Logo

Privacy Policy – FINCORY

Last updated: July 3, 2025
1. Definitions

For the purposes of this Privacy Policy, the following terms are defined as follows:

FINCORY Application: refers to the application installed by merchants on their Shopify store, enabling them to create retargeting campaigns based on their customers’ financial data (income, spending, loyalty) obtained via open banking.

Extension: refers to the banner displayed on the merchant’s website, visible to end users, through which they can give consent to the processing of their banking data by connecting their bank account (open banking). This extension is an integral part of the application’s overall functionality.

Merchant: refers to the professional client who has installed the FINCORY Application on their Shopify store.

End User: refers to any natural person (a customer of the merchant) whose banking data may be used (with their explicit consent) for marketing targeting purposes via the FINCORY Application.



2. Purpose

This Privacy Policy aims to inform:

  • Shopify merchants using the FINCORY application, hereinafter referred to as "Merchants";
  • as well as their end customers using the FINCORY extension, hereinafter referred to as "End Users" or "Data Subjects";

about the conditions under which personal data is processed, in accordance with Regulation (EU) 2016/679 on the protection of personal data and the free movement of such data (hereinafter “GDPR”), Directive (EU) 2015/2366 (hereinafter “PSD2”), and Shopify’s customer data requirements.

FINCORY collects:

  • certain professional data from Merchants, strictly necessary for business relations, billing, or technical support ;
  • pseudonymized data from End Users, collected via the extension and used to enable Merchants to trigger targeted marketing actions based on actual purchasing behavior, in full compliance with the principles set out by the GDPR.

For more information on the terms of use of the Application, please refer to our Terms of Use.



3. Data Controller


The processing of personal data is carried out by FINCORY.

Simplified joint-stock company (SAS) with a share capital of €1,000, registered with the Paris Trade and Companies Register under number 987 625 522.

Head office: 5 rue François Bonvin, 75015 Paris – France.

Email : contact@fincory.com

FINCORY acts as the data controller for the collection, segmentation, and management of pseudonymized banking data of End Users, in compliance with the GDPR.

Merchants, for their part, remain responsible for any processing they initiate based on the segments provided via the FINCORY Application.

FINCORY does not process any Merchant data for targeting or profiling purposes. Only technical and contractual information necessary for the use of the Application (such as name, email, and store ID) is retained.






4. Data Collected from End Users

4.1. Data Collected

FINCORY does not collect or store directly identifiable information such as the name, surname, or email address of data subjects.

FINCORY exclusively processes the following pseudonymized banking data :

  • Transaction labels (e.g., type of purchase, merchant name) ;
  • Transaction amounts ;
  • Transaction dates.

This data is provided exclusively by Linxo Connect, a PSD2-licensed aggregator. Linxo Connect is the trade name of OXLIN, a payment institution authorized by the French Prudential Supervision and Resolution Authority (ACPR) under registration number 17248, and a subsidiary of the Crédit Agricole Group.

Linxo Connect ensures secure data hosting but does not in any way use or exploit the data: there is no resale, commercial use, or advertising usage of any kind.

These pseudonymized data do not allow direct identification and are processed strictly in accordance with the GDPR framework.

4.2. Data Origin

The data is obtained, with user consent, via secure open banking interfaces operated by Linxo Connect, FINCORY’s PSD2-licensed technical provider.

Additionally, certain technical data from the Shopify API (e.g., internal customer ID, order ID) may be stored in order to associate a behavioral segment with a customer profile. However, FINCORY does not store or reuse this data independently.



5. Purpose of Data Processing

Banking data is processed solely for the following purposes.

  • Building behavioral customer segments (e.g., frequent buyers, inactive customers, premium clients);
  • Triggering personalized offers defined by the Merchant (e.g., discount, gift, exclusive access);
  • Performing aggregated analyses of customer behavior for loyalty, reactivation, or marketing optimization purposes.

FINCORY never uses the data for any other purposes, such as credit scoring or advertising on behalf of third parties. All marketing actions enabled by FINCORY are carried out exclusively for the benefit of the Merchant and directed toward their own customers.



6. Legal Basis

The processing is based on Article 6.1.a of the GDPR: the explicit consent of the data subject, obtained through the partner interface in compliance with the requirements of the PSD2 directive.

No data is collected without the user’s voluntary and informed action.



7. Profiling of Data Subjects and Associated Rights

FINCORY carries out automated processing for marketing segmentation purposes, based on pseudonymized banking data.

As this processing may have a significant impact on data subjects, FINCORY requests their explicit consent in accordance with Article 22(2)(c) of the GDPR before carrying out any profiling, and provides appropriate mechanisms for withdrawing such consent.

The resulting segments are shared with the Merchant, who may then choose to trigger personalized offers at their discretion.

In accordance with Article 13(2)(f) of the GDPR, every data subject has the right to :

  • know the criteria and general logic that led to their inclusion in a specific segment;
  • understand the general segmentation logic applied (e.g., frequency, amount, type of spending);
  • and contest the use of such segmentation in the context of an automated decision.

FINCORY enables data subjects to exercise their rights as described in Article 10 of this Privacy Policy.



8. Data Retention Period

Banking data collected is retained for a maximum period of 5 years from the date of collection.

After this period, the data is either permanently deleted or irreversibly anonymized, unless a legal obligation requires otherwise.

Professional data relating to Merchants is retained for the entire duration of the contract between the Merchant and FINCORY and may be archived beyond that period in the event of a legal obligation (e.g., accounting or tax purposes).



9. Data Recipients

Data may be shared with Shopify merchants using FINCORY, but only in the form of pseudonymized segments, i.e., behavioral categories (e.g., loyal customer, premium, inactive) without any identifying information (e.g., email, IBAN, name). These segments allow the Merchant to activate targeted marketing actions toward their own customers, without ever accessing raw banking data.

FINCORY does not sell, resell, or transfer data to unauthorized third parties.

FINCORY never shares identifying data between Merchants.

When the same user has consented to data sharing across multiple stores, they may be associated with different segments reflecting their individual purchasing behavior on each store. No direct access to raw data or a complete transaction history is ever provided to the Merchants.



10. Data Security, Integrity and Hosting

In accordance with Article 32 of the GDPR, FINCORY implements appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of the personal data it processes. The following security measures are applied by FINCORY:

  • Pseudonymization of data;
  • Encryption: all data is systematically encrypted in transit. At rest, only specific types of data are encrypted, including banking transaction labels, merchants' professional email addresses, and phone numbers;
  • Restricted access to data via strong authentication;
  • Full logging of access to protected data;
  • Strict separation of environments (development / testing / production);
  • Secure and auditable backups;
  • Documented incident response procedures.

FINCORY complies with the security requirements imposed by Shopify for Level 1 and Level 2 protected customer data, as described in Shopify’s official API Access Scopes and App Store Requirements documentation.

Data is hosted exclusively within the European Union.

  • Banking data is stored by our partner Linxo Connect on secure servers located within the EU. Linxo Connect does not exploit the hosted data in any way (no resale, no commercial use).
  • Banking data is also stored by FINCORY on Microsoft Azure (data center located in Germany).
  • Additional processing is performed on Fly.io infrastructure (data center located in Paris - CDG).

No data is transferred outside the European Union.



11. Rights of Data Subjects

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Access: Obtain a free copy of all personal data processed;
  • Rectification: Correct inaccurate or incomplete information;
  • Erasure: Request the deletion of your data. This can also be done directly via our public portal: https://www.fincory.com/consent
  • Objection: Refuse any processing, including profiling, without needing to justify your request;
  • Portability: Retrieve your data in a structured and readable format;
  • Restriction: Temporarily limit the processing of your data;
  • Information: Understand the criteria and general logic that led to your inclusion in a segment;
  • Automated decision-making: Be informed, contest a decision, and request human intervention;
  • Complaint: File a complaint with the CNIL (www.cnil.fr) if you believe your rights are not being respected.

To exercise these rights, data subjects may send their request to: contact@fincory.com.

The request must clearly specify the nature of the right being exercised (e.g., access, objection, erasure, information on segmentation, etc.).

A copy of a valid ID may be requested only when the nature of the request justifies it, particularly in the following cases:

  • Access: To obtain a free copy of all your personal data being processed;
  • Rectification: To correct inaccurate or incomplete data;
  • Objection: To object to a specific data processing activity or to an automated decision;
  • Request for explanation: To understand the logic behind the applied segmentation;
  • Portability: To retrieve your data in a structured, machine-readable format;
  • Restriction: To temporarily suspend the processing of your data;
  • Information: To know the criteria and general logic behind your segment classification;
  • Automated decision: To contest an automated decision, request an explanation or human intervention, or refuse the application of the segment;
  • Access to assigned segment: To request access to the segment you have been assigned to.

FINCORY is committed to responding within a maximum of 30 days, in accordance with Article 12 of the GDPR.



12. Changes to This Policy

This policy may evolve based on regulatory or technical changes.

In the event of a substantial update, FINCORY will inform users:

  • via its website,
  • and, where applicable, by email for Merchants with whom a direct contractual relationship exists.