Our privacy policy
Or in other words, what we do with your personal data 🤔
Hi there, and nice to meet you! 👋
We respect your privacy. And that makes sense really. This privacy policy explains how we handle all kinds of data, including your personal details. We explain which of your personal details we save, how we process them and why we do this.
Oh yeah, before we forget: by using our App you agree to the General Terms and Conditions. You can find them in our App and on our website (www.cake.app/terms). You can’t use our App without agreeing to our General Terms and Conditions. Considering that this privacy policy is linked to our General Terms and Conditions and it gives you lots of information about how we process your personal data, it is important you thoroughly read through this policy.
We guarantee that we keep your personal data confidential and that we save it in an extremely secure environment. We never pass on your personal data to our commercial partners. Let’s be clear about that.
We save and process your personal data in accordance with the rules of the GDPR, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the national implementing legislation. In this privacy policy we use specific terms that are defined in those regulations (for instance, ‘personal data’, ‘processing’, ‘processor’, ‘controller’).
We don’t save any details of children under the age of 16. That means that we don’t allow children under the age of 16 on our platform. Are you under 16? Then, that’s a shame, you will have to be patient.
Well, that’s the introduction done, now we can get down to business. Ready?
Quick answers
Your privacy is very important to us. Before we get to the details, we provide a summary of our privacy practices. You can click on the links to learn more, or simply read the full policy below the quick answers. 👍
| Do you store my personal data? | YES |
| Do you store my transactional data? | YES |
| Do you store any other data? | YES |
| Do you use cookies? | YES |
| Do you use plugins? | YES |
| Will you continue to use my data if I delete my Cake account? | NO |
| Do you delete all my data if I delete my Cake account? | NO |
| Can I exercise my GDPR rights? | YES |
| Can I use your app without my permission to process my data? | NO |
| Do you sell my personal data? | NO |
| Will you tell commercial partners who I am? | NO |
| Do you earn money with my data? | YES |
| Can I file a complaint somewhere? | YES |
Who are we?
Cake NV is a Belgian company with its registered office at: Groenstraat 42A, 3381 Glabbeek, Belgium. Our VAT number is BE 0723.581.891. We are responsible for saving and processing your data (‘controller’). This means we determine the purposes and means of this processing.
When do we save your data?
We start saving data as soon as you download our App and register.
We then save your data at the following times:
- when you link your payment account to our App
- when you use our App
- when you send us a copy of your ID or passport
- each time our App connects to your bank or payment institution through our PSD2 partners
- each time you contact us or ask us a question
- each time you earn Rewards
What data do we record and what do we do with it?
We save various sorts of data for various purposes. For example, we require some personal data to be able to identify you in accordance with current financial rules and regulations and we require other data so we can offer you our great services.
First and foremost, we record the personal data you provide to us via input in our App. This is the data you give us when registering for the App (surname, first name, date and place of birth), and in the second phase, also the details stated on your national ID card or passport. As soon as you provide us with a copy, scan or photo of this, we put the data from it in a database and save it. We don’t only save that data because we are legally obliged to do so, but also because it enables us to work more effectively. After all, there’s no point in promising you Rewards for a supermarket in Italy when you live in the Netherlands.
Furthermore, we also save your bank account and transaction details. We can use this data to generate useful insights through which you can eventually earn Rewards. So, we need this to be able to provide our services. We get this data through our PSD2 partners. Which partner that is exactly depends on the country in which the bank holding your payment account is located. You can find a list of these partners on our website.
In some cases, our App asks you for additional information. If we see, for instance, that your electricity bills are very high, we may ask you a few questions about your family situation. You might, unbeknownst to you, be paying too much. You don’t have to answer the additional questions, but we can only help you if you do. We save the answers you give us and process them in our database so that we can provide you with the most accurate information possible.
We may also ask you additional questions related to an investigation into money laundering or the financing of terrorism. This sounds serious, and that’s because the relevant regulations are exceptionally serious. Do keep in mind that if we ever ask you additional questions or request documents in that context, we keep and process that data because we are legally obliged to do so.
When you contact us through the App, we save the conversations. This helps us to help you. And, by doing so, the next time you ask us a question we can see what communication has gone before.
There’s more
We record other data, too. To keep it all clear, we have put it all in a table. It indicates which personal data we save, why we do this, on what basis and when.
| Which personal data? | Why? | On what basis? | When? |
| Identification details:
surname, first name, date and place of birth, e-mail |
– identification
– for providing services |
– legal basis
– contractual |
– when registering for the
App |
| ID details:
surname, first name, date and place of birth, gender, nationality, tax ID no., document expiry date, place of issue, residential address (if available on the ID), photo of the front of the national ID card or front of the passport |
– identification
– for providing services |
– legal basis | – when claiming Rewards
– with payment initiation |
| Account details:
bank or payment institution, account number, account type, account description, balance, available balance, currency |
– for providing
services |
– legal basis
– contractual |
– when linking the
payment account to the App |
| Transaction details:
account number, transaction description, due date, transaction date, notification, currency, amount, reference, name of counterparty, payment initiation |
– for providing
services – ML/TF check (money laundering /terrorism financing) |
– legal basis
– contractual |
– with the connection between
the App and the PSD2 partners |
| PSD2-related data:
surname, first name, account number, bank or payment institution, customer access token, bank or payment institution’s authorisation token, IP address, remittance information |
– connection with
PSD2 partners |
– contractual | – with the connection between
the App and the PSD2 partners |
| Usage data:
Device brand, operating system, location details, cookies, user data, crash logs |
– providing +
improving services |
– contractual
– consent |
– when using the App |
| AML:
details of the background check, analysis of payment initiations, analysis of the Rewards |
– ML/TF check
(money laundering /terrorism financing) |
– legal basis | – on receipt of
ID details – with each payment initiation – when accumulating Rewards |
| Extended data:
all kinds of data we receive by asking you questions |
– for providing
services |
– considered
legitimate interest |
– with communication
between you and us |
| Communication:
all communication between you and us |
– for providing
services |
– considered
legitimate interest |
– with communication
between you and us |
| Enrichment data:
data we add to other data, such as label categorisation, retailer categorisation, point of sale, comparison with peers, rewards, etc. |
– for providing
services |
– contractual
– considered legitimate interest |
– when enriching the
data |
And what are we going to do with all that data?
First and foremost, we will process the above data so we can offer you all kinds of great services. Below is a summary of what we do. If you would like to know more, please refer to our General Terms and Conditions.
PFM
PFM, or Personal Finance Management in full, is the term we use for the advice we provide based on your income and expenses. In order for us to provide that advice, we need all kinds of data about you, your account and your transactions. We do stress though that you are completely at liberty not to follow any of our advice.
Rewards
You can earn Rewards by shopping with our commercial partners. To earn Rewards, we need to be able to link your transactions to those partners’ payment terminals.
Insights
We will anonymise all our users’ data and turn it into statistics. This enables us to provide commercial companies with useful insights into our users’ behaviour, but they don’t have access to the users’ personal data. We share part of the payment we receive for those insights with the users. That means with you, too. Sounds good, doesn’t it?
Proud as a peacock
Because we are proud of our App, we like promoting it. And to do that, we use our users’ data and convert it into statistics and anonymous information. For instance: we don’t let on that you use our App, but we do count you as one of the users. We can also count you in on a number of other points in our statistics, but without ever mentioning your name.
PSD2
We never share your personal details with commercial partners. Never. But in order to access your payment account details, we need to share a number of personal details with the PSD2 Aggregators. These are businesses that make a connection between us and your bank or payment institution.
The minimum data we have to share to be able to make the connection is listed in the above table under ‘PSD2-related data’. It goes without saying that this collaboration takes place under strict conditions and is extremely secure. All parties concerned are also supervised by a financial supervisory authority.
Plugins
We use a number of social plugins to make it easier for you to access the App. We use Google and Facebook. We receive a limited amount of information through Google and Facebook; we only request the e-mail address, name and date of birth and we don’t secretly collect more information. We also make sure that Google and Facebook don’t obtain data about you through our App.
We also use a number of operational plugins that we need to enable our App to work properly. For example, a plugin to enable communication between us, a plugin to make graphics, a plugin to perform AML checks. We take good care to ensure that these plugins do not store any personal data; we only use these plugins to improve the way the App works.
A number of plugins have access to your personal data, but there are strict agreements in place about the use of your personal data. This regards Firebase (analyses of the use of the app, crash reports) and Amazon (to secure access and to host all data). You can find a complete list of our plugins on our website.
Where do we save that data?
We save all our data in an extremely secure environment. We use services from Amazon that provide all kinds of databases, depending on the type of data and purpose for saving the data. The servers Amazon uses are at two different European locations and are extremely well secured.
Of course, we do our utmost to protect this database, but we can’t guarantee that. Unfortunately, when it comes to the internet there is no such thing as a 100% guarantee. So, if someone were to break into our database at any point, you can’t hold us responsible for that. Even if it’s not very nice and you encounter problems because of it. But we repeat, we do all we can to ensure that doesn’t happen. We use high security standards that are tested regularly, both by ourselves as well as our auditors.
How long do we save that data?
We save all the data about you for as long as you are using our App. Once you are no longer a user, it depends on which data we are talking about. It sounds complicated, so we will explain.
Firstly, we have the GDPR. Secondly, we also fall under financial legislation. Financial legislation entails the Act of 18 September 2017 on the prevention of money laundering and terrorism financing. That Act is also called the Anti-Money Laundering Act.
Well, the Anti-Money Laundering Act includes Article 60 that states that we are obliged to save a number of details for 10 years after the collaboration has ended. In other words: after you have stopped using our App, we have to save a number of details for another 10 years. These are identification details and registration details of transactions. So, this is something we can’t avoid.
In short, we retain your personal data for the length of time we need in order to do what we do, unless we are legally obliged to save it for longer.
Added to that, we may save your personal data longer if you have given us permission to do so, or if we require those details for court proceedings. We will of course do all we can to prevent us ever having to use your details as evidence in court.
Privacy rights
In principle, you have a number of rights based on the GDPR. Let’s take a moment to go through these rights. To start with, you have the right to request us to obtain access to your personal data, to obtain rectification or erasure of your personal data, or to limit the processing of your personal data. You also have the right to object to the processing of your personal data and the right to data portability. Furthermore, you have the right to withdraw your consent to the processing of your personal data at any time. It is a priority for us to respect all these privacy rights. It is, however, important to clarify that we must take the following particularities into account.
As said earlier, we are legally obliged to keep your identification data and transaction registration data for 10 years. Most of your GDPR rights do not apply to this storage. The Anti-Money Laundering Act, Article 65 to be precise, states the following: “The person whose personal data are processed in accordance with this Law does not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.”
Your privacy rights do remain applicable to the processing of your personal data for commercial purposes, for example, the processing for offering Rewards. This means, for example, that you have the right to request that we no longer process your personal data for these purposes, or to limit its processing.
Do keep in mind that we can only offer our services if we store and process your personal data. This is also explained in our General Terms and Conditions. The functionalities of our App, such as Rewards and Personal Finance Management, simply would not work if we could not process your data. For this reason, we, unfortunately, have to terminate our relationship if you request us to limit or stop the processing of your personal data. In this case, you can no longer use our App. Your right of access, rectification, or portability of your personal data can, of course, be exercised without any problem.
When we have processed your transaction data in statistics for our commercial partners, we cannot change or delete the statistical data derived from your personal data. This statistical data has already been processed and it has become impossible to trace it back to the identity of a person. It is therefore no longer personal data that is protected by the GDPR. Consequently, your privacy rights, such as the right to access, rectification or transferability, do not apply to statistical data derived from your personal data.
Let’s just check
We are under the strict supervision of the financial supervisory authorities. This means that we have to check our users to see whether they are on international sanction lists, PEP (Politically Exposed Persons) lists or other official lists. For this purpose we use the surname, first name, date and place of birth.
Consequently, no one can object to this processing. This also means that if we suspect money laundering or terrorism financing, we are obliged to pass on the personal data with additional information (evidence) to the competent authorities. The GDPR can’t prohibit this.
Who bears the final responsibility for the processing of my data?
As we said earlier, we never ever share your personal data with our commercial partners. Nevertheless, the GDPR regulation provides that our partners are jointly responsible for the processing of your data. That sounds weird, right? The reason for this is that our commercial partners can ask us to produce statistics and insights. Therefore, the GDPR regulation considers that our partners have a certain influence on the way we process personal data into statistics, as they have a say on the determination of the purposes of processing.
Considering that our commercial partners are jointly responsible for the processing of your personal data, we have made arrangements with our partners, in order to determine our respective responsibilities for compliance with the GDPR regulation. Do you want to know what these arrangements say? We are more than happy to share this information with you! It is actually rather straightforward. As our commercial partners have no access whatsoever to your personal data, and as they are never involved in the storage of your data, we have decided to entirely take on the final responsibility for the processing of your personal data. It seems only right to us that we bear this responsibility, as we are the only party that stores, accesses, and processes you personal data.
Since we bear the final responsibility for the processing of your data, we have also agreed with our commercial partners that we are your contact point for all your questions and complaints regarding the protection of your personal data. To exercise your privacy rights, you can come to us.
Not happy?
You don’t agree to this privacy policy. That’s a shame, because then you can’t use our App. We can’t offer you our services unless you agree to them. Collecting, saving and processing data is part of our services, after all.
Complaints?
Do you have a complaint? Send us a message through our App and we will get back to you as soon as possible. If we can’t find a solution, you are free to submit a complaint to the Belgian Data Protection Authority.
There we go!
This was our privacy policy.
Any questions? Please feel free to ask them through our App’s contact function. We will reply as soon as possible. 👍
