Quick answers 

Your privacy is very important to us. Before we get to the details, we provide a summary of our privacy practices. You can click on the links to learn more, or simply read the full policy below the quick answers. 👍

Who are we? 

Cake NV is a Belgian company with its registered office at: Groenstraat 42A, 3381 Glabbeek, Belgium. Our VAT number is BE 0723.581.891. We are responsible for saving and processing your data (‘controller’). This means we determine the purposes and means of this processing. 

When do we save your data? 

We start saving data as soon as you download our App and register.

We then save your data at the following times: 

• when you link your payment account to our App
• when you use our App
• when you send us a copy of your ID or passport
• each time our App connects to your bank or payment institution through our PSD2 partners
• each time you contact us or ask us a question
• each time you earn Rewards

What data do we record and what do we do with it? 

We save various sorts of data for various purposes. For example, we require some personal data to be able to identify you in accordance with current financial rules and regulations and we require other data so we can offer you our great services.  

First and foremost, we record the personal data you provide to us via input in our App. This is the data you give us when registering for the App (surname, first name, date and place of birth), and in the second phase, also the details stated on your national ID card or passport. As soon as you provide us with a copy, scan or photo of this, we put the data from it in a database and save it. We don’t only save that data because we are legally obliged to do so, but also because it enables us to work more effectively. After all, there’s no point in promising you Rewards for a supermarket in Italy when you live in the Netherlands.   

Furthermore, we also save your bank account and transaction details. We can use this data to generate useful insights through which you can eventually earn Rewards. So, we need this to be able to provide our services. We get this data through our PSD2 partners. Which partner that is exactly depends on the country in which the bank holding your payment account is located. You can find a list of these partners on our website. 

In some cases, our App asks you for additional information. If we see, for instance, that your electricity bills are very high, we may ask you a few questions about your family situation. You might, unbeknownst to you, be paying too much. You don’t have to answer the additional questions, but we can only help you if you do. We save the answers you give us and process them in our database so that we can provide you with the most accurate information possible. 

We may also ask you additional questions related to an investigation into money laundering or the financing of terrorism. This sounds serious, and that’s because the relevant regulations are exceptionally serious. Do keep in mind that if we ever ask you additional questions or request documents in that context, we keep and process that data because we are legally obliged to do so. 

When you contact us through the App, we save the conversations. This helps us to help you. And, by doing so, the next time you ask us a question we can see what communication has gone before.

There’s more

We record other data, too. To keep it all clear, we have put it all in a table. It indicates which personal data we save, why we do this, on what basis and when. 

And what are we going to do with all that data? 

First and foremost, we will process the above data so we can offer you all kinds of great services. Below is a summary of what we do. If you would like to know more, please refer to our General Terms and Conditions. 

PFM

PFM, or Personal Finance Management in full, is the term we use for the advice we provide based on your income and expenses. In order for us to provide that advice, we need all kinds of data about you, your account and your transactions. We do stress though that you are completely at liberty not to follow any of our advice.   

Rewards

You can earn Rewards by shopping with our commercial partners. To earn Rewards, we need to be able to link your transactions to those partners’ payment terminals.  

Insights 

We will anonymise all our users’ data and turn it into statistics. This enables us to provide commercial companies with useful insights into our users’ behaviour, but they don’t have access to the users’ personal data. We share part of the payment we receive for those insights with the users. That means with you, too. Sounds good, doesn’t it? 

Proud as a peacock

Because we are proud of our App, we like promoting it. And to do that, we use our users’ data and convert it into statistics and anonymous information. For instance: we don’t let on that you use our App, but we do count you as one of the users. We can also count you in on a number of other points in our statistics, but without ever mentioning your name.

PSD2

We never share your personal details with commercial partners. Never. But in order to access your payment account details, we need to share a number of personal details with the PSD2 Aggregators. These are businesses that make a connection between us and your bank or payment institution.   

The minimum data we have to share to be able to make the connection is listed in the above table under ‘PSD2-related data’. It goes without saying that this collaboration takes place under strict conditions and is extremely secure. All parties concerned are also supervised by a financial supervisory authority.

Cookies

We love cookies. American chocolate chip cookies are our particular favourite. We also use IT cookies. They are small (text) files we send to your device when you use our App. These files are stored on your device and have various functions. 

Therefore, the PSD2 Aggregators and your bank may, to ease identification, place cookies when making a connection between your bank and our App.

Furthermore, we also use cookies to improve the functionality of our services. In our App we may refer to a page on our website, where we then use tracking cookies. We also use cookies to get to know you better so that we can improve the services we offer to you.  

Cookies

We love cookies. American chocolate chip cookies are our particular favourite. We also use IT cookies. They are small (text) files we send to your device when you use our App. These files are stored on your device and have various functions.

Therefore, the PSD2 Aggregators and your bank may, to ease identification, place cookies when making a connection between your bank and our App.

Furthermore, we also use cookies to improve the functionality of our services. In our App we may refer to a page on our website, where we then use tracking cookies. We also use cookies to get to know you better so that we can improve the services we offer to you. 

Plugins

We use a number of social plugins to make it easier for you to access the App. We use Google and Facebook. We receive a limited amount of information through Google and Facebook; we only request the e-mail address, name and date of birth and we don’t secretly collect more information. We also make sure that Google and Facebook don’t obtain data about you through our App. 

We also use a number of operational plugins that we need to enable our App to work properly. For example, a plugin to enable communication between us, a plugin to make graphics, a plugin to perform AML checks. We take good care to ensure that these plugins do not store any personal data; we only use these plugins to improve the way the App works.

A number of plugins have access to your personal data, but there are strict agreements in place about the use of your personal data. This regards Firebase (analyses of the use of the app, crash reports) and Amazon (to secure access and to host all data). You can find a complete list of our plugins on our website.    

Where do we save that data? 

We save all our data in an extremely secure environment. We use services from Amazon that provide all kinds of databases, depending on the type of data and purpose for saving the data. The servers Amazon uses are at two different European locations and are extremely well secured. 

Of course, we do our utmost to protect this database, but we can’t guarantee that. Unfortunately, when it comes to the internet there is no such thing as a 100% guarantee. So, if someone were to break into our database at any point, you can’t hold us responsible for that. Even if it’s not very nice and you encounter problems because of it. But we repeat, we do all we can to ensure that doesn’t happen. We use high security standards that are tested regularly, both by ourselves as well as our auditors. 

How long do we process that data?

We process all the data about you for as long as you are using our App. Once you are no longer a user, it depends on which data we are talking about. It sounds complicated, so we will explain.

We store and process your personal data, including account and transaction details, as long as you have a Cake account. From the moment you delete your account, we will stop processing your data for commercial purposes. In other words: if you delete your account, your data will no longer be processed for the purpose of generating anonymized statistics and insights for our commercial partners.

This does not mean that we are allowed to delete all your data when you delete your Cake account. We are legally obliged to keep certain data for a longer period. We fall under financial legislation, in particular, the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism. This Act is also called the Anti-Money Laundering Act. Well, the Anti-Money Laundering Act states in its Article 60 that we are obliged to save a number of details for 10 years after the collaboration has ended. In other words: after you have stopped using our App, we have to save a number of details for another 10 years. These are identification details and registration details of transactions. So, this is something we can’t avoid. However, all other personal data which we are not required to keep will be deleted immediately when you delete your account.

In short, we retain your personal data for the length of time we need in order to do what we do, unless we are legally obliged to save it for longer.

Added to that, we may save your personal data longer if you have given us permission to do so, or if we require those details for court proceedings. We will of course do all we can to prevent us ever having to use your details as evidence in court.

Privacy rights

In principle, you have a number of rights based on the GDPR. Let’s take a moment to go through these rights. To start with, you have the right to request us to obtain access to your personal data, to obtain rectification or erasure of your personal data, or to limit the processing of your personal data. You also have the right to object to the processing of your personal data and the right to data portability. Furthermore, you have the right to withdraw your consent to the processing of your personal data at any time. It is a priority for us to respect all these privacy rights. It is, however, important to clarify that we must take the following particularities into account.

As said earlier, we are legally obliged to keep your identification data and transaction registration data for 10 years. Most of your GDPR rights do not apply to this storage. The Anti-Money Laundering Act, Article 65 to be precise, states the following: “The person whose personal data are processed in accordance with this Law does not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.”

Your privacy rights do remain applicable to the processing of your personal data for commercial purposes, for example, the processing for offering Rewards. This means, for example, that you have the right to request that we no longer process your personal data for these purposes, or to limit its processing.

Do keep in mind that we can only offer our services if we store and process your personal data. This is also explained in our General Terms and Conditions. The functionalities of our App, such as Rewards and Personal Finance Management, simply would not work if we could not process your data. For this reason, we, unfortunately, have to terminate our relationship if you request us to limit or stop the processing of your personal data. In this case, you can no longer use our App. Your right of access, rectification, or portability of your personal data can, of course, be exercised without any problem.

When we have processed your transaction data in statistics for our commercial partners, we cannot change or delete the statistical data derived from your personal data. This statistical data has already been processed and it has become impossible to trace it back to the identity of a person. It is therefore no longer personal data that is protected by the GDPR. Consequently, your privacy rights, such as the right to access, rectification or transferability, do not apply to statistical data derived from your personal data.

Let’s just check

We are under the strict supervision of the financial supervisory authorities. This means that we have to check our users to see whether they are on international sanction lists, PEP (Politically Exposed Persons) lists or other official lists. For this purpose we use the surname, first name, date and place of birth. 

Consequently, no one can object to this processing. This also means that if we suspect money laundering or terrorism financing, we are obliged to pass on the personal data with additional information (evidence) to the competent authorities. The GDPR can’t prohibit this.

Who bears the final responsibility for the processing of my data?

As we said earlier, we never ever share your personal data with our commercial partners. Nevertheless, the GDPR regulation provides that our partners are jointly responsible for the processing of your data. That sounds weird, right? The reason for this is that our commercial partners can ask us to produce statistics and insights. Therefore, the GDPR regulation considers that our partners have a certain influence on the way we process personal data into statistics, as they have a say on the determination of the purposes of processing.

Considering that our commercial partners are jointly responsible for the processing of your personal data, we have made arrangements with our partners, in order to determine our respective responsibilities for compliance with the GDPR regulation. Do you want to know what these arrangements say? We are more than happy to share this information with you! It is actually rather straightforward. As our commercial partners have no access whatsoever to your personal data, and as they are never involved in the storage of your data, we have decided to entirely take on the final responsibility for the processing of your personal data. It seems only right to us that we bear this responsibility, as we are the only party that stores, accesses, and processes you personal data.

Since we bear the final responsibility for the processing of your data, we have also agreed with our commercial partners that we are your contact point for all your questions and complaints regarding the protection of your personal data. To exercise your privacy rights, you can come to us.

Not happy? 

You don’t agree to this privacy policy. That’s a shame, because then you can’t use our App. We can’t offer you our services unless you agree to them. Collecting, saving and processing data is part of our services, after all.

Complaints? 

Do you have a complaint? Send us a message through our App and we will get back to you as soon as possible. If we can’t find a solution, you are free to submit a complaint to the Belgian Data Protection Authority.