Vivid Group Privacy Notice
In this Privacy Notice (“Notice”) we describe how the companies of the Vivid Group (collectively “Vivid”, “we”, “us”) collect, process, share, and protect your personal data when you use our products, content, features, technologies, or functions, as well as any related websites and applications offered to you by Vivid Group. It also contains information about your rights with respect to your personal data and how you may exercise them.
About
We provide different Vivid products and services to you. The Vivid company providing the relevant product to you is also responsible for processing your personal data in the context of your use of this product, and is known as the “controller” of your personal data for the respective processing activities.
You can find detailed information about which Vivid companies are providing you with services below and in the Vivid Money App or the Vivid Website in context of the service or pocket that you are dealing with.
If you have any concerns, requests or questions about your data, or think that some of our privacy practices are not addressed in this Privacy Notice, please contact our Privacy Team at [email protected] or our Data Protection Officer at [email protected], or fill out a Data Privacy support request at the following link https://vivid.money/en-it/support/.
Here is the list of Vivid Group companies that may provide services to you:
Vivid Money GmbH
Zimmerstrasse 78,
10117 Berlin, Germany
Vivid Money GmbH provides to you general and joint services on your Vivid Money App (such as cross functional monthly statements or cost overviews) and may, subject to your marketing settings, send you marketing about the products available on the Vivid Money app.
Vivid Money S.A.
Rue Glesener 21,
1631 Luxembourg, Luxembourg
Vivid Money S.A. is an electronic money institution regulated by the Commission de Surveillance du Secteur Financier, Luxembourg under register number W00000015, and authorized to provide payment services related to issuance, circulation and redemption of electronic money and issuance of payment instruments to customers in the European Economic Area.
Vivid Money S.A. provides electronic money accounts and commercial cards, as well as payment facilitation services relating to acquiring of card transactions, to consumers (“Retail Customers”), companies and sole-traders (“Business Customers”).
Please note that data protection laws do not apply to information relating to companies, but they do protect information about natural persons. As such, Vivid Money S.A. will process and be the controller of personal data relating to a freelancer, sole trader or proprietor account, or the authorized persons appointed by the Business Customers. If you are a team member or a customer of the company holding a Vivid Business Customer Account, they are the controller of your personal data, and any inquiries should be directed to them.
Vivid Money B.V.
Strawinskylaan 4117
1077 ZX Amsterdam, the Netherlands
Vivid Money B.V. is licensed as an investment firm by the Dutch Authority for the Financial Markets (AFM). It offers the brokerage of transactions for the purchase and sale of financial instruments, including in the context of foreign exchange products, on the Vivid Money App.
Vivid Digital S.r.l.
Viale Andrea Doria 7,
20124 Milan, Italy
Vivid Digital S.r.l. is a virtual asset services provider (VASP) registered with the Italian OAM (Organismo Agenti e Mediatori), the Bank of Spain (Banco de España) and the French AMF (Autorité des Marchés Financiers) that provides services relating to virtual assets to customers in these jurisdictions.
What personal data do we collect?
1. Information you provide to us when you:
● register to use the Vivid Mobile App;
● open accounts and use our products and services;
● give us access to your other bank accounts (e.g. for Open Banking);
● correspond or speak with us e.g. via chat, email, phone;
● connect with us on social media;
● fill out forms or respond to surveys.
Depending on the type of Vivid products and services you use, the following personal data may be collected and processed:
● your login credentials;
● identification data, e.g. name, place and date of birth, nationality;
● contact details, e.g. residence address, email address, mobile number, delivery address for your Vivid card. As appropriate, we will use these data for communicating with you on topics such as customer service issues and other business and service related matters;
● copies of identification documents (e.g. passport), photos, video and audio recordings and any other information you provide for identification purposes to prove you are eligible to use our services and products, including face scans and other measurements extracted from your identity documents, photos and/or video recordings, which are used to authenticate you (this data is collected and processed by our identity verification service provider Veriff OÜ - https://www.veriff.com/privacy-notice);
● country of residence, tax residency, and tax identification number;
● details of accounts, debit or credit cards you use to add or transfer funds to your Vivid account, including account number, IBAN, BIC, card number, expiration date and CVC/CVV code, transaction amounts;
● information about the other participants in the transactions executed using Vivid mobile app, website or paylink, such as bank account or external crypto wallet details, email or phone number of the participant involved in person-to-person transfer through paylink;
● in the context of Business Customer services, information about the company’s directors, shareholders, employees, customers or business partners, if we are legally required to ask for this information (e.g. as part of know-your-customer checks or for compliance with anti-money laundering laws requiring us to verify your company’s sources of funds);
● information regarding your employment and income in the course of application for Business, Investment or Crypto oriented services;
● information about other people (e.g. authorized account user, spouse or family members) when you wish to add them to your account, and we must ask for this data in order to comply with our know-your-customer obligations, anti-money laundering and other laws, and to assist with fraud monitoring. In this case, we have to assume that you have their permission to share this information with us;
● information you provide when you communicate with us via chat, email, phone, online, etc;
● data and content shared by you when participating in online discussions, surveys or promotions, including those you post on our social media and community pages;
● photo (if you choose to upload one).
2. Information we automatically collect and process when you use our products and services
Depending on the type of Vivid products and services you use, we may collect and process the following personal data:
● personal data retrieved from your identification documents;
● information about your device, how and when you access our mobile application, trading terminal and any other web based products or services, e.g. the IP address of the device, your login information, type of device, unique device identifier such as IMEI number or MAC address (if available), whether your device uses a VPN, device language, time zone setting, operating system/platform and browser type, mobile network information, software version,
Vivid mobile application version, information about pages you look at, page response times, download errors, page interaction information, date and time, how long you stay on certain pages, services viewed or searched for;
● information about your use of Vivid products and services, i.e. data relating to your transactions (e.g. payments into and out of the account, card or financial instrument purchases), including date, time, amount, currency, type and amount of financial instrument or digital asset, type and amount of currency, price, fees, exchange rate, beneficiary details, details of the merchant or ATMs associated with the transaction, IP address of sender and receiver, sender and receiver's name and registration information, messages sent or received with the payment, details of device used to make the payment and the payment method used;
● information about the notifications that have been sent to your email address or mobile device, including date and time, type and category of notification, delivery channel and location (country level), and in some cases information about whether the message was delivered/opened;
● information stored on your device (if you have given us permission), e.g contacts in your phone book, photos, videos or other digital content. In the case of your phone book, we have to assume that you have your contacts’ permission to share this information with us;
● if you switch on a location services, we will track the location of your device using GPS technology;
● cookies and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you;
● risk rating information, e.g. transactional behavior and underwriting information;
● investigations and public information data, e.g. due diligence checks, sanctions and anti-money laundering checks;
● information we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious or unusual activity.
3. Information we receive from others:
Depending on the type of Vivid products and services you use, the following personal data may be collected and processed:
● information we receive from other Vivid Group companies, e.g. when your KYC data is internally shared, if you decide and where required to register for additional Vivid products or services, or information about the standing of your other Vivid product accounts (e.g. in the course of a credit application or for defense from legal claims);
● in the context of Business Customer services, if a company that holds a Vivid Business account and nominates you as account administrator or team member, your employer will give us information about you, e.g. your name, business contact details, employment status, salary and tax information;
● depending on which Vivid products and services you use, we may collect and process personal data from third parties, e.g. financial or credit institutions, credit reference agencies, public registers and similar database providers, as well as authorized account users, fraud prevention agencies and other partners who help us to provide our services;
● information about your transactions from merchants and third party financial institutions (in the context of Open Banking);
● in certain cases we may collect information about you if you make it publicly available online, including, but not limited to public company registers and social media;
● information to help us verify your identity.
We do not ask you to provide information that belongs to a “special” category, like racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health or data concerning sex life or sexual orientation. However, there may be circumstances where your transaction data reveals this type of sensitive information. For example:
● Payments for medical services or treatments may reveal data concerning your health.
● Making contributions and donations to churches, NGOs, political parties, trade unions etc. may reveal your religious or philosophical beliefs or political affiliation.
● Payments to sex shops or certain night clubs may reveal sensitive information regarding your sex life.
Taking into account this risk, we ensure that all payment information is kept confidential, and forbid our staff to extract data which belongs to special categories.
Why we process your personal data (purpose and legal basis)
In order to collect and process your personal data, we have to have a valid legal basis. It can be one of the following:
1. Contract
When you apply for and use our products and services, we must collect and process certain personal data, because they are necessary to fulfill our contractual and pre-contractual obligations. For example, we rely on this legal basis to process data when you make payments into and out of your account, make purchases with your Vivid cards, buy or sell financial instruments or digital assets, or require customer service assistance.
Please note that for many of our financial services and features, without the necessary personal data we will not be able to fulfill our contractual obligations, and therefore we will likely have to refuse entering into, or terminate a business relationship with you if you refuse to provide us with this information.
2. Legal obligation
In certain cases, we and/or our partners are required to collect, process and store your personal data in order to comply with applicable laws. Some examples of data processing under this legal basis include:
● verification of your identity and age when you apply to use our products and services (e.g. copies of identity documents, photos and videos of you, as well as data such as face scans and other measurements);
● checks and monitoring relating to prevention of money laundering and fraud;
● tax reporting obligations;
● providing information to fiscal criminal authorities in the context of fiscal criminal proceedings or to prosecution in accordance with official orders;
● compliance check of the receiving crypto wallet, as required by applicable laws implementing the FATF guidelines applying to virtual assets service providers in general and Crypto to Crypto transactions in particular.
3. Legitimate interests
Sometimes we need to collect and process your personal data to safeguard our legitimate interests. Some examples may include:
● developing and improving measures to prevent duplicate account creation, abuse of our services and criminal or suspicious activity such as fraud;
● measures for safeguarding our network and ensuring information security;
● risk management;
● personalizing marketing messages, push notifications and in-app banners in order to offer you services and products that might be interesting to you (if allowed by law). This may include analyzing how you use our products, services and transactions;
● helping you balance your expenses and control your budget by providing subscription protection;
● helping you save money and understand your spending behavior by providing insights about your short and long term spending, and how you use our products and services;
● optimization of your user experience and personalization of services and tariff options by analyzing how you use our products and services;
● preparing anonymous statistical reports that can be shared internally and externally (you cannot be identified from anonymous data);
● data transmission within the Vivid Group for account management, any operations requested by you, to conduct internal administrative activities, and improve our products and services;
● processing of inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings.
Cashback/Vivid Points Program
In the context of our cashback/points program we process your client ID, as well as data about your transactions, including details received from payment processors about the amount, date, time and merchant. Additionally, in order to verify your transactions and correctly calculate your cashback amounts, we have to share with the merchants or our cashback partners some pseudonymised data about your transactions: date/time, operation amount and currency, merchant data (merchant category code, merchant id and merchant name in case of card operations, IBAN and recipient name in case of direct debits), country and city of purchase, acquirer id, terminal id. If you do not wish to participate in this program and that we process or share your data for this purpose, you can object at any time. To do so, please contact us at [email protected]. Please note that we do not sell or share your personal data with third parties for marketing purposes.
When you visit our website
When you visit our website, we may automatically collect some personal data from your device. This information may include your IP address, date and time of the request, time zone difference to GMT, browser language and version, operating system version or producer, information about your device, as well as some data about how you interact with our website (e.g. which website you came from, pages visited, links clicked). We do this to keep our website secure and to understand who visits it and which pages they find interesting, so we can improve the site and provide relevant content. Some of this data is collected using cookies, and you will have further options relating to cookies that are not required for the use of our services. You can find more information about them in our Cookie Notice (https://vivid.money/en-eu/cookie-notice/).
4. Consent
If you give us consent, you allow us to process your personal data for purposes such as showing other Vivid customers that you are also our customer, sending you marketing messages about our products and services, adding a photo avatar and showing it to other customers (e.g. in their contact lists, shared banking activities, referral links), or accessing your phone contacts or other system settings on your device.
You can withdraw your consent at any time and without giving any reasons, for example by removing your photo, adjusting your marketing or visibility preferences in your Vivid Money App settings or on your device, or by contacting us. However, keep in mind that any processing which took place prior to the withdrawal of the consent remains lawful.
Visibility and access to your phone’s contact book
When you join Vivid, or later, when you first use certain Vivid features and joint banking activities such as shared pockets, referral links, instant money transfers, or money requests by phone number, we ask for your consent to make you visible as a Vivid user to other customers and/or to access the contact book on your phone via its operating system.
If you give us this consent, a Vivid icon will appear next to your photo in other customers’ contact lists within the Vivid Money App, and in joint bank activities and recommendation links when you interact with other Vivid customers. This means that other Vivid customers who have your phone number in their contact books can identify you as a Vivid user. You can withdraw this consent anytime in your app’s profile settings. The second consent, for Vivid to access the phone book on your device, which you give through your phone’s operating system, can also be withdrawn directly in your device’s settings at any time.
How we use your personal data for marketing purposes
When you sign up for our services, if it is permitted under applicable national law, we may send you information about Vivid products, services, offers and promotions by post, email, push notification or text message. Where national law requires us to get your consent to send marketing messages, we will do so. If you decide at any time that you no longer wish to receive marketing messages from us, you can always object or opt out by way of changing your
marketing preferences.
When you have opted into receiving marketing messages from us, and you open any such e-mail, push or other text messages, we may use technologies, usually web beacons or tracking pixels, in order to track your opening of the message and clicking on links in it. We may also analyze your user behavior by processing data related to your transactions, withdrawals, balance, payments and such, and use this information for structuring personalized marketing
campaigns. The purpose is to provide you with marketing based on your interests and to analyze the success of a campaign. If you do not want to be tracked in messages for marketing purposes or that we analyze your behavior for marketing purposes, you can always object by way of changing your marketing settings.
We may also collect and use for marketing purposes your personal information and contact details from publicly available sources, such as websites, online registers or directories. When we do this, we make sure that the information provided to us has been collected and shared lawfully, that we have a legitimate interest in collecting and using it, and it is balanced against your right to privacy.
Automated decisions
In some cases, the way we analyze your personal data relating to our products and services may involve automated decisions. This means that we will process your personal data using software to evaluate your personal financial circumstances and other factors in order to predict risks or outcomes. This type of data processing can also be called profiling. We do this to make sure that your eligibility for our services and their continued use are determined based on the most accurate and up to date information, and to protect your interests and keep your funds secure. For example, automated methods may be used to make decisions about you in the following situations:
● anti-money laundering and sanctions checks;
● identity and address checks;
● monitoring your account for fraud and other financial crime, either to prevent instances of fraud, or to prevent you from becoming a victim of fraud;
● screening people who may be classed as ‘politically exposed’ (for example, if you are a government minister);
● assessments required by the regulators and relevant authorities to make sure we meet our regulatory obligations (for example, making decisions about those at risk of becoming financially vulnerable).
Our monitoring model combines information from transaction details, customer profile data and device session data. The approach is based on current fraud trends, best practices from VISA and other sources. You can contact us to ask to review an automated decision by sending an email to [email protected].
When we share or disclose your personal data
In order to provide you with certain functions and services, we have to share your personal data with partners, external third party service providers, related and regulatory entities. They only process your personal data on the basis of data processing agreements and according to strict instructions, which do not allow them to use your data for any other purposes without notifying you or asking for your consent. Here are some of the categories of the parties we may share data connected with your account:
● Vivid Group companies - e.g. when you request to sign up for other Vivid products and services quickly and easily, to prevent fraud and abuse of our services or other Vivid customers, to ensure and improve availability and connectivity of our products and services;
● Service providers that help us to fulfill our obligations towards applicable laws, e.g. identity verification service provider Veriff OÜ;
● Companies that make and deliver your cards;
● Payment service providers;
● Mobile payment providers like Google and Apple Pay;
● Other Vivid customers or companies who pay money into your account and to whom you transfer money, share pockets, or split the bill, grant access rights through our functionality (Business Customers), or where you request money from them (in this case we may share your name and phone number as it appears in your account);
● Cloud computing and storage providers like Amazon Web Services;
● Analytics and business intelligence platforms;
● Companies that help us send you service related and marketing messages;
● Providers of software we may use for customer support and issue tracking;
● Companies that help us with customer and operations support;
● Service providers in the context of security and fraud protection;
● AI service providers to help prepare decisions for compliance or customer service, without competence to work on customer data or any final decisions;
● Cashback partners.
We, our partners, service providers and others may also be required to share your personal data with various financial institutions and/or enforcement or court authorities to comply with applicable laws, prevent fraud, enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or agents.
Additionally, we may reveal your personal data to third-parties if: (1) you request or authorize it; (2) to address emergencies or acts of God; and (3) to address disputes, claims, or to persons demonstrating provable legal authority to act on your behalf.
In relation to the virtual currency services provided by Vivid Digital S.r.l., it is required to provide the data about the transactions carried out on the territory of the Italian Republic to OAM (Organismo Agenti e Mediatori). OAM processes this data legitimately on the basis of the relevant legislation, but it doesn’t have direct contact with you, i.e. the 'Interested Subjects'. As such, you can access the information about how OAM processes your personal data on its website, in a publicly accessible area.
If you would like to receive more detailed information regarding third parties we share your personal data with, please contact us at [email protected].
Your rights
Data protection laws provide you with rights to help you understand and control how your personal data is used. These are your rights:
● Right to be informed about why and how we are processing your personal data - this information is provided within this Privacy Notice.
● Right to have access to your data - you have the right to ask us if we are processing your personal data, why we are doing so, under what lawful basis, the categories of your personal data, whether the data is being sent outside the EU, who we share your data with, how long we keep it, and request a copy of the data we are processing.
● Right to object to some processing - direct marketing, or if processing is based on legitimate interests.
● Right to have your data deleted - otherwise known as “right to be forgotten”. You can exercise this right if you withdraw your consent and there is no further legitimate interest in our processing of your data, your objection to processing under legitimate interests outweighs our interests, the processing is no longer necessary, there is a law that requires the data to be deleted, or the processing is unlawful.
● Right to restrict processing - if the personal data we are processing is inaccurate, if our processing is unlawful, if the data is no longer necessary for the original purpose of processing but needs to be kept for potential legal claims, or you have objected to processing carried out under legitimate interests and we’re still in the process of determining whether there is an overriding need to continue processing.
● Right to data portability - you can ask for your data that we process by using a computer, which you provided to us on the basis of consent or because it was necessary for a contract.
● Right to ask us about automated decision-making - you have the right to ask us to explain the logic involved in making any automated decisions and for the decision to be reviewed by a human being, if that decision had an effect on your rights or freedoms.
● Right to rectification - if any of your personal data that we hold is inaccurate, you can request to have it corrected.
● Right to lodge a complaint with the competent data protection authority if you have concerns about how we process your personal data (a list of national and regional data protection authorities is available on this website). However, we would appreciate it if you contacted us first and gave us an opportunity to resolve the issue.
If you would like to exercise any of these rights, or find out more about how we process your personal data, please contact us at [email protected]. Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, we will let you know the date when the information will be provided. If for some reason we cannot satisfy your request, we will provide an explanation why.
With regard to accounts previously held with our former partner bank Solaris SE, Cuvrystraße 53, 10997 Berlin, Germany, you can still exercise your data protection rights or submit inquiries by contacting us via the Support web page or by email [email protected].
Data transfers to third countries
Some of our partners, service providers or other parties we transfer your personal data to may be located in countries throughout the world, including outside the EU or the EEA. Therefore, the data may be sent to countries with different data protection laws than your country of residence. In such cases, to ensure that your personal data receives a comparable level of protection, we provide appropriate safeguards, such as adequacy decisions and frameworks or Standard Contractual Clauses adopted by the European Commission. If you would like to receive more information about the transfers or safeguards, please contact us at [email protected].
How long we keep your data
We keep your personal data for as long as it is necessary to achieve the purpose for which it was collected, usually for the duration of our contractual relationship plus any period thereafter as required by anti-money laundering or any other applicable laws and regulations, or in cases of potential or ongoing court litigation. When the purpose for processing is fulfilled, but we are required to keep the data, it will be restricted and stored in a secure archive until it can be deleted.
In particular, we will keep the data relating to your identity verification (e.g. copies of identification documents, photos, video and audio recordings, face scans and other measurements, which are used to authenticate you) for a minimum of 5 years from the end of our relationship with you in accordance with applicable Law. In certain cases this data can be retained longer (up to 10 years), e.g. for investigation or prosecution of suspicious activity related to fraud or money laundering, or when it is necessary for defense from/of legal claims.
Security of your information
To help protect the privacy of personal data you provide through the use of our mobile app or websites, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your data. We commit to taking appropriate disciplinary measures to enforce our employees' data protection responsibilities.
Changes and updates to this Privacy Notice
As our organisation and services change from time to time, this Privacy Notice may change as well. We reserve the right to amend it at any time, for any reason, without notice to you, other than the posting of the amended Privacy Notice on our website or in the mobile app. We may email periodic reminders of our notices and terms and conditions and will notify you of material changes thereto, but you should check our site or the app to see the Privacy Notice that is in effect and any changes that may have been made to it.
Effective date: 15 October 2024