1. Scope of this privacy statement
This privacy statement applies to:
- Bizcuit B.V., who develops, manages and sells a platform for enterprises (“End Users”). Bizcuit developed an app (the “Bizcuit app”) to enable its End Users to, amongst other things, create sales invoices, process purchase invoices and receipts, and pay sales invoices.
- Bizcuit Payments B.V who provides account information services (“AIS”) and payment initiation services (“PIS”); these services are accessible via the Bizcuit app.
Bizcuit B.V. and Bizcuit Payments B.V. will be referred hereafter as “Bizcuit Group”.
2. Purpose of this statement
Bizcuit Group believes that privacy of the persons they do business with is very important. Bizcuit Group actively promotes its employees to be privacy aware. Employees are trained in privacy protection and information security. It has taken technical and organisational measures to protect the personal data it processes.
The purpose of this privacy statement is to inform the customers of Bizcuit Group about the personal data it processes, how this information is used and shared. The privacy statement also describes the rights data-subjects have and how they can exercise these rights.
3. What does processing of personal data mean?
Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’). Processing personal data includes the following activities: collecting, recording, saving, viewing, adapting, using, publishing, transferring and deleting of personal data.
4. What personal data is processed?
Bizcuit Group processes the personal data of:
- Persons who are using Bizcuit as an End User and/or Customer
- Persons who represent a legal entity that is configured in the Bizcuit app
- An ultimate benefit owner (UBO) of a legal entity that is configured in the Bizcuit app
- Persons making use of the Bizcuit platform or app
- Persons want to make use of the payment services provided by Bizcuit Payments (AIS and PIS)
- Counterparts in payments (PIS) and bank transactions (AIS)
- Persons of which data has been entered, uploaded, emailed to, retrieved from connected systems, or otherwise inputted in Bizcuit (e.g. consumers to whom invoices are addressed or from whom invoices have been received)
- Natural persons with whom any Bizcuit Group company is engaged
- Persons who visit the Bizcuit website but who are not (yet) Bizcuit customers
- Job applicants
Of these data subjects the following data is processed:
- Name, postal code, country, location and/or date of birth
- Contact details such as telephone and e-mail address
- Bank account numbers
- Payment history of payments initiated (PIS)
- Transaction history of bank account connected through the Bizcuit app (AIS)
- Information needed to perform legally required Customer Due Diligence (CDD) and transaction monitoring
- Resume of job applicants
5. What is the personal data used for?
The personal data is used by Bizcuit for the following purposes:
- To enter into a contract or to perform a contract
- To comply with legal requirements
- Bizcuit’s legislative interest e.g. fraud detection, safety of transactions
- The consent given by the data subject. This consent can be revoked at any time.
6. Protection of Personal Data
Bizcuit Group has measures in place to ensure that client data is stored securely to prevent unauthorized access. Bizcuit Group systems are protected through a combination of physical and electronic access controls, firewall technology, and other security measures. Bizcuit Group maintains segregated access to systems, to ensure that the only staff who have access to client data are those who facilitate the purpose for which clients shared their data. IT administrators with broader access sign additional agreements obligating them to protect client data. Bizcuit Group requires the same standards of security from their service providers.
7. Personal Data shared
Bizcuit Group may use third parties for certain services that need the processing of Personal data, such as a specialized KYC service provider, a specialized provider of Compliance and Risk services, a specialized IT-security provider, payroll processors, insurers, IT-providers, other service providers and auditors. In these instances, Bizcuit Group only shares the personal data that is needed to perform that specific service, and makes sure that the personal data is being treated by the third party adhering to the same standards as upheld within Bizcuit Group with regards to data safety and privacy Bizcuit Group does not share personal data outside the EU.
8. Data minimization
- All personal data is stored for a finite period of time
- Personal data will be deleted or anonymized if no longer necessary
9. Rights of data subjects
The persons of whom Bizcuit Group collects data (“Data subjects”) have the following rights:
- The right to information about which Personal data is processed and for what purpose
- The right to ask for rectification of their Personal data or to delete their data
- The right to restriction, which means that clients have the right to request a restriction on the data Bizcuit Group can use in the future
- The right to ask for a copy of their Personal data that are recorded by Bizcuit Group
- The right to object or to complain about the collection, processing and storage of their Personal data
10. How to exercise these rights
Data subjects can exercise their rights by sending an email to Bizcuit Group:
For the attention of the Privacy Officer
If a Data Subject requests for deletion of the Personal data, please note that this can only be executed if retention of the data is not bound by law or regulation. If access to Personal data is requested, Bizcuit Group will provide an overview of processed and stored data (e.g. showing what data Is stored in a database) or copies of documents containing personal data.
Bizcuit Group will reply within one month after receipt of a Data Subject’s request to exercise its rights. In case it is expected that the reply will take more time, the Data Subject will be informed of the expected timeframe to answer. The Data Subject will be required to provide identification when exercising his/her rights.
The address above can also be used to file a complaint on the processing of Personal Data by Bizcuit Group. Please indicate in the complaint to which Bizcuit entity the complaint refers. The person complaining will receive an acknowledgement of receipt in which the process of complaint handling will be explained. In case a Data Subject is not (completely) satisfied with the complaint handling of Bizcuit Group the Data Subject has the right to submit its complaint to the Data Protection Authority of the Netherlands.
Date of this Privacy Statement: November 20, 2019.
Bizcuit Group has the right to unilaterally change this Privacy Statement. This is the most recent version. Earlier versions are available on request from Bizcuit Group.