Last updated on 19th of December, 2022
Thank you for choosing to avail our Services! We respect your privacy, and we are committed to protecting your personal information.
(Collectively referred to as “Services”)
This Policy is to be read and interpreted together with our Terms and Conditions, available at https://finflx.com/terms-of-use which collectively govern your access to and use of our Site and Services (“Platform”). By using the Platform, you agree to be bound by these policies, which supplement and are incorporated into our Terms and Conditions and Client Agreement. This Policy does not intend to override any clauses present in our Terms and Conditions and Client Agreement.
Any terms not defined in this Policy shall be deemed to have meanings given to them in the Terms and Conditions and/or the Client Agreement, as the case may be.
If you have any questions about this Policy please contact us by email at firstname.lastname@example.org.
From time to time, we may revise, amend or supplement this Policy to reflect necessary changes in law, our personal information collection and usage practices, our Platform, or certain advances in technology. If any material changes are made to this Policy, the changes may be prominently posted on the Site. However, this is not obligatory for us; the onus is on you to occasionally familiarize yourself with the contents of this Policy, for your own information; and particularly to do so every time you access our Platform.
Changes to this Policy are effective when they are published.
FinFlx processes the personal information of the following categories of individuals:
(Collectively referred to as “Data Subject”, “you” and “your”)
The controller of your personal information is the legal entity that determines the “means” and the “purposes” of any processing activities that is carried out in regards to your personal information. Our Services are being provided by two distinct legal entities, i.e., FWS and FIML. Hence, for your convenience, you may find in the table below, the respective details relevant to your personal information when it comes to the exact entity which is the controller of the personal information collected in connection with the use of FWS Services and FIML Services.
FWS and FIML may share your personal information with each other and use it in accordance with this Policy.
The contact details and address of FIML and FWS have been provided below:
We have appointed a Data Protection Officer (“DPO”), who is responsible for overseeing any personal information-related matters, to address any questions in relation to personal information and this Policy. If you have any questions in relation to your personal information and/or this Policy, including requests to exercise your rights related to personal information, please contact us via email on email@example.com.
Your personal information is collected and processed in accordance with the global best data processing principles, including: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability; with all relevant laws and regulations considered; and however applicable.
We collect, use, disclose, transfer, and otherwise process personal information about you, including legal representatives in accordance with this Policy. We do not collect any personal information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life, including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person. The personal information we collect and process includes:
Such personal information is either collected automatically, provided by you directly to us, shared between FWS and FIML, or collected from our affiliates or third-party sources, as required or permitted by applicable law. Such personal information is processed for a variety of purposes including the provision of our Services to you and enhancement of your overall customer experience and marketing. We have provided in Paragraphs 6.5, 6.7, 6.9, 6.11 and 6.13 the categories of your personal information that we process and the sources of collection of such personal information.
As required under the DIFC’s Data Protection Law and ADGM’s Data Protection Regulations, we must have a legal basis for processing your personal information. Such legal bases will depend on the personal information at issue, the specific context in the which the personal information is collected and the purposes for which it is used. We generally only process your data where we are legally required to, where processing is necessary to perform any contracts we entered with you (or to take steps at your request prior to entering into a contract with you), where processing is in our legitimate interests to operate our business and not overridden by your data protection interests or fundamental rights and freedoms, or where we have obtained your consent to do so. We have provided in Paragraphs 6.6, 6.8, 6.10, 6.12 and 6.14 our purposes and legal bases for processing your personal information.
In respect to the personal information that you give us, you should inform us as soon as practicable if there are any errors in the personal information or if there have been any changes to the personal information. Any errors or incomplete personal information may prevent us providing access to the Platform to you or providing Services to our business customers (i.e., the employers of Account Admins and Employees and organisations in which KYC-ed Individuals have beneficial ownership or are authorised representatives and/or signatories).
The personal information that we collect or may collect from Site Visitors include:
Provided below is a list of how we use the personal information of Site Visitors (purpose of processing) and the corresponding legal bases of such processing:
Personal information we collect or may collect from Prospects include:
Provided below is a list of how we use the personal information of Prospects (purpose of processing) and the corresponding legal bases of such processing:
The personal information that we collect or may collect from Account Admins include:
Provided below is a list of how we use the personal information of Account Admins (purpose of processing) and the corresponding legal bases of such processing:
The personal information that we collect or may collect from Employees include:
Provided below is a list of how we use the personal information of Employees (purpose of processing) and the corresponding legal bases of such processing:
The personal information that we collect or may collect from KYC-ed Individuals include:
Provided below is a list of how we use the personal information of KYC-ed Individuals (purpose of processing) and the corresponding legal bases of such processing:
We provide you with choices regarding the personal information we use, particularly concerning any market research and/ or subsequent marketing, advertising and promotion. We may contact you through emails to send you information about our Services or information we feel may interest you and/or to inform you about new products and services we are offering (including promotional offers) (“Marketing Communications”).
You may at any time, object to receive Marketing Communication from us. If you wish to do so, please click on the “Unsubscribe” option available on all Marketing Communications that you may receive from us or by contacting us at firstname.lastname@example.org.
We may also create, process, collect, use and share aggregated, anonymised or de-identified data such as statistical or demographic data for any purpose. Such information will then no longer identify you as an individual person, despite being derived from your personal information. We may also use this information to comply with legal or regulatory obligations.
We may share your personal information with members of our group, service providers and our key partners. Some of these third-parties may be in a jurisdiction outside the laws stated in this Policy, in which case we will take all necessary steps to ensure that your personal information is treated securely and that such transfers are permitted under the applicable data protection laws.
We may also use any or all of the personal information above to administer and manage our business in general, to detect and prevent misuse of our Services (including fraud), and to enforce our Terms and Conditions, Client Agreement or any other contract to which we may be a party to.
As an Account Admin or Onboarded Individual, if you fail, neglect and/ or refuse to, or are unable to provide us any personal information which we necessarily need to provide our Services or which we need to collect by law, we may not be able to perform the Services. In this case, we have the right to discontinue your use of the Platform and/ or may or disapprove your Service requests. In such a situation, we will notify you of our inability to provide you the Service at the earliest.
We may collect and process some of your personal information without your knowledge or consent and only where this is required or permitted by law. We may be compelled to surrender your personal information to legal authorities without your express consent, if presented with a court order or similar legal or administrative order, or as required or permitted by the laws, rules and regulations of any nation, state or other applicable jurisdiction. Please refer to Paragraph 7 for our purposes of processing and the corresponding legal basis.
We specifically recommend that you, as the Data Subject (under this Policy) visit, familiarize, understand the below entity policies, as they are our partners in providing services under the facilities to you. While not a closed, comprehensive, or exhaustive list these are our third-party vendors:
Under the Data Protection Law of DIFC and Data Protection Regulations of ADGM, the Commissioners of Data Protection of the DIFC and ADGM are responsible for administering the respective law and regulations. You (in so far as these laws have application and subject to pertinent exemptions and restrictions stipulated therein) broadly have these rights under the Data Protection Law:
If you wish to exercise any of the rights set out above or any other laws concerning personal information (in so far as same is applicable), please contact us at email@example.com. We may need to request specific information from you to help us confirm your identity. This security measure is to ensure that your personal information is not disclosed to any person who has no right to receive it.
We aim to respond to all legitimate requests without undue delay and within one (1) calendar month of receipt of any request from you. Occasionally it may take us longer than one (1) calendar month, if your request is particularly complex, or if you have made duplicated or numerous requests. In this case, we will notify you of receipt of such request(s) and keep you updated as to the status of progress concerning such request(s).
Whenever possible, you can update your personal information, subject to verification by us. If you wish for us to update your personal information, please contact us at firstname.lastname@example.org to make the required changes. We will retain your personal information for as long as your accounts have not been closed or as may be needed to provide you access to your accounts and/ or our Services, and in compliance with the law.
We retain personal information mentioned under Paragraph 7, including session data linked to your Service usage or account, and all access or use of the Services.
We adhere to all applicable legislative provisions and data protection laws of each jurisdiction we operate in. Should any further information be required, please contact us at email@example.com.
Your personal information will be stored, retained, and processed for no period longer than as required by us for the purposes it was collected for, for the purposes of availing the Services, and for meeting any legal, accounting, reporting, government, regulatory or law enforcement requirements. Specifically for Account Admins and KYC-ed Individuals, we may retain your personal information for a period mandated by AML/CFT laws and regulations applicable to us. Unless required for any of the purposes specified above, we will delete personal information related to closed accounts every twelve (12) calendar months.
To determine the appropriate retention period for your personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we have no ongoing legitimate business needed to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Your personal information is stored and transferred in compliance with the applicable legislation or regulations of DIFC AND ADGM.
We store and process your personal information in data centers within the United Arab Emirates (“UAE”) (Amazon Web Services), wherever we have our premises, wherefrom we provide Services or where our third-party service providers are located.
We may transfer some of your personal information outside DIFC, ADGM and the UAE. Some of the international organisations and countries to which your personal information will benefit from an appropriate data protection regulatory framework as evidenced by an adequacy decision by the appropriate regulatory authority (Adequacy decisions for DIFC and ADGM can be accessed from link 1 and link 2 respectively). However, this may not always be possible. For such international organisations and countries, we shall transfer your personal information, only upon ensuring that a suitable degree of protection is afforded to it through the implementation of the necessary safeguards, such as adequate binding corporate rules or through the inclusion of standard contractual clauses in our agreements with such organisations and countries. If sought by you, we shall notify you of the specific safeguards we adopt to transfer your personal information to such an international organisation and/or country. Further, in all cases we shall take your explicit consent before we transfer your personal information outside of the country.
You have the right to make a complaint at any time to the Commissioners appointed under the DIFC Data Protection Law and ADGM Data Protection Regulations, depending on the controller. However, we would appreciate the opportunity to address your concerns before you approach any such authority. Please contact us in the first instance so that we may try to resolve your complaint swiftly and satisfactorily. Please contact us via email on firstname.lastname@example.org.
As an Account Admin, if you wish to close your accounts, please contact us at email@example.com. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our Terms and Conditions and/or Client Agreement available at firstname.lastname@example.org.
We use industry-standard technical mechanisms and ensure that our affiliates or vendor entities use data encryption technology while implementing restrictions related to the storage of and the ability to access your personal information.
Our facilities are scanned on a regular basis for security holes and known vulnerabilities, to best ensure its security.
Your personal information is contained behind secured networks and is only accessible by a limited number of individuals who have special access rights to such systems and are required to keep the information confidential.
Please note that no transmission over the Internet or any method of electronic storage can be guaranteed to be absolutely 100% secure, however, our best endeavours will be made to secure data and the ability to access your personal information.
Without prejudice to our efforts on protection of your personal information, nothing contained in this Policy constitutes a warranty of security of the facilities, and you agree to transmit data at your own risk.
Please note, that we do not guarantee that your personal information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
Please, always check that any website on which you are asked for financial or payment information in relation to our Services is in fact legitimately owned or operated by us. The risk of impersonating hackers exists and should be taken into account when using our Platform.
If you do receive any suspicious communication of any kind or request, do not provide your information and report it us by contacting our offices immediately at email@example.com. Also, as an Account Admin, please also immediately notify us at firstname.lastname@example.org if you become aware of any unauthorised access to or use of your account.
Since we cannot guarantee against any loss, misuse, unauthorised acquisition, or alteration of personal information, please accept that, as an Account Admin, you play a vital role in protecting the personal information relating to yourself as well as Employees and KYC-ed Individuals, including the adoption of sufficient safety measures such as your choosing of an appropriate password of sufficient length and complexity and to not reveal this password to any third-parties.
Furthermore, we cannot ensure and do not warrant the security or confidentiality of data transmitted to us, or sent and received from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us. If you have reason to believe that your personal information is no longer secure, please contact us.
Lastly, please note that should your personal information be breached, and the security of your rights be at high risk, we shall promptly and immediately communicate to you the nature of the breach which has taken place, the likely consequences of such a breach and shall describe thoroughly the measures we have implemented to address the breach and to mitigate any and all adverse effects to you and your rights. In the unlikely event of a breach occurring, please reach out to us at email@example.com for further information and for further advise on how to mitigate the potential adverse effects of such a breach.
We also aim to conduct all applicable security risk assessments to ensure the availability of risk mitigation controls, to better safeguard the integrity of Data Subject information.
In the case of abuse or breach of security, we are not responsible for any breach of security or for any actions of any third-parties which receive the information illegally.
We will not distribute personal information to be used in mailing lists, surveys, or any other purpose other than what is required to perform our Services in accordance to this Policy.
If you have any questions about our Policy as outlined above, or if you have any complaints, please contact us firstname.lastname@example.org.
If you have any queries or issues pertaining to your information or our Policy or personal information, then please do write to us at any time by emailing us via email@example.com.
This policy was last updated on 19th December, 2022