BNGroup App Privacy Policy
Effective date: 01 September 2025
This Privacy Policy explains how BNGroup (“we”, “us”) processes personal data when you use bngroup.ro and connect bank accounts via Salt Edge open banking connectivity.
This policy is designed to meet the EU transparency requirements (GDPR Art. 13/14).
1) Controller and contact
Data controller: BN FINTECH SRL
Registered office: Cluj Napoca, Romania. Registration number: 43792885
Privacy contact: tech@bngroup.ro
Data Protection Officer (DPO): Andrei Rusu (andrei.rusu@bngroup.ro)
2) What data we process
A) Account and usage data
- Account details: name, email, phone (optional), company name (optional), role.
- Authentication/security data: hashed password, MFA status, login timestamps, IP address, device/browser data.
- Support data: messages you send to us, issue logs.
B) Open banking (bank account) data you choose to connect
Depending on the bank and your consent scope, we may retrieve:
- Account identifiers (e.g., IBAN/partial account number where available), account name/type, currency
- Balances
- Transactions (date, amount, description, merchant/creditor/debtor details where provided by bank)
- Connection metadata (bank name, connection status, consent/connection timestamps)
C) Cookies and similar technologies
We may use strictly necessary cookies and, if enabled, analytics/marketing cookies (see Section 10). EU rules generally require consent for non-essential cookies.
3) Where the data comes from
- Directly from you (registration, settings, support).
- From your bank via Salt Edge after you authenticate and grant consent in the bank/open banking flow.
- From your device/browser (logs, cookies).
4) Why we process data and our legal bases
We process personal data for these purposes:
- Provide the App and your account (create account, login, security, core features).
  Legal basis: contract necessity (GDPR Art. 6(1)(b)).
- Enable open banking connections and show your financial data in the App (connect banks, refresh data, display reports).
  Legal basis: contract necessity (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) depending on the specific feature.
  Note: “Consent” in open banking/PSD2 flows is an authorization mechanism to access bank data; GDPR lawful basis may still be contract/legitimate interest (and must be described transparently).
- Fraud prevention, security, and abuse detection.
  Legal basis: legitimate interests (Art. 6(1)(f)).
- Legal/compliance obligations (accounting, audits, responding to lawful requests).
  Legal basis: legal obligation (Art. 6(1)(c)).
- Marketing communications (optional).
  Legal basis: consent (Art. 6(1)(a)) or legitimate interests (e.g., B2B relationship communications), as applicable. You can opt out anytime.
5) Salt Edge and open banking connectivity
We use Salt Edge as a connectivity provider to establish and maintain bank API connections and retrieve Account Data.
- Salt Edge describes how it processes personal data in its own privacy documentation.
- In many partner setups, Salt Edge acts as a data processor for the partner that provides the end-user service (this must match your contract/channel with Salt Edge).
Important: you authenticate with your bank during the open banking flow; availability and exact data fields depend on the bank’s API.
6) Who we share data with
We may share personal data with:
- Salt Edge (open banking connectivity)
- Hosting and infrastructure providers (cloud hosting, databases, monitoring, email delivery)
- Customer support tools (ticketing/chat) if used
- Professional advisers (legal, auditors) when necessary
- Authorities/courts when legally required
We do not sell your personal data.
7) International transfers
We aim to keep processing within the EU/EEA where possible. Salt Edge states EU/EEA users’ personal data is stored in the EU and transfers outside the EU follow GDPR mechanisms.
If any of our vendors transfer data outside the EU/EEA, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses) and provide details on request.
8) Retention
We keep data only as long as necessary for the purposes above:
- Account data: for the duration of your account, plus [X months/years] after closure (for support, security, and legal reasons).
- Open banking data: while your connection is active; after disconnection/account closure we delete or anonymize within [X days/months], unless retention is required by law or for dispute/security handling.
- Logs/security events: typically [X days/months].
- Marketing preferences: until you withdraw consent/opt out.
(Replace bracketed values with your actual retention schedule.)
9) Security
We use reasonable technical and organizational measures (access controls, encryption in transit, least privilege, monitoring). No service can be guaranteed 100% secure; you are responsible for keeping your credentials safe and using MFA if available.
10) Cookies and similar technologies
- Strictly necessary cookies: required for login, sessions, and core security; typically do not require consent.
- Analytics/marketing cookies (if enabled): require prior consent in the EU (opt-in).
We provide a cookie banner/manager where you can accept/reject optional cookies and change preferences later.
11) Your GDPR rights
Subject to GDPR conditions, you can:
- access your data, correct it, delete it
- restrict or object to processing
- receive a portable copy of data you provided (where applicable)
- withdraw consent (for consent-based processing)
- lodge a complaint with the supervisory authority
Romania’s supervisory authority (ANSPDCP) contact details are available on its official site.
12) Children
The App is not intended for children under 16. We do not knowingly process children’s data.
13) Changes to this policy
We may update this Privacy Policy. We will post the new version on bngroup.ro and, if changes are material, notify you in-app or by email.
14) Contact
Privacy questions or requests: tech@bngroup.ro
DPO: andrei.rusu@bngroup.ro
