Finzr

Privacy Policy

Protection of your personal data

At FINZR, the protection of your personal data is a priority. When using the website https://www.finzr.io/ (hereinafter the "Website") and/or the FINZR application (hereinafter the "Application"), we may collect personal data about you.

The purpose of this policy is to inform you about how we process this data in compliance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR").

1. Who is the data controller?

In the context of our services (in particular, assessing your creditworthiness and deciding whether to transmit your financing request to our financial partners), the data controller is FINZR, a simplified joint-stock company, registered in the Paris Trade and Companies Register under number 881689780, with its registered office at 55 rue la Boétie, 75008 Paris, France (hereinafter "We").

However, when we transmit your data to our financial partners, we act within the framework of our mandate as Insurance Intermediary Agent and Non-exclusive Agent for banking operations and payment services. Therefore, we collect and process personal data on their behalf and for their account. Financial institutions are thus responsible for data processing in accordance with Article 4 of the GDPR. We act as a subcontractor, as a service provider.

2. What data do we collect?

Personal data is data that allows an individual to be identified directly or by cross-referencing with other data. We collect data falling into the following categories:

  • Identification data (for example: surname, first name, email and postal address, telephone number, nationality, gender, date of birth)
  • Identity documents (for example: identity card, driving license)
  • Vehicle-related data (for example: license plate, VIN)
  • Data relating to your family situation (for example: number of dependent children, type of marriage contract)
  • Data relating to your professional life (for example: professional sector, type of employment contract, company name)
  • Data relating to your remuneration (for example: professional income)
  • Banking data (for example: bank account details, account statements, crossed cheques)
  • Transaction data (for example: vehicle sale price, trade-in amount, deposit amount)
  • Access to your photos on your mobile phone (for example: scans of supporting documents required for processing your financing application)
  • Data from recordings of telephone calls between you and our customer service (for example: call content, dates)
  • Any information you wish to provide to us during your interview with one of our advisors

Mandatory data is indicated when you provide your data in our mobile application.

3. How did we obtain your data?

We collected your data either because you provided it yourself, or because your auto dealership, a Finzr partner, transmitted it to us at your request.

4. On what legal bases, for what purposes and for how long do we keep your personal data?

PurposesLegal BasesRetention Periods
Provide our services available on our Application (including evaluating your creditworthiness and deciding to transmit your financing application to our financial partners where applicable)Execution of pre-contractual measures taken at your request and/or execution of the contract that you or your company has entered into with UsWhen you have created an account: your data is kept for the entire duration of your account. Your connection logs are kept for 6 months or 1 year. In case of an inactive account for 2 years, your personal data will be deleted in the absence of a response from you to our reactivation email. In addition, your data may be archived for evidentiary purposes for a period of 5 years.
Carry out operations relating to customer management and monitoring of the contractual relationshipExecution of the contract that you or your company has entered into with UsPersonal data is kept for the entire duration of the contractual relationship. In addition, your data (except for your bank details) is archived for evidentiary purposes for a period of 5 years.
Improve our servicesOur legitimate interest in improving our servicesRecording of telephone calls: 6 months from collection. Documents analyzing the content of telephone calls: 1 year from collection.
Build a customer and prospect fileOur legitimate interest in developing and promoting our businessFor customers: data is kept for the entire duration of the contractual relationship. For prospects: data is kept for a period of 3 months from your last contact, for prospecting purposes.
Send newsletters, solicitations and promotional messagesFor customers: our legitimate interest in retaining and informing our customers. For prospects: your consent.Data is kept for 3 years from your last contact with Us or until withdrawal of your consent.
Respond to your information requestsOur legitimate interest in responding to your requestsData is kept for the time necessary to process your information request and deleted once the information request has been processed.
Manage rights exercise requestsOur legitimate interest in responding to your requests and keeping track of themIf we ask you for proof of identity: we keep it only for the time necessary to verify identity. Once verification is complete, the proof is deleted. If you exercise your right to object to receiving marketing: we keep this information for 3 years.

5. Who are the recipients of your data?

The following will have access to your personal data:

  • Our company's staff
  • Our subcontractors: hosting provider (Microsoft Azure), newsletter sending provider (SendGrid), audience measurement and analysis provider, email messaging provider (SendGrid)
  • Our financial partners, at your request
  • Where applicable: public and private bodies, exclusively to meet our legal obligations

6. Is your data likely to be transferred outside the European Union?

Your data is kept and stored for the entire duration of processing on Microsoft Azure servers, located in France, within the European Union.

As part of the tools we use (see article on recipients regarding our subcontractors), your data may be subject to transfers outside the European Union. The transfer of your data in this context is secured using the following tools:

  • either the data is transferred to a country that has been the subject of an adequacy decision by the European Commission, in accordance with Article 45 of the GDPR: in this case, that country ensures a level of protection deemed sufficient and adequate to the provisions of the GDPR
  • or the data is transferred to a country whose level of data protection has not been recognized as adequate to the GDPR: in this case, these transfers are based on appropriate safeguards indicated in Article 46 of the GDPR, adapted to each provider, including but not limited to the conclusion of standard contractual clauses approved by the European Commission, the application of binding corporate rules or under an approved certification mechanism
  • or the data is transferred on the basis of one of the appropriate safeguards described in Chapter V of the GDPR

7. How do we make the decision to transmit your financing request?

In order to assess whether your financing request can be transmitted to our partners, we have implemented a decision support process that uses risk assessment models for borrower default.

The decision also depends on the compatibility between the client's profile and the KYC policy of the partner credit institution. For example, if you refuse to provide us with the documents requested by the partner credit institution, this may lead to the rejection of your request.

The decision-making process is not fully automated and you will always have the right to obtain an interview with an authorized agent to review your file, during which you can present observations about your personal financial situation.

8. What are your rights regarding your data?

You have the following rights regarding your personal data:

  • Right to information : this is precisely why we have written this policy. This right is provided for by Articles 13 and 14 of the GDPR.
  • Right of access : you have the right to access all your personal data at any time, pursuant to Article 15 of the GDPR.
  • Right of rectification : you have the right to rectify your inaccurate, incomplete or outdated personal data at any time in accordance with Article 16 of the GDPR.
  • Right to restriction : you have the right to obtain the restriction of the processing of your personal data in certain cases defined in Article 18 of the GDPR.
  • Right to erasure : you have the right to require that your personal data be erased, and to prohibit any future collection for the reasons set out in Article 17 of the GDPR.
  • Right to lodge a complaint : with a competent supervisory authority (in France, the CNIL), if you consider that the processing of your personal data constitutes a violation of applicable laws (Article 77 of the GDPR).
  • Right to define directives : relating to the retention, erasure and communication of your personal data after your death.
  • Right to withdraw consent : at any time: for purposes based on consent, Article 7 of the GDPR provides that you can withdraw your consent at any time. This withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
  • Right to data portability : under certain conditions specified in Article 20 of the GDPR, you have the right to receive the personal data you have provided to us in a standard machine-readable format and to require its transfer to the recipient of your choice.
  • Right to object : pursuant to Article 21 of the GDPR, you have the right to object to the processing of your personal data. Note, however, that we may continue processing despite this objection, for legitimate reasons or for the defense of legal rights.

You can exercise these rights by writing to us at the contact details below. We may ask you to provide additional information or documents to verify your identity.

9. Personal data contact point

Contact email: dpo@finzr.io

Contact address: 55 rue la Boétie, 75008 Paris

10. Modifications

We may modify this policy at any time, particularly to comply with any regulatory, case law, editorial or technical developments. These modifications will apply from the effective date of the modified version. You are therefore invited to regularly consult the latest version of this policy. Nevertheless, we will inform you of any significant modification to this privacy policy.