Or in other words, what we do with your personal data 🤔
Hi there, and nice to meet you! 👋
Oh yeah, before we forget: by using our App you agree to the General Terms and Conditions. You can find them in our App and on our website (www.cake.app/terms). You can’t use our App without agreeing to our General Terms and Conditions.
We guarantee that we treat your personal data confidentially and that we save it in an extremely secure environment. We never pass on your personal data to our commercial partners. Let’s be clear about that.
We don’t save any details of children under the age of 16. That means that we don’t allow children under the age of 16 on our platform. Are you under 16? Then, that’s a shame, you will have to be patient. In this case we ask you not to create a Cake account or to delete your Cake account.
Well, that’s the introduction done, now we can get down to business. Ready?
Your privacy is very important to us. Before we get to the details, we provide a summary of our privacy practices. You can click on the links to learn more, or simply read the full policy below the quick answers. 👍
|Do you store my personal data?||YES|
|Do you store my transactional data?||YES|
|Do you store any other data?||YES|
|Do you use plugins?||YES|
|Will you continue to use my data if I delete my Cake account?||NO|
|Do you delete all my data if I delete my Cake account?||NO|
|Can I exercise my GDPR rights?||YES|
|Can I use your app without the processing of my personal data?||NO|
|Do you sell my personal data?||NO|
|Will you tell commercial partners who I am?||NO|
|Do you earn money with my data?||YES|
|Can I file a complaint somewhere?||YES|
Who are we?
Cake NV is a Belgian company with its registered office at: Hendrik Van Veldekesingel 150/23, 3500 Hasselt, Belgium. Our VAT number is BE 0723.581.891. We are responsible for saving and processing your data (‘controller’). This means we determine the purposes and means of this processing.
We hold a so-called ‘PSD2-licence’, which is an authorisation from the National Bank of Belgium allowing us to offer you payment services. PSD2 stands for ‘Payment Services Directive 2’, which is legislation that ensures European consumers can oblige their bank to share their data with other companies, such as us.
When do we save your data?
We save your data at the following times:
- when you link your payment account to our App
- when you use our App
- when you send us a copy of your ID or passport
- each time our App connects to your bank or payment institution
- each time you contact us or ask us a question
- each time you earn Rewards
- each time you initiate a payment
What data do we record and what do we do with it?
We save various sorts of data for various purposes. For example, we require some personal data to be able to identify you in accordance with current financial rules and regulations and we require other data so we can offer you our great services.
First and foremost, we record the personal data you provide to us via input in our App. This is the data you give us when creating an account in the App (such as your surname, first name, date of birth, and possibly also your email address or the name of your Facebook account in case you decide to use these to create your Cake account). In the second phase, we also collect the details stated on your national ID card or passport. As soon as you provide us with a copy, scan or photo of this, we read out the data from it, put it in a database and save it. We don’t only save that data because we are legally obliged to do so, but also because it enables us to work more effectively. After all, there’s no point in promising you Rewards for a supermarket in Italy when you live in the Netherlands.
Furthermore, we also save your bank account and transaction details of the payment account that you connect to our App. We can use this data to generate useful insights through which you can eventually earn Rewards. So, we need this to be able to provide our services. We get this data through our PSD2 partners. These are specialised companies which ensure that the connection with your bank and the transfer of your transaction data happens securely and in accordance with the security standards of PSD2 legislation. Which partner that is exactly depends on the country in which the bank holding your payment account is located.
In some cases, our App asks you for additional information. If we see, for instance, that your electricity bills are very high, we may ask you a few questions about your family situation. You might, unbeknownst to you, be paying too much. You don’t have to answer the additional questions, but we can only help you if you do. We save the answers you give us and process them in our database so that we can provide you with the most accurate information possible.
We may also ask you additional questions related to an investigation into money laundering or the financing of terrorism. This sounds serious, and that’s because the relevant regulations are exceptionally serious. Do keep in mind that if we ever ask you additional questions or request documents in that context, we keep and process that data because we are legally obliged to do so.
When you contact us through the App, we save the conversations. This helps us to help you. And, by doing so, the next time you ask us a question we can see what communication has gone before.
We record other data, too. To keep it all clear, we have put it all in a table. It indicates which personal data we save, why we do this, on what basis and when.
|Which personal data?||Why?||On what basis?||When?|
|Identification details: surname, first name, date and place of birth, e-mail||– identification – to provide our services – to stay in touch||– legal obligation – contractual – legitimate interest (customer relationship management)||– when registering for the App|
|ID details: surname, first name, date and place of birth, gender, nationality, tax ID no., document expiry date, place of issue, residential address (if available on the ID), photo of the identity document||– identification – to provide our services||– legal obligation||– when claiming Rewards – upon payment initiation|
|Account details: bank or payment institution, account number, account type, account description, balance, available balance, currency||– to provide our services||– legal obligation – contractual||– when linking the payment account to the App|
|Transaction details: account number, transaction description, due date, transaction date, notification, currency, amount, reference, name and address of counterparty, payment initiation||– to provide our services – ML/TF check (money laundering /terrorism financing)||– legal obligation – contractual – legitimate interest (legitimate provision of services to our users)||– upon the connection between the App and your bank|
|PSD2-related data: surname, first name, account number, bank or payment institution, customer access token, bank or payment institution’s authorisation token, IP address, remittance information||– connection with PSD2 partners||– contractual||– upon the connection between the App and the PSD2 partners|
|Usage data: Device brand, operating system, location details, cookies, user data, actions undertaken in the App, crash logs||– providing and improving services||– contractual||– when using the App|
|Anti-Money Laundering: details of the background check, analysis of payment initiations, analysis of the Rewards||– ML/TF check (money laundering /terrorism financing)||– legal obligation||– upon receipt of ID details – upon each payment initiation – when accumulating Rewards|
|Extended data: all kinds of data we receive by asking you questions||– to provide our services||– legitimate interest (improving service levels, product development)||– when communicating with us|
|Communication: all communication between you and us||– to provide our services||– legitimate interest (improving service levels, product development)||– when communicating with us|
|Enrichment data: data we add to other data, such as label categorisation, retailer categorisation, point of sale, comparison with peers, rewards, etc.||– to provide our services||– contractual – legitimate interest (improving service levels, product development)||– when enriching the data|
|Advertising data||– to improve our Cake ads and our direct marketing – campaign management||– consent – legitimate interest (campaign management)||– when using the App – when scanning a QR-code in a Cake ad or when clicking on a weblink in an ad, article or email from Cake|
And what are we going to do with all that data?
First and foremost, we will process the above data so we can offer you all kinds of great services. Below is a summary of what we do. If you would like to know more, please refer to our General Terms and Conditions.
PFM, or Personal Finance Management in full, is the term we use for the advice we provide based on your income and expenses. In order for us to provide that advice, we need all kinds of data about you, your account and your transactions. We do stress though that you are completely at liberty not to follow any of our advice.
You can earn Rewards by shopping with our commercial partners. For you to earn Rewards, we need to be able to link your transactions to those partners’ payment terminals. In addition, we also need to know whether you are eligible to receive a Rewards offer in the first place. This is also determined on the basis of your transaction data. Let us clarify this. As explained in our General Terms and Conditions, a shop can identify a target audience to whom it wants to offer a Reward. Only if you are in that target group will you receive a notification in the App that there is a commercial promotion at that shop.
In order to know whether you are in that target group, we analyze whether you meet certain characteristics. This is also referred to as “profiling”. Indeed, we create a profile about you based on your transaction data, and if this profile matches the target audience of a Rewards promotion, you will automatically receive a notification.
Simply explained: you will only receive notifications for Rewards if we think they suit you.
We will convert the data of the users of our App into anonymous statistics. This enables us to provide commercial companies with useful insights into our users’ behaviour, but they don’t have access to the users’ personal data. We share part of the payment we receive for those insights with the users. That means with you, too. Sounds good, doesn’t it?
Looking for friends
We are going to make it possible for you to make payments to people from your phone’s contact list who also have Cake. You will also be able to receive payments from people who have your phone number in their contact list. How are we going to make that happen? It’s not rocket science. The people who have your phone number in their contact list can see that you have a Cake account and transfer money to you. To make this possible we do need your telephone number and consent. We will ask for your consent when you enter your phone number in the App. We can never use your phone number to make payments in your name. And as much as we would like to hear your voice, we promise we will never call you.
Proud as a peacock
Because we are proud of our App, we like promoting it. And to do that, we use our users’ data and convert it into statistics and anonymous information. For instance: we don’t let on that you use our App, but we do count you as one of the users. We can also count you in on a number of other points in our statistics, but without ever revealing your identity.
To improve our digital marketing campaigns, we also measure how many people download our App after seeing a digital ad. We do this to prevent you from seeing Cake ads on the internet while you have already installed our App. Have you also ever clicked on that one pair of sneakers in a webshop, and 5 months later you still get online ads for that same pair of sneakers? That’s exactly what we want to prevent. In order to configure our digital marketing campaigns as accurately as possible, we measure not only who has downloaded our App, but also who effectively uses our services by creating a Cake account and by linking a bank account. In other words, we track these actions in the App. We only do this if you give your consent for ad analysis. We will ask you for your consent in the App.
In addition to digital marketing campaigns, we also want to be able to promote our App in the real world, for example by means of gigantic billboards or posters full of Cake. In these materials we usually provide a QR code or a web link to download our App. In order to be able to keep an overview and to find out what’s the best place to put up our billboards and posters, we need information about the number of downloads per advertising campaign. That is why we integrate a tracker in every QR code or weblink, which counts the number of downloads of our App. This does not yet enable us to see who used which QR code or web link. We will only be able to link you to a certain campaign if you give your consent for ad analysis.
Staying in touch
We usually communicate with you via the chat in our App, but from time to time, we may also send you an email, just to stay in touch with you and to keep you posted about awesome new features of our app. We won’t cram your mailbox with love letters or useless information, pinky promise! Of course you can unsubscribe from our emails if you don’t like them. You can do this using the unsubscribe button in our emails.
We never share your personal details with commercial partners. Never. But in order to access your payment account details, we need to share a number of personal details with the PSD2 Aggregators. These are businesses that make a connection between us and your bank or payment institution.
The minimum data we have to share to be able to make the connection is listed in the above table under ‘PSD2-related data’. It goes without saying that this collaboration takes place under strict conditions and is extremely secure. All parties concerned are also supervised by a financial supervisory authority.
We love cookies. American chocolate chip cookies are our particular favourite. We also use IT cookies. They are small (text) files we send to your device when you use our App. These files are stored on your device and have various functions.
Therefore, the PSD2 Aggregators and your bank may, to ease identification, place cookies when making a connection between your bank and our App.
We use a number of social plugins to make it easier for you to access the App. We use Google and Facebook. We receive a limited amount of information through Google and Facebook; we only request the e-mail address, name and date of birth and we don’t secretly collect more information. We also make sure that Google and Facebook don’t obtain data about you through our App.
We also use a number of operational plugins that we need to enable our App to work properly. For example, a plugin to enable communication between us, a plugin to make graphics, a plugin to perform checks required by anti-money laundering legislation. We take good care to ensure that these plugins do not store any personal data; we only use these plugins to improve the way the App works.
A number of plugins do record personal data, but there are strict agreements in place about the use of your personal data. This regards Adjust (to track certain actions in the App in case you consent to this, and to track the number of Cake installs per advertising campaign), Intercom (to support and save our conversations), Firebase (to analyse and report crashes during your use of the App) and Amazon (to secure access and to host all data).
Where do we save that data?
We save all our data in an extremely secure environment. We use services from Amazon that provide all kinds of databases, depending on the type of data and purpose for saving the data. The servers Amazon uses are at two different European locations and are extremely well secured.
Of course, we have implemented appropriate technical and organisational measures to ensure the security of the processing of your data. Unfortunately, when it comes to the internet there is no such thing as a 100% guarantee. So, if someone were to break into our database at any point, in principle you can’t claim damages for that. You do have a right to be compensated for damages if your harm is caused by a breach of one of our obligations under the GDPR. But we repeat, we apply high security standards that are tested regularly, both by ourselves as well as our auditors.
Who receives my data?
To be able to offer you our services, we need to disclose some of your data to third parties, which can be divided into the following categories.
|Who receives data?||Why do they receive my data?|
|Cloud database service providers||To enable us to store your data in highly secured and encrypted databases.|
|PSD2 Aggregators||To make a secure connection between our App and your bank, and to ensure that the exchange of data with your bank takes place in accordance with the safety standards of the PSD2 regulations.|
|ICT service providers||To be able to communicate with you through the App in a secure and confidential manner.|
|Entities of the Cake group||Dino Saurus BV is the mother company of Cake. Like a real mother, Dino Saurus BV supports Cake on operational matters. For instance, Dino Saurus BV helps Cake with the processing of transaction data into anonymous statistics.|
|Data analytics service providers||We use different data analysis tools in order to improve our services and to be able to aggregate the transaction data of all the users of our App and to process it into anonymous statistics. We also use data analytics tools to help us improve our marketing strategy and manage our advertising campaigns.|
|Social media platforms||Only if you participate in a social media campaign of Cake, the personal data you shared with us for this campaign (for instance, a photo you posted) may be shared on the relevant social media platforms.|
|Ombudsman services||If you are not satisfied with our services, you can submit a complaint to an ombudsman service. In this case, the ombudsman service may ask us for information about your complaint.|
How long do we process that data?
We process all the data about you for as long as you are using our App. Once you are no longer a user, it depends on which data we are talking about. It sounds complicated, so we will explain.
We store and process your personal data, including account and transaction details, as long as you have a Cake account. From the moment you delete your account, we will stop processing your data for commercial purposes. In other words: if you delete your account, your data will no longer be processed for the purpose of generating anonymized statistics and insights for our commercial partners.
This does not mean that we are allowed to delete all your data when you delete your Cake account. We are legally obliged to keep certain data for a longer period. We fall under financial legislation, in particular, the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism. This Act is also called the Anti-Money Laundering Act. Well, the Anti-Money Laundering Act states in its Article 60 that we are obliged to save a number of details for 10 years after the collaboration has ended. In other words: after you have stopped using our App, we have to save a number of details for another 10 years. These are identification details and registration details of transactions. So, this is something we can’t avoid. However, all other personal data which we are not required to keep will be deleted immediately when you delete your account.
In short, we retain your personal data as long as we need in order to offer you our services, unless we are legally obliged to save it for longer.
Added to that, we may save your personal data longer if you have given us permission to do so, or if we require those details for court proceedings. We will of course do all we can to prevent us ever having to use your details as evidence in court.
In principle, you have a number of rights based on the GDPR. Let’s take a moment to go through these rights. To start with, you have the right to request access to your personal data, to obtain rectification or erasure of your personal data, or to limit the processing of your personal data. You also have the right to object to the processing of your personal data and the right to data portability. Furthermore, you have the right to withdraw your consent to the processing of your personal data at any time. It is a priority for us to respect all these privacy rights. It is, however, important to clarify that we must take the following particularities into account.
As said earlier, we are legally obliged to keep your identification data and transaction registration data for 10 years. Most of your GDPR rights do not apply to this storage. The Anti-Money Laundering Act, Article 65 to be precise, states the following: “The person whose personal data are processed in accordance with this Law does not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.”
Your privacy rights do remain applicable to all other processing operations of your personal data, for example, the processing for offering PFM or Rewards. This means, for example, that you have the right to request that we no longer process your personal data for these purposes, or to limit its processing.
Do keep in mind that we can only offer our services if we store and process your personal data. This is also explained in our General Terms and Conditions. The functionalities of our App, such as Rewards and Personal Finance Management, simply would not work if we could not process your data. For this reason, we, unfortunately, have to terminate our relationship if you request us to limit or stop the processing of your personal data. In this case, you can no longer use our App. Your right of access, rectification, or portability of your personal data can, of course, be exercised without any problem.
When we have processed your transaction data in statistics for our commercial partners, we cannot change or delete the statistical data derived from your personal data. This statistical data has already been processed and it has become impossible to trace it back to the identity of a person. It is therefore no longer personal data that is protected by the GDPR. Consequently, your privacy rights, such as the right to access, rectification or transferability, do not apply to statistical data derived from your personal data.
If you want to exercise your rights, please send us a message directly via the chat tool in the App. Please specify clearly which right you want to exercise. When you contact us directly via the App, you do not need to give us your ID to exercise your rights, considering that we have already identified you when you created your account in the App. If you do not have an account in the Cake App, you can exercise your rights via email to our DPO. In this case, we do ask you to attach a copy of the front of your ID to your email for identification purposes.
Let’s just check
We are under the strict supervision of the financial supervisory authorities. This means that we have to check our users to see whether they are on international sanction lists, PEP (Politically Exposed Persons) lists or other official lists. For this purpose we use the surname, first name, date and place of birth.
Consequently, no one can object to this processing. This also means that if we suspect money laundering or terrorism financing, we are obliged to pass on the personal data with additional information (evidence) to the competent authorities. The GDPR can’t prohibit this.
Who bears the final responsibility for the processing of my data?
As we said earlier, we never ever share your personal data with our commercial partners. Nevertheless, the GDPR regulation provides that our partners are jointly responsible for the processing of your data. That sounds weird, right? The reason for this is that our commercial partners can offer you Rewards, or ask us to produce anonymous statistics and insights. Therefore, the GDPR regulation considers that our commercial partners have a certain influence on the way we process personal data for them, as they have a say on the determination of the purposes and means of processing.
Considering that our commercial partners are jointly responsible for the processing of your personal data, we have made arrangements with our partners, in order to determine our respective responsibilities for compliance with the GDPR regulation. Do you want to know what these arrangements say? We are more than happy to share this information with you! It is actually rather straightforward. As our commercial partners have no access whatsoever to your personal data, and as they are never involved in the storage or protection of your data, we have decided to entirely take on the final responsibility for the processing of your personal data. It seems only right to us that we bear this responsibility, as we are the only party that stores, accesses, protects and processes your personal data.
Since we bear the final responsibility for the processing of your data, we have also agreed with our commercial partners that we are your contact point for all your questions and complaints regarding the protection of your personal data. To exercise your privacy rights, you can come to us.
Do you have questions about your privacy, your rights, or about the way we process your data? Feel free to ask your questions via the chat tool of our App, or to hit up our Data Protection Officer (DPO) for a chat. You can reach our DPO by sending an email to firstname.lastname@example.org.
Do you have a complaint? Send us a message through our App and we will get back to you as soon as possible. If we can’t find a solution, you are free to submit a complaint to a competent authority. In Belgium, this is the Belgian Data Protection Authority.
There we go!
Any questions? Please feel free to ask them through our App’s contact function. We will reply as soon as possible. 👍