Privacy policy

Thank you for your interest in our company, our website and our Application. 

The protection of your personal data, the transparency of the processing and the information how and where you can assert your rights is important to us. Therefore, through this policy (together with the General Terms of Use of the Application and any other documents this policy refers to) we would like to inform you in accordance with Art. 13 and Art. 14 of the EU General Data Protection Regulation 2016/679 (the “General Data Protection Regulation” or the “GDPR”) regarding the processing of personal data when using the Application. The respective concrete content and scope of data processing results from the respective products and services requested by you or agreed with you.

Who can you contact with questions about data protection?

dataprotection@fairo.ro

Who is responsible for the processing of personal data?

The provider responsible for data processing is:
Fairo GmbH, with its seat in Vienna and business address Am Stadtpark 9, A-1030 Vienna, Austria, registered with the commercial register at the commercial court of Vienna under FN 552682v (the “Company” or the “we”). 

What personal data can be processed about you?

We process the following categories of personal data for the purposes mentioned below: Personal details that you provide (e.g., name, address, date and place of birth, nationality, e-mail, etc.), identity and travel document data (e.g. specimen signature, ID card data), payment data (e.g., payment data in regards to the created invoices), electronic log and identification data (Application identification confirmation, IP address, cookies, etc.), invoice data (e.g., Tax and social security data (Tax and VAT ID, personal identification number - CNP) Participation, memberships in corporate bodies, powers of representation (e.g. detailed information on the respective role, type of power of representation, voting rights, size of participation, and authorization), as long as these refer to a natural person and other data comparable to the above categories, provided by you through the information or documents provided or created in the Application.

When you choose to connect your Application account with your bank account(s) by accessing the payment services offered by our provider from the Application (“PSD2 Services”), the following data will be processed:

Personal details (Name, internal identification numbers (e.g. customer number, contract partner number))
Financial identification data (e.g. IBAN/BIC, data of credit-, debit- or prepaid-cards (type, holder, issuing organization, validity period, limit))
Payments and clearing data (Details of payer, recipient/beneficiary, transaction amount, transaction currency, IBAN/BIC of payer and recipient account, clearing data, other SWIFT-related data),
as long as these refer to a natural person. These will be shared through the Application, so we will also access them for providing our services. The PSD2 Services provider will act as a separate and independent data controller. For more details on its personal data processing, please see its privacy policy available in the Application when accessing the PSD2 Services.

Where does your personal data come from?

We process personal data that we receive from you when you create a user account in the Application, as well as a result of your actions when using the Application, during our business relationship. In addition, we process data that we have permissibly received from our business analysis services provider from publicly accessible sources (e.g., register of companies, register of associations, or media), when creating your user account, or from our customer care services providers and customers. Also, when you connect your Application account with your bank account(s) over the PSD2 Services, we will process the data received from the PSD2 Services provider for the purpose of providing our services through the Application. The processed data categories are the personal details, financial identification data and payments and clearing data described above.  

On what legal basis and for what purpose is your personal data processed?

Your personal data will be processed in accordance with the provisions of the General Data Protection Regulation as well as any other applicable local law. The GDPR lists various legal bases for permitted data processing. In the following section, we explain on which legal basis of the GDPR and for which purpose we process your data.

A. Fulfillment of contractual obligations (Art. 6 para. 1 lit b GDPR)

"Fulfillment of contractual obligations" is the legal basis for processing activities performed in the context of the conclusion, respectively the execution of the contract between you and the Company, as well as for the performance of pre-contractual measures, in order to allow you to use the Application and for the provision of the services within the scope of the business relationship through the Application. This is applied for the following purposes:

1. Creating a user account in the Application and providing access to the Application
2. Providing the services available in the Application, namely creating, sending, receiving and managing invoices, overseeing connected account transactions, paring the transactions with issued invoices, as well as other services as these will be available in the Application. In relation to the PSD2 Services, we will receive the data necessary for providing our services in the Application and consequently we will be able to provide you with services such as overseeing connected account transactions or paring the transactions with issued invoices, if you agree for the PSD2 Service provider to share the data with us.

The exact manner in which the data processing addressed here is carried out can be found in the respective contract documents and General Terms of Use, as well as in the Application features.

B. Fulfillment of legal obligations (Art. 6 para. 1 lit c GDPR)

"Compliance with legal obligations" is the legal basis for processing that is necessary to comply with various legal obligations, such as those arising from Austrian legislation such as the Fiscal Code(Bundesbabgabenordnung, BAO), Commercial Code (Unternehmensgesetzbuch, UGB), Industrial Code (Gewerbeordnung, GewO) , etc., or Romanian legislation such as the Fiscal Code and its implementing norms, the Law on the prevention and combating of money laundering and financing of terrorism, etc., as well as on the basis of certain supervisory requirements to which the Company is subject as an Austrian company.

Examples of processing purposes based on a legal obligation: 

• Providing information concerning the invoice storage mechanism as well as allowing access, download and review of the issued invoices upon demand of the tax authorities in order for the tax authorities to be able to verify the accuracy and authenticity of the invoices presented by the user
• Notifications to the Money Laundering Reporting Office in certain suspicious cases
• Assessment and management of risks

The purpose is thus the fulfillment of legal obligations. 

C. Within the scope of your consent (Art. 6 para. 1 lit a GDPR)

"Consent" is the legal basis for data processing that applies when you have given us your consent to process your personal data for specific purposes. 

Processing will only be carried out in accordance with the purposes and to the extent agreed in the declaration of consent. Consent given can be revoked at any time with effect for the future.

Such processing based on consent is made for the following purposes:      

• Sending of newsletters, here too we request your consent before sending
• Sending you marketing information with news, exclusive offers or other promotional information, regarding the Company’s products and services 

Specific details about the purpose can be found in the text of the consent.

D. Safeguarding legitimate interests (Art. 6 para. 1 lit f GDPR) 

“Legitimate interest” is the legal basis for processing that takes place in the context of a balancing of interests. We will only process your data if your interests or fundamental rights and freedoms do not override our interests. 

Examples of processing purposes based on legitimate interests:

1. Testing and optimization of procedures for demand analysis and direct customer contact
2. Measures for business management and further development of services and products
3. Measures to protect customers and employees as well as the Company`s property and legal interests, including by conducting customer due diligence procedures for verification of the identity and representation of the user
4. Data processing for the purpose of legal prosecution
5. Assertion of legal claims and defense in legal disputes
6. Ensuring the Company`s IT security and IT operations
7. Prevention and investigation of criminal offences
8. Develop services and products that are tailored to your interests and life situation
9. Providing customer care to the users and answering user requests, questions, or complaints

The purposes are determined by the business relationship and the provision of services, also in the context of the (pre-contractual) business relationship.

The evaluation of the data for this purpose only takes place as long as you have not objected to it.

Who receives my personal data?

Within the Company, your data is received by those departments or employees that need it to fulfill contractual, legal and/or supervisory obligations, as well as legitimate interests or based on your consent. In addition, contractually bound processors (in particular IT and back-office service providers, the group company handling GDPR rights requests for us, located in the European Union and Economic European Area, as well as the customer care services providers located in the European Union) will receive your data. 

The companies with which we cooperate for providing you the services in the Application (e.g. PDS2 Services providers), located in the European Union or the United Kingdom, will also receive your data. We share your Tax ID with the business analysis services provider, located in the European Union, which performs customer due diligence for us. These recipients receive your data insofar as they require the data to fulfill their respective service. 

All processors are contractually obligated to treat your data confidentially and to process it only in the context of providing the service. 

The PSD2 Services and the business analysis services providers, as separate and independent data controllers with respect to any personal data processed (received from us, directly from you or from other sources) will be solely responsible for compliance with the applicable legislation. 

In the event of a legal or regulatory obligation, public bodies and institutions, as well as our statement auditors or legal consultants from Austria or Romania may be recipients of your personal data.

Your personal data may also be transferred to third parties acquisitors, insofar the business of the Company would be (totally or partially) transferred and the data subjects’ data would be part of the assets representing the object of the transaction.

Is personal data transferred to a third country or to an international organization?

Transfer of personal data to third countries only takes place in accordance with the bases of the transfer of the GDPR. We oblige such recipients to comply with European data protection and security standards (e.g. by implementing EU Standard Contractual Clauses). 

You are welcome to ask us for specific information.

How long will my personal data be stored?

We store your personal data during the customer business relationship (i.e., for as long as you have a user account in the Application) and for a further 7 years after the end of the entire business relationship in accordance with our retention obligations under applicable laws. After that, the personal data from the customer business relationship will be deleted in accordance with the General Data Protection Regulation unless there is a further legal basis for retention. 

Am I obliged to provide my personal data?

Within the scope of the business relationship, you must provide those personal data that are required for the establishment and execution of the business relationship (your use of the Application and the services offered), this being a contractual requirement (represented by the General Terms of Use) and the data that we are legally obligated to collect. If you do not provide us with this data, we will usually refuse to conclude the contract (which means impossibility of the Company to register your request for account creation in the Application) or to give you access to the services available in the Application, or will no longer be able to perform an existing contract and will therefore have to terminate it. 

Is there any automated decision-making?

We do not use fully automated decision-making pursuant to Article 22 of the GDPR for the establishment and performance of the business relationship, for the processing of personal data referred to herein. Should we use these procedures in the future, we will inform you about this separately, as required under the law.

What data protection rights do I have?

Within the context of the processing of your personal data, you have the following rights: 

1. The right of access to the processed personal data: you have the right to obtain a confirmation whether or not your personal data are being processed, and, if affirmative, to have access to the type of personal data and to the conditions of processing;
2. The right to request the rectification or erasure of personal data: you have the possibility to request the rectification of inaccurate personal data, the supplementation of incomplete data or the erasure of your personal data in case (i) the data are no longer needed for their original purpose (and no new lawful purpose exists), (ii) the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists, (iii) the data subject exercises the right to object and the controller has no overriding grounds for continuing the processing, (iv) the data have been processed unlawfully, (v) erasure is necessary for compliance with EU law or Romanian law, or (vi) the data were collected in connection with the informational society services offered to children (if the case), where specific requirements regarding consent are applicable;
3. The right to request the restriction of processing: you have the right to obtain the restriction of processing in cases where: (i) you consider that the processed personal data are inaccurate, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful, however you don’t want us to erase your personal data, but to restrict the use of data; (iii) in case the data controller no longer needs your personal data for the above-mentioned purposes, but you are requiring the data for establishing, exercising or defending a legal claim or (iv) you have objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject;
4. The right to withdraw your consent for processing, when the processing is based on consent, without affecting the lawfulness of processing undertaken until that moment;
5. The right to object to the data processing on grounds relating to your particular situation, when the processing is based on legitimate interest and to object at any moment to the data processing for direct marketing purposes, including profiling;
6. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects the data subject in a significant manner;
7. The right to data portability, meaning the right to receive your personal data, which you provided to the data controller in a structured, commonly used and machine-readable format and the right to transfer those data to another controller, if the processing is based on your consent or the performance of a contract and is undertaken by using automatic means;
8. The right to file a complaint with the competent local supervisory authority and the right to address to the competent courts of law.

We will be happy to help you with any questions, suggestions or complaints you may have about data protection. The above rights may be exercised at any time. For exercising these rights, we encourage you to send a notice in writing, dated and signed or in electronic format, to the address indicated in the beginning of this policy. 

If you feel that your right to data protection has been violated, you can also lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, www.dsb.gv.at. 

Version last updated on 24.11.2021