Google under the following link: https://policies.google.com/privacy.

Legal basis

The legal basis for these processing activities is your consent according to Art. 6(1)(a) GDPR. Insofar as storing information on your terminal device, or accessing information already stored there, takes place, the legal basis is your consent pursuant to Sec. 25(1) of the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz).

Recipients and third country transfer

The data is shared with Google as our processor. To enable this, we have entered into a data processing agreement with Google.

Google processes your data in the USA. Please note that the level of data protection in the USA might not correspond to that of the European Union. There is currently no adequacy decision of the European Commission in place for the USA. To protect your data after the transfer, we have concluded standard contractual clauses with Google. Please let us know should you want to obtain a copy thereof.

Retention period

The data is deleted as soon as you have withdrawn your consent or it is no longer required to achieve the purposes of processing. In principle, the deletion occurs 14 months after the provision of the data.

Mandatory or required provision, withdrawal of consent

The provision of your personal data in this context is not statutorily required. However, the real-time crash reporter that helps us track, prioritize, and fix stability issues of our app is of essential importance for us to provide a well-functioning app. Against this background, the app usage is only possible if you consent to the use of the named Google services. Nonetheless, you can withdraw your consent to the usage of Google services with effect for the future. Please note that if you withdraw your consent, you will have to access your TIS account via a web browser instead of through the app.

Please also note that the aforementioned tools build on each other and are codependent. Hence, giving and/or withdrawing consent is only possible with regard to all three tools together.

In general, you can restrict the underlying data processing in the settings of your mobile device:

  • Android: Settings –> Google –> Ads –> select “Reset Advertising ID” or “Delete Advertising ID”
  • iOS: Settings –> Privacy –> Tracking –> disable “Allow Apps to Request to Track”

Profiling

With the help of third-party tools, the browsing behavior of the app users can be evaluated and their respective interests analyzed. For this analysis, we create pseudonymous user profiles.

 

2.7.1 Google Analytics for Firebase

This app uses Google Analytics, an analytics service provided by Google. Google Analytics uses a unique device ID that enables us to analyze your usage of the app and to make inferences about user behavior in our app. The information about your use of the app is transmitted to a server of Google in the USA, and stored there. However, due to the activation of IP anonymization, your IP address will be truncated beforehand by Google within the European Union or in an EEA country. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there. On behalf of TIS, Google will use this information to evaluate your use of the app, summarize reports on activities within the app and provide other services related to app usage to TIS.

 

2.7.2 Firebase Crashlytics

Our app uses Firebase Crashlytics, a service of Google, to analyze app errors and to fix problems. Firebase Crashlytics is a real-time crash reporting tool that helps us track, prioritize, and fix stability issues that might occur in our app. If the app crashes, Firebase Crashlytics will generate an anonymized crash report in real time. This report contains information related to your use of our app, your device, app version, time of the crash as well as the device identification number and location data at the time of the crash. Firebase Crashlytics reports enable us to swiftly identify and respond to any technical issues within our app.

 

2.7.3 Firebase App Distribution

Firebase App Distribution is a tool offered by Google. Its main goal is to facilitate the distribution of the app to trusted testers, and to obtain feedback from them. Furthermore, in connection with Firebase Crashlytics, Firebase App Distribution provides stability metrics for the app, hence helping us to be able to provide you a well-functioning and stable app.

 

3. Your rights as the data subject

You can exercise the following rights at any time using the contact details specified above:

  • information on your data stored by us and the processing thereof (Art. 15 GDPR),
  • rectification of inaccurate personal data (Art. 16 GDPR),
  • deletion of your data stored by us (Art. 17 GDPR),
  • restriction of the processing, provided that we may not delete your data due to legal obligations (Art. 18 GDPR),
  • data portability, provided that you have consented to the data processing or have entered into a contract with us (Art. 20 GDPR) and
  • objection to the processing of your data with us (Art. 21 GDPR)

If you have given us consent, you may withdraw it at any time with effect for the future. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You can lodge a complaint with a supervisory authority at any time, e.g. with the supervisory authority of the state of your residence or the authority that oversees us as the responsible party. You can find a list of supervisory authorities under the following link:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

 

4. Information on your right to object according to Art. 21 GDPR

You have the right at any time, for reasons that arise from your particular situation, to object to the processing of personal data pertaining to you based on Art. 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision in accordance with Art. 4 No. 4 GDPR.

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing is for the purpose of enforcing, carrying out or defending legal claims.

 

5. Information on the Joint Controllership Agreement

The aforementioned companies belong to a group of undertakings and jointly operate the TIS mobile app for their customers. A Joint Controllership Agreement concluded between the companies governs the delineation of responsibilities between them.

Data subjects may approach any party of the Joint Controllership Agreement if they wish to obtain additional information on the processing of their data, or to exercise their data protection rights. Should the approached company not be in the position to fulfill the request, it will forward the request to the other, responsible party.

In case you wish to obtain additional information on the Joint Controllership Agreement, please feel free to contact us via one of the communication channels listed above.

 

6. SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (such as SSL) via HTTPS.

 

7. Revision of our privacy policy

We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to reflect changes to our services in the privacy policy. In case of a modification of the privacy policy, your next visit will be subject to the new privacy policy.