We appreciate your interest in our products, our company and our handling of the information you have entrusted to us.

1.  Responsible Parties and Contact Information

The responsible party with regard to data protection laws is Star Finanz-Software Entwicklung und Vertriebs GmbH, Grüner Deich 15, 20097 Hamburg, Germany.

For questions related to data protection, please contact our data protection officer at:

Star Finanz-Software Entwicklung und Vertriebs GmbH, Data Protection Officer, Grüner Deich 15, 20097 Hamburg,
Germany; fax +49 40 23728-350
E-mail: datenschutz@starfinanz.de

1.1  First-time use of the app

When launching the app for the first time, after creating a password and setting up an optional biometric identifier to unlock the app in addition to the password, you will need to enter the name or routing number/BIC of the Sparkasse or bank whose account you want to use. The bank routing number you have entered will then be sent to the Star Finanz server one time in order to connect the app to the server of the respective Sparkasse/bank.

1.2  Ongoing use of the app and its features

After this one-time logging of the bank routing number, all data traffic takes place under the responsibility of the respective financial institution, that is, the institution where you administer the account(s) that you use in relation to the app.

2.  Data Privacy Policies

As a matter of principle, the software products from Star Finanz are designed to favor data privacy by default. This means, for example, that only those personal data required for the product to function are collected (per a policy of data minimization).
We assure you of the lawful and responsible handling of all data that you transmit to us as the user of our products. Hereinafter we would like to provide you with a transparent description of what data we process in detail, what we use it for, and to what extent it is stored by us and/or transmitted to third parties for specific purposes.

2.1  Which sources and information do we use?

We process personal data only within the scope authorized by you personally. In doing so, we only collect and process the data that is absolutely necessary for the maintenance and use of the services provided to you. Prior to use and transmission of your data, all services that transmit personal information indicate the precise scope of the data and require your confirmation of transmission. All of your data belongs to you, therefore we do not pass along any of the data transmitted to us to third parties without your consent unless we are legally obliged to do so, such as when presented with a corresponding court order.
We understand personal data to include, e.g., personal particulars (name, address and other contact information, date and place of birth and nationality), credentials (e.g., ID card information) and authentication information (e.g., signature sample). This may also include order information (e.g., payment order, securities order), data from the fulfillment of our contractual obligations (e.g., sales data in payment transactions), credit limits, product information (e.g., deposit, credit and portfolio transactions), information about your financial situation (e.g., credit information, scoring/rating information, source of assets), advertising and sales information (including ad scores), documentation information (e.g., consultation records), registry information, information about your use of the telemedia we offer (e.g., time at which our websites, apps or newsletter were accessed, clicks on our pages or entries as well as other comparable data provided that it can be discerned from this which person has carried out the action).

2.2  Rules for data processing for the fulfillment of contractual obligations

We process the personal data you transmit to us in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for the provision of our services within the framework of the contractual relationship.

2.3  Processing based on your consent

Insofar as you have given us your consent to the processing of personal data for specific purposes (e.g., transfer of data within the network/group, analysis of payment transaction data for marketing purposes), the legality of this processing is based on your consent. The consent you have given can be revoked at any time.
Please note that the revocation only works with future effect. Any processing that occurred before the revocation is not affected.

2.4  Data protection rights

Per the EU GDPR, you have the right to information about your stored data free of charge (Article 15 GDPR), the right of rectification (Art. 16 GDPR), the right to delete your data (Art. 17 GDPR), the right to restrict processing (Art. 18 GDPR), and the right to data portability (Art. 20 GDPR).
Should you have any questions that this data privacy policy has not been able to answer, or if you would like information about the data that is stored about you, please contact us by e-mail at the address provided under the Contact section.
In addition, you have the right of appeal to a data protection authority (Art. 77 GDPR).

3.  Collection, Storage and Use of Personal Data

3.1  Feedback and support queries

When you send us feedback or a support query, or use the support form on our website, your e-mail address will be used only for correspondence with you and only for the purpose of clarifying your support case. It is not disclosed to third parties.
As part of the support you have requested, you may need to provide us with some of your personal information so that we can fulfill our contractual obligation. In these cases, prior consent from you in accordance with Article 6 of the GDPR is not required.

3.2  Setup of new bank accounts

When the app launches, the routing numbers or BICs of all financial institutions that are set up in the app are sent to us. The data is processed immediately and stored anonymously in order to send you available messages from your financial institutions or about your financial institutions via the app. Furthermore, via this service the app provides us with information about the possible length and makeup of the PIN and TAN of the institutions you have set up, the corresponding URL of the datacenter for direct HBCI communication, and the fingerprints, a short hash value, of the valid SSL certificate. The saved data does not allow any inferences to be drawn about specific users. The data is anonymized and then used to create usage statistics for our apps.

3.3  App launch

If in the app settings you have agreed to the transmission of the online-banking contract ID and the account numbers of the bank connections and accounts set up in the app, this data is sent to us when the app launches. The data is processed immediately and stored anonymously in order to send you available private messages from your financial institutions or about your financial institutions via the app. The data is neither stored nor transmitted to third parties.

3.4  Sending transactions and storing SEPA information

When manually storing an account's SEPA information in the app or when sending transactions, the IBAN and BIC are sent to us for validation. If account numbers and routing numbers are specified for transactions, they are sent to us for conversion to IBAN and BIC. The data is processed immediately in order to display an appropriate message in the event of an error, or to display the data that was converted into IBAN and BIC directly in the form. The data is neither stored nor transmitted to third parties.

3.5  Using "webviews"

The app offers various information in what are called "webviews." These are websites that are displayed in the app. This pertains, for example, to the license terms, (this) data privacy policy, FAQs, help and version history that can be viewed in the app. When using these sites, the data that is sent by the browser when a website is visited and that is necessary to use the site is automatically recorded. These are the web query, the user's IP address, the browser type, the browser language, and the date and time of the website visit. After the end of each use, the data is saved anonymously only in order to improve the quality of the services.

3.6  Photo transfer to automatically complete the transfer form

If you use the app's photo transfer feature, the photo of the invoice or the bank transfer form is transmitted to the Gini GmbH servers via a secure connection and processed there. The data that pertain to the fields of the bank transfer form are transmitted anonymously back to the app via a secure connection so that the fields of the bank transfer form are filled out automatically. After you have approved your bank transfer, the bank transfer data that were used are retransmitted to the service provider in order to verify and improve the quality of the document analysis. The transmitted photo and the data are stored with the service provider for up to four weeks for the purpose of verifiability and documentation and then deleted.
We have negotiated an order processing contract with Gini GmbH, Sonnenstraße 23, 80331 Munich, Germany, for processing the data pursuant to Article 28, Paragraph 3 of the GDPR.

4.  Collection, Storage and Use of Non-personal Data

4.1  App launch

When the app launches, the routing numbers or BICs of all financial institutions that are set up in the app are sent to us. The data is processed immediately and stored anonymously in order to send you available messages from your financial institutions or about your financial institutions via the app. Furthermore, via this service the app provides us with information about the possible length and makeup of the PINs and TANs of the institutions you have set up, the corresponding URL of the datacenter for direct HBCI communication, and the fingerprints of the valid SSL certificate. The saved data does not allow any inferences to be drawn about specific users. The data is anonymized and then used to create usage statistics for our apps.

4.2  App crashes

In the event of an app crash, it can manually or automatically send information to us about the features that had just been invoked provided you agree to do so. This information will allow us to respond more quickly to any problems that might occur and therefore offer you an improved version of the app more quickly through the app stores. The data transmitted in this event does not allow any inferences to be drawn about specific users.

4.3  Storing data to improve the quality of the app

On our centralized secure servers we save anonymized data that we use to monitor which features our users are using. IP addresses, account information and other data that would allow inferences to be drawn about a person are not saved as a part of this. These anonymized data are used to create usage statistics and routinely deleted.

5.  Permissions Requested by the App and Their Use

Before you convey any information or permissions, you must allow this via your device. You can revoke this permission in the app settings.

5.1  Camera & photos

When you attach a photo to a transaction, it will only be saved locally. For this reason you will be asked for permission to access photos on the device (e.g., from albums).
As part of the photo feature for filling out transfers, the photo of the invoice is sent to Gini GmbH and processed as described in section 3.6 in order to read the data and send it back to the app.

5.2  Mobile data

If there is no WiFi connection, the app uses the mobile data connection — for example, when using banking functions such as an account refresh, a bank transfer or viewing webviews.

6.  Data Protection

6.1  Technical safeguards

6.1.1  Star Finanz servers

All the servers we use are configured and installed in-house and operated in high-security datacenters in Germany. The hardware used is supplied by certified well-known manufacturers and is designed to be failsafe and redundant. The transport and installation of the servers to the datacenters is carried out by our own employees, not by subcontractors, logistics companies, or other third parties. We categorically do not store any data on other servers, especially not abroad.
We affirm that all security technologies we use are state-of-the-art and are continuously updated. Our security concepts are constantly being adapted to new findings and renewed to protect your data from theft and misuse. We handle all data that is transmitted to us responsibly and process said data according to all legal provisions on data protection, in particular the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), and using the highest security standards for data processing and storage.

6.1.2  Data transfer

Your data is transferred exclusively via SSL-encrypted connections from your terminal device to our servers operated in high-security datacenters in Germany. During this process, the certificates are checked for validity and, if technically possible on a given platform, the fingerprints of the certificate are additionally verified in order to prevent misuse and man-in-the-middle attacks to the greatest possible extent.
Data transfer to third countries (countries outside the European Economic Area, or EEA) only takes place if it is required for the execution of your orders or by law, or if you have given us your consent. Insofar as it required by law, we will inform you of details separately.

6.1.3  Data processing, length of storage and deletion

Your data is processed and stored on servers that belong to Star Finanz-Software Entwicklung und Vertriebs GmbH in Germany and protected by us through comprehensive technical and organizational safeguards against access by third parties.
Where necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract. The data is then deleted afterwards.
In addition, we are subject to various filing and documentation obligations, which result, inter alia, from the German Commercial Code (HGB) and the German Tax Code (AO). The periods stated therein for storage or documentation are two to ten years, respectively.
Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to §§ 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), for which the regular period of limitation is three years.
After the storage period expires, the data is routinely deleted.

6.2  Organizational safeguards

Within Star Finanz, only internal employees who are involved in the execution and fulfillment of the respective information processes have access to data. Through encryption and anonymization, even with physical access to the systems, the data cannot be read or assigned to particular users via different systems.

6.3  Use of external services

The use of third-party backup services shall be governed by the respective third party's own data protection policies, the content and compliance of which is beyond our control.

7.  Changes to this Data Privacy Policy

We reserve the right to change our privacy policy from time to time to reflect our current legal requirements and changes in our services. The current privacy policy applies to the use of the app.
 
Updated May 2018