DRAFT — for demo and vendor-risk-review purposes only. This document has not yet been reviewed by counsel. Final wording will be substituted before pilot launch. Do not rely on this draft for any binding commercial decision.
Privacy Policy
Effective from 1 May 2026 — Version 1
This Privacy Policy describes how Fintum Market Intelligence GmbH ("we", "us", "our") processes personal data on the Market Intelligence platform at `platform.fintum-mi.com` and on the public legal pages at `/legal/*`. It is written to satisfy our information obligations under Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and, for cookies and similar technologies, § 25 of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG, formerly the TTDSG; the Telemediengesetz it partly replaced was repealed in May 2024).
1. Controller and contact
The controller responsible for processing the personal data described in this Policy is:
Fintum Market Intelligence GmbH
Abt-Plazidus-Str. 24
97359 Schwarzach am Main
Germany
Managing Director (Geschäftsführer): David Siegl
Registered: Amtsgericht Würzburg, HRB [[FILL: HRB-Nummer]]
USt-IdNr.: [[FILL: USt-IdNr]]
For privacy-related questions, requests under Articles 15 to 22 GDPR, or any other data-protection matter, contact our Data Protection Officer at dpo (at) fintum-mi.com or our privacy team at privacy (at) fintum-mi.com. Postal correspondence reaches us at the address above.
2. Scope of this Policy
This Policy covers personal data we process in our role as controller — that is, data we collect about visitors and Authorized Users of the Market Intelligence platform itself (account creation, login, support interactions, public-page visits).
It does not cover:
- Personal data we process as a processor on behalf of our enterprise customers. That processing is governed by the Data Processing Agreement at /legal/dpa/v1, which is the controlling document between us and the customer entity.
- Personal data processed by the el-fondo consumer application, which is a separate product with its own privacy disclosures.
- Personal data that our subprocessors process in their own capacity as controllers (for example their own account and billing records about us). Their respective privacy policies are linked from our Subprocessor list at /legal/subprocessors/v1.
3. What personal data we collect
We collect personal data in the following contexts.
3.1 Account creation and onboarding
When a Global Admin invites a new company or a Company Admin invites a new user, the platform receives:
- Full name, work email address, role within the customer organisation
- Time of invitation, IP address of the inviter, IP address of the acceptor on first login
3.2 Authentication and session
On every login the platform records:
- Authentication method (password, MFA factor, WebAuthn credential, SSO assertion)
- Timestamp, IP address, approximate geolocation derived from the IP, device fingerprint and a user-supplied device label
- The result of the login (success, failure, MFA challenge, lockout)
3.3 Platform usage
While the user is signed in:
- The endpoints they call (audit-logged when they touch sensitive operations such as user management, license changes, or data exports)
- Time of last activity, used to enforce idle timeouts
- Preferences they set (timezone, locale, dashboard layout, notification settings)
We do not load any third-party analytics, advertising, or product-tracking script in the browser. There is no PostHog, Plausible, Google Analytics, Mixpanel, Amplitude, or comparable telemetry on the platform. Behavioural data we keep is server-side only and is described above.
3.4 Support and billing
When you open a support ticket or correspond with our sales team:
- The contents of your message and any attachments you choose to share
- The metadata of the channel you use (email headers, in-app ticket identifiers)
- Billing contact name, address, and tax identifiers for invoice generation
3.5 Public legal pages
The pages at `/legal/*` are accessible without an account. We do not set cookies on these pages beyond the strictly necessary session cookies described in §5, and those are present only for users who arrive already signed in. Standard server-access logs (IP address, user-agent, request URL, timestamp) are retained for 14 days for security monitoring.
4. Lawful bases for processing
| Purpose | Categories of data | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Provide the platform to Authorized Users | Account, authentication, usage | Art. 6 (1) (b) — performance of the contract between us and the Authorized User's company |
| Authenticate users and prevent unauthorised access | Authentication, IP, device fingerprint | Art. 6 (1) (f) — legitimate interest in platform security; balanced against the user's interest in confidentiality |
| Bill the customer and meet tax obligations | Billing contact, tax IDs, invoice data | Art. 6 (1) (b) and Art. 6 (1) (c) — contract and legal obligation under HGB / AO |
| Respond to support inquiries | Ticket contents, contact metadata | Art. 6 (1) (b) — performance of the contract |
| Send security alerts (new device, new country) | Authentication metadata, email | Art. 6 (1) (f) — legitimate interest in account-takeover detection |
| Comply with audit, retention, and reporting obligations | Audit log, financial data | Art. 6 (1) (c) — legal obligation |
| Defend or pursue legal claims | Any data above as relevant | Art. 6 (1) (f) — legitimate interest |
We do not rely on consent (Art. 6 (1) (a)) for any of the platform processing described in this Policy, because all of it is necessary for the platform to function or for us to meet a legal obligation. Where consent becomes relevant in the future (for example if we add an opt-in product analytics layer), we will request it through a clear opt-in mechanism and document the consent through a cookie / consent log.
5. Cookies and similar technologies
The platform sets exactly two cookies, both classified as strictly necessary under § 25 (2) TDDDG (formerly TTDSG) and Article 5 (3) of the ePrivacy Directive:
| Cookie | Purpose | Lifetime | Attributes |
|---|---|---|---|
| `access_token` | Short-lived session JWT | minutes | HttpOnly, Secure, SameSite=Lax |
| `refresh_token` | Refresh of the session JWT without re-login | days | HttpOnly, Secure, SameSite=Lax, restricted path |
In addition, the platform holds a CSRF token in memory, bound to the session JWT. The token is never written to a cookie, to localStorage, or to any other persistent client-side storage.
Because we do not place any non-essential cookies, no consent banner is required under the TDDDG / ePrivacy rules. If we add non-essential cookies in the future, we will introduce a granular consent flow before that change goes live.
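The following is an added example, not the platform's own code, of what the cookie table and the CSRF statement above amount to on the server side: the two Set-Cookie headers with the stated attributes, and a CSRF token that is a keyed hash of the session so it cannot be replayed against a different session. Everything beyond the policy text is an assumption for illustration: the lifetimes (15 minutes and 7 days, where the policy only says "minutes" and "days"), the refresh path `/auth/refresh`, the binding of the CSRF token to the JWT's `jti` claim via HMAC-SHA256, and the demo key.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side key that binds CSRF tokens to sessions.
# Constructed for this example; a real deployment loads a random key from a secret store.
CSRF_KEY = b"example-csrf-binding-key-not-for-production"

# Assumed lifetimes in seconds; the policy only states "minutes" and "days".
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600
# Assumed refresh endpoint; the policy only says the refresh cookie is path-restricted.
REFRESH_PATH = "/auth/refresh"


def build_session_cookies(access_jwt, refresh_jwt):
    """Return the two Set-Cookie header values from the cookie table.

    Both are HttpOnly (unreadable from script), Secure (HTTPS only) and
    SameSite=Lax. The refresh cookie is additionally confined to REFRESH_PATH,
    so ordinary API requests never carry the long-lived token.
    """
    access = (f"access_token={access_jwt}; Max-Age={ACCESS_TTL}; Path=/; "
              "HttpOnly; Secure; SameSite=Lax")
    refresh = (f"refresh_token={refresh_jwt}; Max-Age={REFRESH_TTL}; "
               f"Path={REFRESH_PATH}; HttpOnly; Secure; SameSite=Lax")
    return [access, refresh]


def parse_set_cookie(header):
    """Split a Set-Cookie value into name/value plus an attribute map (bare flags map to True)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    parsed = {"name": name, "value": value}
    for attr in attrs:
        key, sep, val = attr.partition("=")
        parsed[key.lower()] = val if sep else True
    return parsed


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def session_id_from_jwt(session_jwt):
    """Read the 'jti' claim from a session JWT whose signature was already verified upstream.

    This function only parses the payload segment. Never derive a CSRF token
    from a token whose signature has not been checked first.
    """
    parts = session_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("session JWT lacks a jti claim")
    return jti


def issue_csrf_token(session_jwt):
    """Derive the CSRF token as HMAC-SHA256(CSRF_KEY, jti).

    The server returns it in a response body; the browser app keeps it in a
    JavaScript variable and sends it back in a request header. Because it is a
    deterministic function of the session, no server-side table is needed and
    a token captured for one session is useless with any other session.
    """
    jti = session_id_from_jwt(session_jwt)
    return hmac.new(CSRF_KEY, jti.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_jwt, presented):
    """Constant-time comparison of the presented header value with the session's expected token."""
    if not presented:
        return False
    expected = issue_csrf_token(session_jwt)
    return hmac.compare_digest(expected.encode(), presented.encode())


def make_demo_jwt(jti):
    """Constructed stand-in for a session JWT; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "user-42", "jti": jti}).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    session_a = make_demo_jwt("sess-a")
    session_b = make_demo_jwt("sess-b")
    for line in build_session_cookies(session_a, "refresh-placeholder"):
        print("Set-Cookie:", line)
    token_a = issue_csrf_token(session_a)
    print("same session verifies:", verify_csrf(session_a, token_a))
    print("token replayed against another session:", verify_csrf(session_b, token_a))
    print("missing header:", verify_csrf(session_a, None))
```

The HMAC binding is what makes "bound to the session JWT" checkable: an attacker who can trigger a cross-site request has the victim's cookies sent automatically but cannot read the in-memory token, and a token leaked from one session fails verification against every other session.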
6. Recipients and subprocessors
We share personal data with a small set of carefully chosen subprocessors that act on our documented instructions and are bound by contracts meeting Article 28 GDPR. The current list is published at /legal/subprocessors/v1; it is kept up to date, and we give at least 30 days' advance notice of any addition or replacement.
We do not sell personal data and we do not share it with advertising networks, data brokers, or other third parties beyond the named subprocessors and the legally-required recipients listed in §7 below.
7. Legally-required recipients
We will disclose personal data when required to do so by law, including:
- Public authorities, courts, or supervisory authorities exercising statutory powers
- Tax authorities under HGB / AO retention and reporting rules
- Lawyers, accountants, and auditors engaged by us under their respective professional confidentiality obligations
Each disclosure is logged in our audit system with the legal basis cited.
8. International transfers
Our subprocessors process personal data exclusively inside the European Union. Specifically:
- Hosting, database, and file storage with Amazon Web Services EMEA SARL are located in the `eu-central-1` (Frankfurt) region.
- Transactional email with Resend, Inc. is delivered through their EU (Ireland) region.
If a future change introduces a transfer outside the European Economic Area, we will rely on an adequacy decision by the European Commission, the EU Standard Contractual Clauses (Decision 2021/914) supplemented by appropriate technical and organisational measures, or another transfer mechanism listed in Articles 45 to 49 GDPR. The change will be announced through the Subprocessor change-notice flow described in §6.
9. Retention
We retain personal data only as long as needed for the purpose described in §4, then delete or anonymise it.
| Category | Retention |
|---|---|
| Account, authentication, usage | Lifetime of the account, plus 90 days post-deletion buffer for accidental-deletion recovery |
| Audit log | 10 years from the event date, in line with the commercial retention rule of § 257 HGB |
| Billing and invoice data | 10 years from the end of the calendar year in which the invoice was issued (§ 147 AO) |
| Server-access logs on public pages | 14 days |
| Support ticket contents | 24 months from ticket closure |
| Security alert emails (delivery records) | 12 months |
When the retention period ends we either delete the data permanently or, where the data has analytical value in aggregated form, irreversibly anonymise it.
10. Your rights
Under the GDPR you are entitled to:
- Access (Art. 15) — confirm whether we process personal data about you and obtain a copy of it.
- Rectification (Art. 16) — correct inaccurate or incomplete personal data.
- Erasure (Art. 17) — have us delete your personal data where one of the listed grounds applies and no legal retention obligation overrides.
- Restriction (Art. 18) — limit the processing of your data, for example while a rectification request is pending.
- Portability (Art. 20) — receive the data you have provided in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Objection (Art. 21) — object to processing based on Art. 6 (1) (e) or (f), including profiling. Where we process for direct marketing the objection is unconditional; we do not currently engage in direct marketing.
- Withdraw consent (Art. 7 (3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, write to privacy (at) fintum-mi.com or to our Data Protection Officer at dpo (at) fintum-mi.com. We respond within one month of receiving the request, with a possible extension of two further months for complex requests (Art. 12 (3) GDPR).
You also have the right to lodge a complaint with a supervisory authority — for residents of Germany this is the data protection authority of the federal state in which you reside or work, or the Bayerisches Landesamt für Datenschutzaufsicht as our lead authority.
11. Automated decision-making
We do not subject Authorized Users to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. Risk-based authentication step-ups (such as MFA prompts on a new device or new country) are technical security responses, not significant decisions about the person — but we surface their existence here for transparency and a user can always reach human review by contacting support.
12. Children
The platform is a B2B service for institutional customers. We do not knowingly collect personal data from children under the age of 16 and have no expectation of doing so. If you believe a child's data has reached the platform, please contact us at privacy (at) fintum-mi.com.
13. Security
We maintain technical and organisational measures appropriate to the risk of our processing, in line with Article 32 GDPR. The most relevant measures are summarised in Annex II of our Data Processing Agreement at /legal/dpa/v1 and include encryption of personal data at rest and in transit, role-based access control, audit logging, regular vulnerability scanning, and a documented incident-response procedure.
If you believe you have discovered a security issue with the platform, please follow our Vulnerability Disclosure Policy and contact security (at) fintum-mi.com.
14. Changes to this Policy
We update this Policy from time to time to reflect changes in our processing or in the legal landscape. Each version stays at its permanent URL (this version is `/legal/privacy/v1`); when we publish a new version we increment the URL path and notify the company admin of every active customer through the in-platform notification surface. Substantive changes require a fresh acknowledgement in the platform shell.
15. Imprint
Information required by § 5 of the Digitale-Dienste-Gesetz (DDG, formerly § 5 TMG) and § 18 (2) MStV is published at https://www.fintum-mi.com/imprint.