Privacy policy

Following the voluntary surrender and formal revocation of our crypto-custody license as of 31 December 2025, personal data from previous or still ongoing business relationships is processed primarily to enable the orderly wind-down of our regulated business.
This includes, but is not limited to:
- Executing the final phases of ceasing all regulated business activities.
- Fulfilling contractual and statutory obligations regarding the custody and final settlement of assets.
- Handling inquiries from former clients during the residual asset management phase.
- Communicating with authorities or judicial bodies such as the Federal Financial Supervisory Authority (BaFin), Deutsche Bundesbank regarding the finalization of the wind-down.
The processing is performed in order to fulfill: residual contractual and post-contractual obligations (Art. 6 para. 1 (b) GDPR),  Compliance with legal obligations, including BaFin supervisory requirements (Art. 6 para. 1 (c) GDPR), and Legitimate interests in ensuring a solvent, compliant, and risk-mitigated cessation of the regulated business activities (Art. 6 para. 1 (f) GDPR).

If you have given us consent to process personal data for certain purposes (e.g. transfer of data within the company/network), this processing is lawful on the basis of your consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected. You can request a status overview of the consents you have granted from us at any time.

The processing of personal data formerly carried out for the provision of financial services in the context of the implementation of our contracts with our customers or for the implementation of pre-contractual measures, which are carried out at your request, is now strictly governed by the regulatory and operational requirements for the orderly conclusion and winddown of our regulated business activities.

In addition, as a formerly licensed financial services provider under continued supervision during the orderly conclusion and winddown of the regulated business activities, we are subject to various legal obligations, i.e. legal requirements (e.g. German Banking Act, German Money Laundering Act, tax laws) and financial supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the German Federal Bank and the German Federal Financial Supervisory Authority). For the purpose and duration of the orderly winddown and until the competent authorities waive the related legal and regulatory obligations, the purposes of the processing may include, among others, identity and age verifications, fraud and money laundering prevention, the fulfillment of control and reporting obligations under tax law, and the assessment and management of risks at Finoa GmbH.

If necessary, Finoa GmbH will process your data beyond the actual fulfillment of the contract and the conclusion and winddown of our regulated business activities in order to protect the legitimate interests of Finoa GmbH or third parties. Examples:If necessary, Finoa GmbH will process your data beyond the actual fulfillment of the contract in order to protect the legitimate interests of Finoa GmbH or third parties. Examples:
‍

We process your personal data on the servers of AWS Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg. The personal data we process are:
‍

To comply with the regulatory obligations still applicable to us during the orderly conclusion and winddown of our regulated business activities, under applicable counter-terrorist financing and anti-money laundering laws (esp. German Money Laundering Act (Geldwäschegesetz(GWG)), we are using different services to verify your identity and carry out control measures  for the prevention and detection of crime including fraud and/or money laundering. The contracted providers  are subject to our instructions by a data processing agreement.

We are using the services of IDnow GmbH, Auenstr. 100, 80469 Munich (“IDnow”) to conduct video identifications for the identification documents verification in order to start providing you our services.
‍
The data that is processed is your last name, first name, place of birth, date of birth, nationality, full address mobile phone number, email address, photo/screenshot of the person and the front and back of the ID document, ID data (such as date and place of issue, issuing authority, etc.), user name for the video conference program used, video and sound recording of the video call.
‍
The legal basis for the processing of your personal data is Art. 6 Para. 1 lit. b GDPR for the initiation or implementation of a contractual relationship of which you are a part. The purpose of data processing is to fulfill the service contract.
‍
Furthermore, the legal basis for data processing is Art. 6 para. 1. lit. c of GDPR, based on our compliance with the legal obligation arising from anti-money laundering laws.
‍
We delete your personal data when they are no longer necessary to achieve the purpose of their processing.
‍
Due to the statutory retention periods and documentation obligations, this is between two to ten years as mentioned in section 6 of this policy.

Further information on data protection at IDnow can be found here: https://go.idnow.de/privacy/de

We use the services of Notabene ID GmbH, Dammstrasse 16, CH-6300 Zug, Switzerland, CHE-148.625.400 ("Notabene") to fulfill our legal obligations under the German Ordinance on Enhanced Due Diligence Obligations for the Transfer of Crypto Assets (Kryptowertetransferverordnung - KryptoWTransferV).
‍
Notabene's so-called SafeTransact platform enables us to automate decisions in real time, assign the affiliation of addresses and ensure the implementation of the KryptoWTransferV.
‍
The processing of the personal data required for this purpose is carried out in accordance with the KryptoWTransferV and the associated anti-money laundering regulations.
The legal basis for data processing is Art. 6 (1) lit. c GDPR due to our legal obligations mentioned above.
‍
If the purpose no longer applies and there is no statutory retention period, the corresponding personal data will be deleted. In principle, the data will only be stored for the duration of the purposes stated above.

We use the “Compass” service from Merkle Science (Stackseer Technologies Pte. Ltd), a limited liability company registered in Singapore ("Merkle Science”), to fulfill our legal due diligence obligations under the Regulation on Enhanced Due Diligence Obligations for the Transfer of Crypto Assets (Kryptowertetransferverordnung - KryptoWTransferV) and the anti-money laundering regulations.
‍
Merkle Science provides blockchain transaction monitoring solutions that help detect, investigate and prevent money laundering, terrorist financing and other criminal activities.
‍
This includes collecting, processing and storing data on blockchain transactions and addresses from public sources and reconciling this information.
‍
The legal basis for data processing is Art. 6 Para. 1 lit. c GDPR based on our fulfillment of the legal obligation under the KryptoWTransferV and the anti-money laundering regulations.
‍
If the purpose no longer applies and there is no statutory retention period, the corresponding personal data will be deleted. In principle, the data is only stored for the duration of the purposes mentioned above.

8.5.1. Use of Atlassian products
‍We use Atlassian's cloud products (e.g., Jira, Confluence) for project management, collaboration, and to process your service inquiries. This involves processing personal data you provide, such as your name, email address, and any content within project tickets or pages.

8.5.2. Legal basis and data processing
‍The legal basis for this processing is the performance of our contract with you (Art. 6(1)(b) GDPR) and our legitimate interest in efficient business operations (Art. 6(1)(f) GDPR).
‍
Our data processor for these services is Atlassian Pty Ltd. We have a Data Processing Addendum (DPA) in place with Atlassian in accordance with Art. 28 GDPR.

8.5.3. Third-country data transfer
As Atlassian uses subprocessors globally, including in the USA, your data may be transferred to a third country outside the EU. This transfer is safeguarded by Atlassian's certification under the EU-U.S. Data Privacy Framework (DPF) and our agreement which incorporates the EU Standard Contractual Clauses (SCCs).
‍
For more details, please see Atlassian's Privacy Policy.

If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions.
‍
The legal basis for the processing of your data, which is transmitted in the course of sending the message, is Art. 6 para. 1 p. 1 lit. b of the GDPR, insofar as your contact is aimed at the conclusion of a contract with us or the communication concerns an already existing contractual relationship.
‍
If the contact is neither related to a contract nor aimed at the conclusion of a contract, the legal basis for the data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.
‍
The data entered by you in the contact form will remain with us until you request us to solve the problem, revoke your consent for storage, or the purpose for which the data is stored no longer applies (e.g. after your inquiry has been processed). Mandatory legal provisions - in particular retention periods - remain unaffected.

If you contact us by email, telephone, your inquiry including all personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request.
‍
The legal basis for the processing of your data, which is transmitted in the course of sending the message, is Art. 6 para. 1 lit. b of the GDPR, insofar as your contact is aimed at the conclusion of a contract with us or the communication concerns an already existing contractual relationship.
‍
If the contact is neither related to a contract nor aimed at the conclusion of a contract, the legal basis for the data processing is your consent pursuant to Art. 6 para. 1 lit. a of the GDPR.
‍
The data sent to us by you via contact inquiries will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for storing it no longer applies (e.g. after your inquiry has been processed). Mandatory legal provisions - in particular
legal retention periods - remain unaffected.

We use the ticket system Zendesk, a customer service platform of Zendesk Inc., 989 Market Street, San Francisco, CA 94102, USA to provide customer support. The purpose of the data processing is the handling of your request with which you have contacted us through the contact form (point 11.1) and/or via email (point 11.2). For this purpose, the types of data you give us depend on the content of the message you send us.
‍
‍Typically, we receive the types of data below from you: surname, first name, postal address, telephone number, e-mail address, country, company information, and other personal data transmitted as part of the message.  
‍
The legal basis for the processing of your data, which is transmitted in the course of sending the message, is Art. 6 para. 1 lit. b of the GDPR, insofar as your contact is aimed at the conclusion of a contract with us or the communication concerns an already existing contractual relationship.
‍
If the contact is neither related to a contract nor aimed at the conclusion of a contract, the legal basis for the data processing is your consent pursuant to Art. 6 para. 1 lit. a of the GDPR. You can revoke your consent to data processing at any time in accordance with Art. 7 GDPR by sending an e-mail with the corresponding content to datenschutz@finoa.io. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of revocation, your personal data will no longer be processed and will be deleted, provided that there are no legal retention obligations to the contrary.
‍
Zendesk is contractually bound to our instructions under a data processing agreement, incorporating Standard Contractual Clauses of the European Commission. It has also supplementary measures that are required by the Schrems II C-311/18 decision of the Court of Justice of the European Union.
‍
The appropriate safeguards are agreed upon under SCCs as an annex and can be demanded by making a request to us to datenschutz@finoa.io or by making a request to review the data processing agreement as a non-signatory in this link https://www.zendesk.de/company/data-processing-form/ You can find further information about data protection in Zendesk’s privacy policy and about supplementary measures on their blog. The purpose of the data processing is the handling of your request with which you have contacted us.
‍
We delete your personal data when they are no longer necessary to achieve the purpose of their processing.

We use the services of Google Workspace (“GWS”) tools of Google Cloud EMEA Ltd. with offices at 70 Sir John Rogerson's Quay, D02 R296, Dublin 2, Ireland (“Google”). Google is our email service and call provider.  
‍
The purpose of the data processing is the handling of your request with which you have contacted us as a backup solution to Zendesk. For this purpose, the types of data you give us depend on the content of the message you send us. Typically, we receive the types of data below from you: surname, first name, postal address, telephone number, e-mail address, country, company information, and other personal data transmitted as part of the message.
‍
The legal basis for the processing of your data, which is transmitted in the course of sending the message, is Art. 6 para. 1 p. 1 lit. f of the GDPR, our legitimate interest is in the prevention of loss of customer messages in the event that our customer service platform’s services become unavailable.
‍
In case, our customer service platform’s services become unavailable, the legal basis for the processing of your data is based on Art. 6 para. 1 p. 1 lit. b of the GDPR, insofar as your contact is aimed at the conclusion of a contract with us or the communication concerns an already existing contractual relationship.
‍
Finoa has chosen Europe as the location of the data center for the email service provider. For future cases, if there is a need to change the storage location outside of this region, your personal data will be transferred in accordance with the Art. 46 para 2 lit. c of the GDPR, based on Standard Contractual Clauses (“SCC”) accompanied by a conducted data transfer impact assessment. The appropriate safeguards are agreed upon under SCCs as an annex and can be demanded by making a request to us to datenschutz@finoa.io according to clause 8.3 of the SCCs, Transparency, under the Module 2 or directly to the processor data exporters, mentioned in title 5 as recipients, according to the clause 8.3 under the Module 3 of SCCs. Additionally, Google made available their appropriate safeguards on its webpage under its data protection-related terms, Google Cloud SCCs.
‍
We delete your personal data when they are no longer necessary to achieve the purpose of their processing.
‍
There is no possibility to object to this data processing per Art. 21 GDPR, as the processing of the data is mandatory for the provision of customer support.

Functions of the X service are integrated into our services. These functions are offered by the:
X Internet Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland.
‍
By using X and the "Repost" function, the websites you visit are linked to your X account and made known to other users. This also involves the transfer of data to X. We expressly point out that we, as the provider of the services, have no knowledge of the content of the transmitted data or its use by X. Further information on this can be found in the X privacy policy. You can change your data protection settings on X.

Our services use functions of the LinkedIn network. The provider is:
LinkedIn Ireland Unlimited Company,
Wilton Place, Dublin 2, Ireland.
‍
When you visit our services and click the LinkedIn plugin ("Recommend button"), a connection to LinkedIn servers is established. LinkedIn will be notified that you have visited our services using your IP address. If you click on the LinkedIn "Recommend Button" and are logged into your LinkedIn account, LinkedIn may associate your visit to our services with your account. We expressly point out that we, as the provider of the pages, have no knowledge of the content of the data transmitted or of the use of such data by LinkedIn. You can find further information on LinkedIn’s data protection provisions.
‍
The LinkedIn Insight Tag enables the collection of data regarding members’ visits to Finoa's website, including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp. The IP addresses are truncated or (when used for reaching members across devices) hashed, and members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymized data is then deleted within 180 days.

We have integrated the component Google Analytics (with anonymization function) on this website. Google Analytics is a web analytics service. Web analysis is the gathering, collection, and analysis of data about the behavior of visitors to websites. Among other things, a web analysis service collects data on which website a data subject has come to a website from (so-called referrers), which subpages of the website were accessed, or how often and for which period of time a subpage was viewed. A web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.
‍
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
‍
Google Analytics uses cookies. The information generated by the cookie about your use of this website is usually transmitted to a Google server and stored there. Google might transfer the personal information collected via this technical procedure to third parties.
‍
During your visit to the website the following data, among others, is recorded:
‍

Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID with which you can be recognized during future visits to the website. The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 26 months. Other data remain stored in aggregated form for an unlimited period.
‍
If you do not agree with the collection, you can prevent this by installing the browser add-on once to deactivate Google Analytics.

Within our work environment (Google Workspace), we use AI-powered features from Gemini to simplify our communication and organizational processes. This applies in particular to email communication (e.g., assistance with drafting emails) and calendar management (e.g., automatically creating events).
‍
This involves the processing of communication and calendar data (such as email content, names and email addresses of participants, subject lines, and descriptions). The legal basis is our legitimate interest in efficient work processes (Art. 6(1)(f) GDPR) or the initiation and performance of contracts (Art. 6(1)(b) GDPR). Our data processor is Google (Google Ireland Limited). Data may be transferred to Google LLC in the USA; this transfer is legally secured by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

We also use AI features from Zendesk (e.g., AI Copilot) to process your inquiries faster and more effectively. This involves analyzing the content of your message to support our agents. Through contractual guarantees, Zendesk ensures that when your data is processed by AI partners (such as OpenAI), it is not stored or used for training purposes and remains within the European Economic Area. The legal basis and our existing agreement with Zendesk remain unaffected by this.

To improve our internal workflows, we also use the integrated "Atlassian Intelligence" feature to assist in summarizing, analyzing, and creating content.
Important Data Protection Guarantee: Atlassian contractually ensures that your data (both inputs and AI-generated outputs) will not be used to train their general AI models or those of their subprocessors. Your data remains under our control and is processed only for the specified purpose.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of an assessment of interests). This also applies to profiling based on this provision within the meaning of Article 4 (4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that overrides your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made form-free.

The objection can be made informally with the subject "Objection", stating your name, address, and date of birth, and should be addressed to:

Finoa GmbH
Voltastraße 1
14482 Potsdam, Germany
E-Mail: datenschutz@finoa.io

If you would like information that this data protection notice cannot provide or if you would like further information on a specific point, please contact the Finoa GmbH data protection officer at: datenschutz@finoa.io.