Our privacy policy
Or in other words, what we do with your personal data 🤔
Hi there, and nice to meet you! 👋
We respect your privacy. And that makes sense really. This privacy policy explains how we handle all kinds of data, including your personal details. We explain which of your personal details we save, how we process them and why we do this.
Oh yeah, before we forget: by using our App you agree to the General Terms and Conditions. You can find them in our App and on our website (www.cake.app/terms). You can’t use our App without agreeing to our General Terms and Conditions. Considering that this privacy policy is linked to our General Terms and Conditions and it gives you lots of information about how we process your personal data, it is important you thoroughly read through this policy.
We guarantee that we treat your personal data confidentially and that we save it in an extremely secure environment. We never pass on your personal data to our commercial partners. Let’s be clear about that.
We save and process your personal data in accordance with the rules of the GDPR, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the national implementing legislation. In this privacy policy we use specific terms that are defined in those regulations (for instance, ‘personal data’, ‘processing’, ‘processor’, ‘controller’).
We don’t save any details of children under the age of 16. That means that we don’t allow children under the age of 16 on our platform. Are you under 16? Then, that’s a shame, you will have to be patient.
Well, that’s the introduction done, now we can get down to business. Ready?
Quick answers
Your privacy is very important to us. Before we get to the details, we provide a summary of our privacy practices. You can click on the links to learn more, or simply read the full policy below the quick answers. 👍
| Do you store my personal data? | YES |
| Do you store my transactional data? | YES |
| Do you store any other data? | YES |
| Do you use cookies? | YES |
| Do you use plugins? | YES |
| Will you continue to use my data if I delete my Cake account? | NO |
| Do you delete all my data if I delete my Cake account? | NO |
| Can I exercise my GDPR rights? | YES |
| Can I use your app without my permission to process my data? | NO |
| Do you sell my personal data? | NO |
| Will you tell commercial partners who I am? | NO |
| Do you earn money with my data? | YES |
| Can I file a complaint somewhere? | YES |
Who are we?
Cake NV is a Belgian company with its registered office at: Groenstraat 42A, 3381 Glabbeek, Belgium. Our VAT number is BE 0723.581.891. We are responsible for saving and processing your data (‘controller’). This means we determine the purposes and means of this processing.
We hold a so-called ‘PSD2-licence’, which is an authorisation from the National Bank of Belgium allowing us to offer you payment services. PSD2 stands for ‘Payment Services Directive 2’, which is legislation that ensures European consumers can oblige their bank to share data with other companies, such as us.
When do we save your data?
We start saving data as soon as you download our App and register.
We then save your data at the following times:
- when you link your payment account to our App
- when you use our App
- when you send us a copy of your ID or passport
- each time our App connects to your bank or payment institution
- each time you contact us or ask us a question
- each time you earn Rewards
What data do we record and what do we do with it?
We save various sorts of data for various purposes. For example, we require some personal data to be able to identify you in accordance with current financial rules and regulations and we require other data so we can offer you our great services.
First and foremost, we record the personal data you provide to us via input in our App. This is the data you give us when registering for the App (surname, first name, date and place of birth), and in the second phase, also the details stated on your national ID card or passport. As soon as you provide us with a copy, scan or photo of this, we put the data from it in a database and save it. We don’t only save that data because we are legally obliged to do so, but also because it enables us to work more effectively. After all, there’s no point in promising you Rewards for a supermarket in Italy when you live in the Netherlands.
Furthermore, we also save your bank account and transaction details. We can use this data to generate useful insights through which you can eventually earn Rewards. So, we need this to be able to provide our services. We get this data through our PSD2 partners. These are specialised companies which ensure that the connection with your bank and the transfer of your transaction data happens in accordance with the security standards of PSD2 legislation. Which partner that is, exactly, depends on the country in which the bank holding your payment account is located. You can find a list of these partners on our website.
In some cases, our App asks you for additional information. If we see, for instance, that your electricity bills are very high, we may ask you a few questions about your family situation. You might, unbeknownst to you, be paying too much. You don’t have to answer the additional questions, but we can only help you if you do. We save the answers you give us and process them in our database so that we can provide you with the most accurate information possible.
We may also ask you additional questions related to an investigation into money laundering or the financing of terrorism. This sounds serious, and that’s because the relevant regulations are exceptionally serious. Do keep in mind that if we ever ask you additional questions or request documents in that context, we keep and process that data because we are legally obliged to do so.
When you contact us through the App, we save the conversations. This helps us to help you. And, by doing so, the next time you ask us a question we can see what communication has gone before.
There’s more
We record other data, too. To keep it all clear, we have put it all in a table. It indicates which personal data we save, why we do this, on what basis and when.
| Which personal data? | Why? | On what basis? | When? |
|
Identification details: surname, first name, date and place of birth, e-mail |
– identification
|
– legal obligation |
– when registering for the App |
|
ID details: surname, first name, date and place of birth, gender, nationality, tax ID no., document expiry date, place of issue, residential address (if available on the ID), photo of the identity document |
– identification – to provide our services |
– legal obligation |
– when claiming Rewards – upon payment initiation |
|
Account details: bank or payment institution, account number, account type, account description, balance, available balance, currency |
– to provide our services |
– legal obligation – contractual |
– when linking the payment account to the App |
|
Transaction details: account number, transaction description, due date, transaction date, notification, currency, amount, reference, name and address of counterparty, payment initiation |
– to provide our services – ML/TF check |
– legal obligation – contractual – legitimate |
– upon the connection between the App and your bank |
|
PSD2-related data: surname, first name, account number, bank or payment institution, customer access token, bank or payment institution’s authorisation token, IP address, remittance information |
– connection with PSD2 partners | – contractual | – upon the connection between the App and the PSD2 partners |
|
Usage data: Device brand, operating system, location details, cookies, user data, crash logs |
– providing and improving services |
– contractual – consent |
– when using the App |
|
Anti-Money Laundering: details of the background check, analysis of payment initiations, analysis of the Rewards |
– ML/TF check (money laundering /terrorism financing) |
– legal obligation |
– upon receipt of – upon each – when accumulating |
|
Extended data: all kinds of data we receive by asking you questions |
– to provide our services | – legitimate interest (improving service levels, product development) |
– when communicating with us |
|
Communication: all communication between you and us |
– to provide our services | – legitimate interest (improving service levels, product development) |
– when communicating with us |
|
Enrichment data: data we add to other data, such as label categorisation, retailer categorisation, point of sale, comparison with peers, rewards, etc. |
– to provide our services |
– contractual – legitimate |
– when enriching the data |
And what are we going to do with all that data?
First and foremost, we will process the above data so we can offer you all kinds of great services. Below is a summary of what we do. If you would like to know more, please refer to our General Terms and Conditions.
PFM
PFM, or Personal Finance Management in full, is the term we use for the advice we provide based on your income and expenses. In order for us to provide that advice, we need all kinds of data about you, your account and your transactions. We do stress though that you are completely at liberty not to follow any of our advice.
Rewards
You can earn Rewards by shopping with our commercial partners. To earn Rewards, we need to be able to link your transactions to those partners’ payment terminals. In addition, we also need to know whether you are eligible to receive a Rewards offer in the first place. This is also determined on the basis of your transaction data. Let us clarify this. As explained in our General Terms and Conditions, a shop can identify a target audience to whom it wants to offer a Reward. Only if you are in that target group, you will receive a notification in the App that there is a commercial promotion at that shop.
In order to know whether you are in that target group, we analyze whether you meet certain characteristics. This is also referred to as “profiling”. Indeed, we create a profile about you based on your transaction data, and if this profile matches the target audience of a Rewards promotion, you will automatically receive a notification.
Simply explained: you will only receive notifications for Rewards if we think they suit you.
In other words (and now we do need to bring up our legal vocabulary): Rewards involve direct marketing based on automated profiling. You have the right to object to this. We will get back to your privacy rights later in this Privacy Policy.
Insights
We will anonymise all our users’ data and turn it into statistics. This enables us to provide commercial companies with useful insights into our users’ behaviour, but they don’t have access to the users’ personal data. We share part of the payment we receive for those insights with the users. That means with you, too. Sounds good, doesn’t it?
Proud as a peacock
Because we are proud of our App, we like promoting it. And to do that, we use our users’ data and convert it into statistics and anonymous information. For instance: we don’t let on that you use our App, but we do count you as one of the users. We can also count you in on a number of other points in our statistics, but without ever mentioning your name.
Staying in touch
We usually communicate with you via the chat in our app, but if you’re not a frequent visitor, we may also send you an email every once in a while, just to stay in touch with you and to keep you posted about awesome new features of our app. We won’t cram your mailbox with love letters or useless information, pinky promise!
PSD2
We never share your personal details with commercial partners. Never. But in order to access your payment account details, we need to share a number of personal details with the PSD2 Aggregators. These are businesses that make a connection between us and your bank or payment institution.
The minimum data we have to share to be able to make the connection is listed in the above table under ‘PSD2-related data’. It goes without saying that this collaboration takes place under strict conditions and is extremely secure. All parties concerned are also supervised by a financial supervisory authority.
Plugins
We use a number of social plugins to make it easier for you to access the App. We use Google and Facebook. We receive a limited amount of information through Google and Facebook; we only request the e-mail address, name and date of birth and we don’t secretly collect more information. We also make sure that Google and Facebook don’t obtain data about you through our App.
We also use a number of operational plugins that we need to enable our App to work properly. For example, a plugin to enable communication between us, a plugin to make graphics, a plugin to perform checks required by anti-money laundering legislation. We take good care to ensure that these plugins do not store any personal data; we only use these plugins to improve the way the App works.
A number of plugins have access to your personal data, but there are strict agreements in place about the use of your personal data. This regards Firebase (analyses of the use of the app, crash reports) and Amazon (to secure access and to host all data). You can find a complete list of our plugins on our website.
Where do we save that data?
We save all our data in an extremely secure environment. We use services from Amazon that provide all kinds of databases, depending on the type of data and purpose for saving the data. The servers Amazon uses are at two different European locations and are extremely well secured.
Of course, we have implemented appropriate technical and organisational measures to ensure the security of the processing of your data. Unfortunately, when it comes to the internet there is no such thing as a 100% guarantee. So, if someone were to break into our database at any point, you can’t claim damages for that, unless your harm is caused by a breach of our obligations under the GDPR. But we repeat, we apply high security standards that are tested regularly, both by ourselves as well as our auditors.
Who receives my data?
To be able to offer you our services, we need to disclose some of your data to third parties, which can be divided into the following categories.
| Who receives data? | Why do they receive my data? |
| Cloud database service providers | To enable us to store your data in highly secured and encrypted databases. |
| PSD2 Aggregators | To make a secure connection between our App and your bank, and to ensure that the exchange of data with your bank takes place in accordance with the safety standards of the PSD2 regulations. |
| ICT service providers | To be able to communicate with you through the App in a secure and confidential manner. |
| Entities of the Cake group | Dino Saurus is the mother company of Cake. Like a real mother, Dino Saurus supports Cake on operational matters. For instance, Dino Saurus helps Cake with the processing of transaction data into anonymous statistics. |
| Data analytics service providers | We use different data analysis tools in order to improve our services and to be able to aggregate the transaction data of all the users of our App and to process it into anonymous statistics. |
| Social media platforms | Only if you participate in a social media campaign of Cake, the personal data you shared with us for this campaign (for instance, a photo you posted) may be shared on the relevant social media platforms. |
| Ombudsman services | If you are not satisfied with our services, you can submit a complaint to an ombudsman service. In this case, the ombudsman service may ask us for information about your complaint. |
As some of these service providers are located outside the European Economic Area, Cake may transfer personal data to third countries, in particular the United States. These transfers are only made to service providers that are certified under the EU-US Privacy Shield. With regard to these transfers, there is an adequacy decision by the European Commission in place (namely, Decision 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield). This ensures that the protection of your personal data is safeguarded.
How long do we process that data?
We process all the data about you for as long as you are using our App. Once you are no longer a user, it depends on which data we are talking about. It sounds complicated, so we will explain.
We store and process your personal data, including account and transaction details, as long as you have a Cake account. From the moment you delete your account, we will stop processing your data for commercial purposes. In other words: if you delete your account, your data will no longer be processed for the purpose of generating anonymized statistics and insights for our commercial partners.
This does not mean that we are allowed to delete all your data when you delete your Cake account. We are legally obliged to keep certain data for a longer period. We fall under financial legislation, in particular, the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism. This Act is also called the Anti-Money Laundering Act. Well, the Anti-Money Laundering Act states in its Article 60 that we are obliged to save a number of details for 10 years after the collaboration has ended. In other words: after you have stopped using our App, we have to save a number of details for another 10 years. These are identification details and registration details of transactions. So, this is something we can’t avoid. However, all other personal data which we are not required to keep will be deleted immediately when you delete your account.
In short, we retain your personal data for the length of time we need in order to do what we do, unless we are legally obliged to save it for longer.
Added to that, we may save your personal data longer if you have given us permission to do so, or if we require those details for court proceedings. We will of course do all we can to prevent us ever having to use your details as evidence in court.
Privacy rights
In principle, you have a number of rights based on the GDPR. Let’s take a moment to go through these rights. To start with, you have the right to request us to obtain access to your personal data, to obtain rectification or erasure of your personal data, or to limit the processing of your personal data. You also have the right to object to the processing of your personal data and the right to data portability. Furthermore, you have the right to withdraw your consent to the processing of your personal data at any time. It is a priority for us to respect all these privacy rights. It is, however, important to clarify that we must take the following particularities into account.
As said earlier, we are legally obliged to keep your identification data and transaction registration data for 10 years. Most of your GDPR rights do not apply to this storage. The Anti-Money Laundering Act, Article 65 to be precise, states the following: “The person whose personal data are processed in accordance with this Law does not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.”
Your privacy rights do remain applicable to the processing of your personal data for commercial purposes, for example, the processing for offering Rewards. This means, for example, that you have the right to request that we no longer process your personal data for these purposes, or to limit its processing.
Do keep in mind that we can only offer our services if we store and process your personal data. This is also explained in our General Terms and Conditions. The functionalities of our App, such as Rewards and Personal Finance Management, simply would not work if we could not process your data. For this reason, we, unfortunately, have to terminate our relationship if you request us to limit or stop the processing of your personal data. In this case, you can no longer use our App. Your right of access, rectification, or portability of your personal data can, of course, be exercised without any problem.
When we have processed your transaction data in statistics for our commercial partners, we cannot change or delete the statistical data derived from your personal data. This statistical data has already been processed and it has become impossible to trace it back to the identity of a person. It is therefore no longer personal data that is protected by the GDPR. Consequently, your privacy rights, such as the right to access, rectification or transferability, do not apply to statistical data derived from your personal data.
If you want to exercise your rights, please send us a message directly via the chat tool in the App. Please specify clearly which right you want to exercise. When you contact us directly via the App, you do not need to give us your ID to exercise your rights, considering that we have already identified you when you created your account in the App. If you do not have an account in the Cake App, you can exercise your rights via email to our DPO. In this case, we do ask you to attach a copy of the front of your ID to your email for identification purposes.
Let’s just check
We are under the strict supervision of the financial supervisory authorities. This means that we have to check our users to see whether they are on international sanction lists, PEP (Politically Exposed Persons) lists or other official lists. For this purpose we use the surname, first name, date and place of birth.
Consequently, no one can object to this processing. This also means that if we suspect money laundering or terrorism financing, we are obliged to pass on the personal data with additional information (evidence) to the competent authorities. The GDPR can’t prohibit this.
Who bears the final responsibility for the processing of my data?
As we said earlier, we never ever share your personal data with our commercial partners. Nevertheless, the GDPR regulation provides that our partners are jointly responsible for the processing of your data. That sounds weird, right? The reason for this is that our commercial partners can offer you Rewards, or ask us to produce statistics and insights. Therefore, the GDPR regulation considers that our partners have a certain influence on the way we process personal data for them, as they have a say on the determination of the purposes and means of processing.
Considering that our commercial partners are jointly responsible for the processing of your personal data, we have made arrangements with our partners, in order to determine our respective responsibilities for compliance with the GDPR regulation. Do you want to know what these arrangements say? We are more than happy to share this information with you! It is actually rather straightforward. As our commercial partners have no access whatsoever to your personal data, and as they are never involved in the storage of your data, we have decided to entirely take on the final responsibility for the processing of your personal data. It seems only right to us that we bear this responsibility, as we are the only party that stores, accesses, and processes you personal data.
Since we bear the final responsibility for the processing of your data, we have also agreed with our commercial partners that we are your contact point for all your questions and complaints regarding the protection of your personal data. To exercise your privacy rights, you can come to us.
Not happy?
You are not happy with this privacy policy? That’s a shame, because we can’t offer you our services without processing your personal data. Collecting, saving and processing data is part of our services, after all. If you want to stop us from processing your data for commercial purposes, it is sufficient to delete your Cake account. You can do this via your profile settings in the app.
Questions?
Do you have questions about your privacy, your rights, or about the way we process your data? Feel free to ask your questions via the chat tool of our App, or to hit up our Data Protection Officer (DPO) for a chat. You can reach him by sending an email to dpo@cake.app.
Complaints?
Do you have a complaint? Send us a message through our App and we will get back to you as soon as possible. If we can’t find a solution, you are free to submit a complaint to a competent authority. In Belgium, this is the Belgian Data Protection Authority.
There we go!
This was our privacy policy.
Any questions? Please feel free to ask them through our App’s contact function. We will reply as soon as possible. 👍
EN 
NL 
FR