We, infinnity financial technologies GmbH, provide you, in addition to our internet website and the Pliant web app, also with a Pliant mobile app, which you can download to your mobile device (hereinafter "Pliant mobile app"). In the following, we provide information about the collection of personal data when using our Pliant mobile app. Please refer to the separate privacy policies for the website and our Pliant web app.
Controller for the processing of personal data collected when using our Pliant mobile app is:
infinnity financial technologies GmbH
Oberwallstraße 6 c/o rent24
10117 Berlin, Germany
2. Contact data of the data protection officer
Our data protection officer will be happy to provide you with information on data protection:
3. Usage data for statistical purposes
When using our Pliant mobile app, we collect the personal data described below on the basis of Art. 6 (1) lit. f GDPR to provide you with the features of our Pliant mobile app as well as to ensure the stability and security of the Pliant mobile app. These purposes pursued by us represent at the same time the legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The data set consists of:
the date and time of the request,
time zone difference from Greenwich Mean Time (GMT),
the amount of data transferred,
the access status (file transferred, file not found),
the operating system used,
the device model,
the IP address of the requesting device, which is shortened so that a personal reference can no longer be established.
4. Functionalities and purposes of the Pliant mobile app
With the help of the Pliant mobile app, card users who have received a company credit card via their employer are able to manage their card transactions. In the Pliant mobile app, the payment-relevant card information (card number, security code) can be accessed. In addition, the self-executed transactions can be checked and, for example, images of receipts can be uploaded or a new card can be ordered in case of loss. The processing of personal data is based on Art. 6 para. 1 lit. b GDPR.
When downloading the Pliant mobile app, the following information is transferred to the app store: name, email address and customer number of your account, time of download, payment information and the individual device identification number. However, we have no influence on this data collection and are not responsible for it. We process this provided data as far as this is necessary for downloading the Pliant mobile app to your end device. The data is not stored further beyond that.
Login to the Pliant mobile app
The following card user data is processed for login: Email address, password and mobile tan (two-factor authentication) or alternatively biometric identification via the mobile device (e.g. fingerprint, FaceID). We process the specified data for registration and further operation/use of the Pliant mobile app.
Push notifications in the Pliant mobile app are used to notify cardholders about new card transactions, approval of new cards, or expiration of existing cards. We also use push-TANs to authenticate users via two-factor authentication for the Pliant web app.
5. Pliant mobile app authorizations
In order for all functionalities and services of the Pliant mobile app to work, the Pliant mobile app must be able to access various functions and data of the device. For this it is technically necessary that the Pliant mobile app is granted certain access permissions. If you do not want to grant certain access permissions, some functionalities and services of the Pliant mobile app are not usable. The Pliant mobile app requires the following authorizations:
Camera and memory (taking photos/accessing photos on the device as well as files)
You can allow the Pliant mobile app to take photos or access your smartphone's memory (image gallery and file system). The Pliant mobile app needs access to the photos stored on the device (image gallery and file system) so that you can upload images of receipts. For authentication, we need access to the interface for biometric identification (e.g. Face ID).
6. Google Firebase (Analytics)
The legal basis for the data processing is your consent according to Art. 6 (1) lit. a DSGVO. Consent can be revoked at any time with effect for the future, e.g. by restricting the use of the advertising ID in the device settings or by activating or deactivating the slider under Profile Settings and Preferences for Firebase. You can find more information here and in the privacy information of Firebase.
7. Storage duration
We delete processed personal data when they are no longer required for the aforementioned processing purposes and no statutory retention obligations prevent deletion.
8. Transfer to third parties
We will only pass on your data to third parties if you have agreed to this or if we are entitled or obliged to do so on by virtue of a legal basis.
The following categories of recipients receive your data:
Card issuer for the implementation of legal requirements
Partner bank for setting up and maintaining a settlement account and thereby fulfilling legal requirements
Card office for issuing the card
Companies for processing card payments and cardholder data
Service providers to support the sales team (shared growth)
9. Data processors
For the provision of certain services and for the processing of your data we use service providers (data processing on behalf pursuant to Art. 28 GDPR).
These are service providers of the following categories:
Hosting service providers for the operation of the Pliant mobile app
Development service providers for programming, development, maintenance and support of software applications
SMS dispatch service providers for sending confirmation codes (2-factor authentication)
Service providers for push notifications
email delivery service providers for sending emails in connection with our contractual services
Service providers for ensuring IT security
Service providers in the context of the log-in process
Cloud service providers
Analytics service provider for the evaluation of data and analysis of the use of the Pliant mobile app
Insofar as these service providers have access to your data, this is only done on our behalf and in accordance with our instructions. The service providers have been carefully selected and are also obliged to comply with the applicable data protection regulations. They will only have access to your data to the extent and for the period required to provide the services.
The servers of some service providers used by infinnity are located in the USA and other countries outside the European Union (EU) / European Economic Area (EEA). Where possible, we would like to avoid this and only use servers located within the EU/EEA. Companies in countries outside the EU/EEA are subject to data protection laws that do not generally protect personal data to the same extent as they do in the member states of the European Union. There is currently no decision by the EU Commission that third countries generally provide an adequate level of protection. In particular, a secure transfer to the USA is currently not fully possible. Insofar as your data is processed in a country that does not have a recognized high level of data protection such as the European Union, infinnity will ensure that the level of data protection is secured to the greatest possible extent by means of contractual regulations or other recognized instruments.
10. Obligation to provide the data
The provision of your data is not required by law and is voluntary. However, for the use of the Pliant mobile app services, the login with the user data as well as the provision of access to the image gallery and file system is required so that we can implement the functions of the Pliant mobile app according to purpose (see above). Without this data we cannot provide our Pliant mobile app services.
11. Your rights as a data subject
When processing your personal data, the GDPR grants you certain rights as a data subject:
Right of access (Article 15 GDPR)
You have the right to request confirmation as to whether personal data concerning you are being processed; if this is the case, you have the right to be informed about these personal data and to receive the information listed in detail in Article 15 GDPR.
Right of rectification (Art. 16 GDPR)
You have the right to request the correction of any inaccurate personal data relating to you and, where applicable, the completion of any incomplete data without delay.
Right to erasure (Art. 17 GDPR)
You have the right to request that personal data concerning you be deleted without delay, provided that one of the reasons listed in detail in Art. 17 GDPR applies.
Right to the restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, for example, if you have objected to the processing, for the duration of the review by the controller.
Right to data portability (Art. 20 GDPR)
In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format, or to request the transfer of this data to a third party.
Right of objection (Art. 21 GDPR)
If data are collected on the basis of Art. 6(1)(f) GDPR (data processing for the protection of legitimate interests), or on the basis of Article 6(1)(e) GDPR (data processing for the protection of public interests, or for the exercise of official authority), you have the right to object to the processing at any time on grounds relating to your particular situation. We will then no longer process the personal data unless there are proven compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Right of appeal to a supervisory authority (Art. 77 GDPR)
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection regulations. The right of appeal may in particular be exercised before a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.