Mobile App Privacy Policy

Information under Articles 13, 14, and 21 of the European Data Protection Regulation - DPA

With this Data Privacy Policy, Finoa GmbH informs you about the processing of your personal data (Art. 4 No. 2 DSGVO) by Finoa GmbH and the claims and rights you are entitled to according to the data protection regulations. What type of data is processed and what it is used for depends mainly on the services that you have requested or agreed to as a user.

With the following Data Privacy Policy, we inform you in particular about the type and scope, purpose, duration, and legal basis of the processing of personal data through use of the Finoa application (hereinafter App), provided that we decide, either alone or jointly with others, on the purposes and means of processing. We also inform you in the following about the services we offer for optimization purposes and to increase the quality of external components, insofar as third parties process data in their own data processing systems or under their own responsibility.

1. Information about us and whom to contact

Responsible provider of this App in the sense of data protection law is:

Finoa GmbH
Voltastraße 1
14482 Potsdam

The data protection officer of Finoa GmbH can be reached at:

Finoa GmbH
Data protection officer
Voltastraße 1
14482 Potsdam

2. On what legal basis do we process your data?

Finoa GmbH processes the above-mentioned personal data in accordance with the EU Data Protection Basic Regulation (DSGVO) and the Federal Data Protection Act (BDSG).


a) To fulfill contractual obligations (Article 6 paragraph 1 b DSGVO)

The legal basis for the processing of your personal data is provided by you, upon agreement to the conditions for access to Finoa via electronic media. The purpose of data processing is primarily based on the specific service. Further details on the use of data processing can be found in the respective sections of the contract documents.

b) Within the framework of the balancing of interests (Article 6 para. 1 f DSGVO)

As far as necessary, we process your data beyond the actual fulfillment of the contract to safeguard the legitimate interests of us or third parties:


  • Assertion of legal claims and defense in legal disputes
  • Ensuring the IT security and IT operation of Finoa GmbH
  • Prevention of criminal offenses
  • Risk management in the company

c) Based on your consent (Article 6 paragraph 1 a DSGVO)

As far as you use our service, you have given us your consent to the processing of your personal data for specific purposes. Regarding your rights in relation to a granted consent, please see chapter 3 of this privacy notice. You can obtain a status overview of the consent you have given us at any time upon request.

d) Due to legal requirements (Article 6 para. 1 c DSGVO) or in the public interest (Article 6 para. 1 e DSGVO)

Also, as a financial services provider, we are subject to various legal obligations and legal requirements (e.g., German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) as well as regulatory requirements (e.g., the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the Federal Financial Supervisory Authority).

3. Rights of users and data subjects

Concerning the data processing described in more detail below, the user has the right:

  • to request confirmation as to whether or not data concerning him/her is being processed, information on the processed data itself, further information on the data processed, and copies of the data (see also Art. 15 DSGVO),
  • to rectification or completion of incorrect or incomplete data (see also Art. 16 DSGVO),
  • to the immediate deletion of data concerning the user (see also Art. 17 DSGVO), or, insofar as further processing is necessary pursuant to Art. 17 para. 3 DSGVO, to restriction of processing per Art. 18 DSGVO,
  • to receive the data concerning him/her that he/she has provided, and to have these data transmitted to other providers/responsible parties (see also Art. 20 DSGVO),
  • to lodge a complaint with the supervisory authority if he/she considers that the data concerning him/her is being processed by the provider in violation of data protection provisions (see also Art. 77 DSGVO).

In addition, the provider is obliged to inform all recipients to whom data is transferred by the provider about any correction or deletion of data, or the restriction of processing, carried out based on Articles 16, 17 (1), 18 DSGVO. However, this obligation shall not apply where such notification is impossible or is associated with a disproportionate effort. Irrespective of this, the user has a right to information about these recipients.

Users and affected parties also have the right to object under Art. 21 DSGVO to the future processing of data relating to them, provided that the data are being processed per Article 6(1)(f) DSGVO. In particular, an objection to data processing for direct marketing is allowed.

4. What type of data is processed by the Finoa Application

The Finoa app is designed solely for the verification and authorization of transactions, as part of a multi-factor authorization, to increase the security of Finoa's customers. All transaction data sent to the App is encrypted. The keys generated by the App are stored exclusively in the device used, e.g. mobile phone, and are not passed on. The communication of the App to authorize a release is encrypted without exception.

4.1 The processing of the Finoa App in detail

4.1.1 What data is accessed by the Finoa App

The list of tasks that the user is allowed to edit/view.

The list of public blockchain addresses of the customer.

The "universally unique identifier" (hereinafter UUID), also called unique user ID, of the user.

4.1.2 What access rights does the app need

The App requires a one-time access right to the camera to scan the QR code of the activation letter in order to recognize the user. The App requires access rights to the Hardware Security Module (hereinafter HSM).

4.1.3 How does the Finoa app process data?

  • At the start, an individual key is generated in the HSM of the mobile phone. This key cannot be read by the App; it can only be used with a series of predefined algorithms (e.g., encrypting or decrypting with the key).
  • Fingerprint / FaceID Scan initiates the authorization. The biometric data are available on the App, but are automatically generated by the operating system of the mobile phone.
  • After the scan is complete, the App can use the individual key to decrypt data (all data received from the server) and to create signatures (if a task is confirmed or rejected).
  • The IP address of the mobile phone is also sent, but not processed by Finoa.

4.1.4 Deleting the collected data

If the App is uninstalled, the individual key is deleted by the operating system of the mobile phone. The recorded UUID of the user is also deleted. Otherwise, no further data is stored.

All communication between mobile phones and servers is always encrypted. An encrypted connection is first established via HTTPS. The actual data sent from the Finoa server to the mobile phone is additionally encrypted by means of individual keys. The encryption from the mobile phone to the Finoa server is done using TLS encryption.

4.1.5 Is the User behavior evaluated in the App?

The App does not evaluate user behavior.

5. Inquiry by e-mail, telephone or fax

If you contact us by e-mail, telephone, or fax, your request, including all resulting personal data (name, request), will be stored and processed by us for the purpose of handling your request. We do not pass this data on to other parties without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b DSGVO, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO), provided that such requests were.

The data you send us via contact requests will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for which the data is stored no longer applies (e.g. after completion of the processing of your request). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.

6. Data protection information in accordance with the basic EU data protection regulation

In addition to the application-specific data protection information, the data protection information according to the EU data protection basic regulation also applies. 

If you are not satisfied with the data protection measures described here or if you have any questions regarding the collection, processing and/or use of your personal data, please do not hesitate to contact us. We will answer your questions as soon as possible, and we will make sure to implement your suggestions. Please address your data protection issues and contact; for other requests, you can reach us via


Published by Finoa GmbH.
© Finoa GmbH, Potsdam.
All rights reserved.