Privacy Policy
Effective from 15 May 2026 - Version 1
This Privacy Policy describes how Fintum Market Intelligence GmbH ("we", "us", "our") processes personal data on the Market Intelligence platform at `app.fintum-mi.com` and on the public legal pages at `/legal/*`. It is written to satisfy our information obligations under Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), § 13 of the German Telemediengesetz (TMG), and § 25 of the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG).
1. Controller and contact
The controller responsible for processing the personal data described in this Policy is:
Fintum Market Intelligence GmbH
Abt-Plazidus-Str. 24
97359 Schwarzach am Main
Germany
Managing Director (Geschäftsführer): David Siegl
Registration: Application filed with Amtsgericht Würzburg; HRB number will be added once registration completes.
USt-IdNr.: pending issuance; will be added once received.
For privacy-related questions or requests under Articles 15 to 22 GDPR, contact us at it (at) fintum-mi.com. Postal correspondence reaches us at the address above.
We have not appointed a Data Protection Officer at this stage; the criteria of Article 37 GDPR do not apply to our current processing operations.
2. Scope of this Policy
This Policy covers personal data we process in our role as controller, that is, data we collect about visitors and Authorized Users of the Market Intelligence platform itself (account creation, login, support interactions, public-page visits).
It does not cover:
- Personal data we process as a processor on behalf of our enterprise customers. That processing is governed by the Data Processing Agreement at /legal/dpa/v1, which controls as between us and the customer entity.
- Personal data processed by our subprocessors under their own controllers' privacy programmes (their respective privacy policies are linked from our Subprocessor list at /legal/subprocessors/v1).
3. What personal data we collect
We collect personal data in the following contexts.
3.1 Account creation and onboarding
When a Global Admin invites a new company or a Company Admin invites a new user, the platform receives:
- Full name, work email address, role within the customer organisation
- Time of invitation, IP address of the inviter, IP address of the acceptor on first login
3.2 Authentication and session
On every login the platform records:
- Authentication method (password, MFA factor, WebAuthn credential, SSO assertion)
- Timestamp, IP address, approximate geolocation derived from the IP, device fingerprint and a user-supplied device label
- The result of the login (success, failure, MFA challenge, lockout)
3.3 Platform usage and product analytics
While the user is signed in:
- The endpoints they call (audit-logged when they touch sensitive operations such as user management, license changes, or data exports)
- Time of last activity, used to enforce idle timeouts
- Preferences they set (timezone, locale, dashboard layout, notification settings)
We additionally use PostHog Inc. (EU cloud, see /legal/subprocessors/v1) to capture pseudonymised product-analytics and error-monitoring events that help us understand how the platform is used, diagnose problems, and improve features. The data captured is limited to:
- The Authorized User's stable platform identifier (UUID), name, and work email address (used to make analytical dashboards and support investigations operable, never combined with external profiles or sold)
- Event metadata describing user interactions (screen viewed, filter applied, period selected, item clicked, export started)
- Redacted IP addresses and redacted error messages from unhandled exceptions; free-text payloads, URL query strings, and full stack traces are stripped before any data leaves the user's browser
- A pseudonymised company-group attribution so we can analyse the platform at the customer-organisation level
This processing is a necessary component of the Service we provide to the customer. It is how we operate, debug, and improve the platform on their behalf. We do not use the data for marketing, advertising, or third-party profiling. It is not shared outside Fintum and our named subprocessors, and the lawful basis is set out in §4 below.
We do not load any third-party advertising, marketing, or social-media tracking scripts on the platform. There is no Google Analytics, no Facebook Pixel, no Twitter / LinkedIn conversion tag, no programmatic-advertising network.
3.4 Support and billing
When you open a support ticket or correspond with our sales team:
- The contents of your message and any attachments you choose to share
- The metadata of the channel you use (email headers, in-app ticket identifiers)
- Billing contact name, address, and tax identifiers for invoice generation
3.5 Public legal pages
The pages at `/legal/*` are accessible without an account. We do not set cookies on these pages beyond the strictly-necessary session cookie for users who arrive already signed-in. Standard server-access logs (IP, user-agent, request URL, timestamp) are retained for 14 days for security monitoring.
4. Lawful bases for processing
| Purpose | Categories of data | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Provide the platform to Authorized Users | Account, authentication, usage | Art. 6 (1) (b): performance of the contract between us and the Authorized User's company |
| Authenticate users and prevent unauthorised access | Authentication, IP, device fingerprint | Art. 6 (1) (f): legitimate interest in platform security; balanced against the user's interest in confidentiality |
| Product analytics and error monitoring (PostHog) for operating, debugging, and improving the Service | User UUID, name, email, event metadata, redacted error payloads | Art. 6 (1) (b): necessary for the performance of the contract (delivering and supporting the Service the customer pays us for) and Art. 6 (1) (f): legitimate interest in product quality, security, and continuous improvement; balanced against the user's interest in privacy by means of pseudonymisation, redaction, EU-only hosting, and no third-party profiling |
| Bill the customer and meet tax obligations | Billing contact, tax IDs, invoice data | Art. 6 (1) (b) and Art. 6 (1) (c): contract and legal obligation under HGB / AO |
| Respond to support inquiries | Ticket contents, contact metadata | Art. 6 (1) (b): performance of the contract |
| Send security alerts (new device, new country) | Authentication metadata, email | Art. 6 (1) (f): legitimate interest in account-takeover detection |
| Comply with audit, retention, and reporting obligations | Audit log, financial data | Art. 6 (1) (c): legal obligation |
| Defend or pursue legal claims | Any data above as relevant | Art. 6 (1) (f): legitimate interest |
We do not rely on consent (Art. 6 (1) (a)) for any of the processing described in this Policy. Each purpose either is necessary to perform the contract with the customer's organisation (Art. 6 (1) (b)), serves a legitimate interest that we have weighed against the rights of data subjects (Art. 6 (1) (f)), or fulfils a legal obligation we are subject to (Art. 6 (1) (c)). Where you believe a particular processing operation should not apply to you, you may object under Article 21 GDPR (see §10).
5. Cookies and similar technologies
The platform sets exactly two cookies, both classified as strictly necessary under § 25 (2) TTDSG and Article 5 (3) of the ePrivacy Directive:
| Cookie | Purpose | Lifetime | Type |
|---|---|---|---|
| `access_token` | Short-lived session JWT | minutes | HttpOnly, Secure, SameSite=Lax |
| `refresh_token` | Refresh of the session JWT without re-login | days | HttpOnly, Secure, SameSite=Lax, restricted path |
In addition the platform stores an in-memory CSRF token bound to the session JWT. This never appears in a cookie, in localStorage, or in any other persistent client-side storage.
Our product-analytics provider, PostHog, runs in memory-persistence mode in the browser. It does not set cookies, does not write to localStorage, and does not place any persistent identifier on your device. Each tab session generates a transient in-memory identifier that is discarded when the tab closes; the only persistent identifier we associate analytics events with is your platform UUID, which already exists for your account regardless of analytics.
Because no non-essential cookies are placed and no non-essential persistent storage is written, no consent banner is required under TTDSG / ePrivacy. If we add non-essential persistent storage in the future, we will introduce a granular consent flow before that change goes live.
6. Recipients and subprocessors
We share personal data with a small set of carefully chosen subprocessors that act on our documented instructions and are bound by contracts meeting Article 28 GDPR. The current list, with at least 30 days' advance notice for any addition or replacement, is published at /legal/subprocessors/v1 and currently includes:
- Amazon Web Services EMEA SARL: cloud hosting and infrastructure
- Resend, Inc.: transactional email delivery
- PostHog Inc.: product analytics and error monitoring (EU cloud)
We do not sell personal data and we do not share it with advertising networks, data brokers, or other third parties beyond the named subprocessors and the legally-required recipients listed in §7 below.
7. Legally-required recipients
We will disclose personal data when required to do so by law, including:
- Public authorities, courts, or supervisory authorities exercising statutory powers
- Tax authorities under HGB / AO retention and reporting rules
- Lawyers, accountants, and auditors engaged by us under their respective professional confidentiality obligations
Each disclosure is logged in our audit system with the legal basis cited.
8. International transfers
Our subprocessors process personal data exclusively inside the European Union. Specifically:
- Hosting, database, and file storage with Amazon Web Services EMEA SARL are located in the `eu-central-1` (Frankfurt) region.
- Transactional email with Resend, Inc. is delivered through their EU (Ireland) region.
- Product analytics and error monitoring with PostHog Inc. are hosted in their EU cloud (Frankfurt, Germany).
If a future change introduces a transfer outside the European Economic Area, we will rely on an adequacy decision by the European Commission, the EU Standard Contractual Clauses (Decision 2021/914) supplemented by appropriate technical and organisational measures, or another transfer mechanism listed in Articles 45 to 49 GDPR. The change will be announced through the Subprocessor change-notice flow described in §6.
9. Retention
We retain personal data only as long as needed for the purpose described in §4, then delete or anonymise it.
| Category | Retention |
|---|---|
| Account, authentication, usage | Lifetime of the account, plus 90 days post-deletion buffer for accidental-deletion recovery |
| Audit log | 10 years from the event date, in line with the commercial retention rule of § 257 HGB |
| Billing and invoice data | 10 years from the end of the calendar year in which the invoice was issued (§ 147 AO) |
| Server-access logs on public pages | 14 days |
| Support ticket contents | 24 months from ticket closure |
| Security alert emails (delivery records) | 12 months |
| Product-analytics events (PostHog) | Standard PostHog retention as configured per environment; revisable on operational need |
When the retention period ends we either delete the data permanently or, where the data has analytical value in aggregated form, irreversibly anonymise it.
10. Your rights
Under the GDPR you are entitled to:
- Access (Art. 15): confirm whether we process personal data about you and obtain a copy of it.
- Rectification (Art. 16): correct inaccurate or incomplete personal data.
- Erasure (Art. 17): have us delete your personal data where one of the listed grounds applies and no legal retention obligation overrides.
- Restriction (Art. 18): limit the processing of your data, for example while a rectification request is pending.
- Portability (Art. 20): receive the data you have provided in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Objection (Art. 21): object to processing based on Art. 6 (1) (e) or (f), including profiling. Where we process for direct marketing the objection is unconditional; we do not currently engage in direct marketing.
- Withdraw consent (Art. 7 (3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, write to it (at) fintum-mi.com. We respond within one month of receiving the request, with a possible extension of two further months for complex requests (Art. 12 (3) GDPR).
You also have the right to lodge a complaint with a supervisory authority. For residents of Germany this is the data protection authority of the federal state in which you reside or work, or the Bayerisches Landesamt für Datenschutzaufsicht as our lead authority.
11. Automated decision-making
We do not subject Authorized Users to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. Risk-based authentication step-ups (such as MFA prompts on a new device or new country) are technical security responses, not significant decisions about the person. We do, however, surface their existence here for transparency, and a user can always reach human review by contacting support.
12. Children
The platform is a B2B service for institutional customers. We do not knowingly collect personal data from children under the age of 16 and have no expectation of doing so. If you believe a child's data has reached the platform, please contact us at it (at) fintum-mi.com.
13. Security
We maintain technical and organisational measures appropriate to the risk of our processing, in line with Article 32 GDPR. The most relevant measures are summarised in Annex II of our Data Processing Agreement at /legal/dpa/v1 and include encryption of personal data at rest and in transit, role-based access control, audit logging, regular vulnerability scanning, and a documented incident-response procedure.
If you believe you have discovered a security issue with the platform, please follow our Vulnerability Disclosure Policy and contact security (at) fintum-mi.com.
14. Changes to this Policy
We update this Policy from time to time to reflect changes in our processing or in the legal landscape. Each version stays at its permanent URL (this version is `/legal/privacy/v1`); when we publish a new version we increment the URL path and notify the company admin of every active customer through the in-platform notification surface. Substantive changes require a fresh acknowledgement in the platform shell.
15. Imprint
Information required by § 5 TMG and § 18 (2) MStV is published at https://www.fintum-mi.com/imprint.