Privacy Policy – FINCORY

Last updated: May 25, 2025

1. Purpose

This Privacy Policy is intended to inform:

  • Shopify Merchants using the FINCORY application;
  • as well as their end customers using the FINCORY extension.

(hereinafter referred to respectively as “Merchants” and “data subjects”),

of the conditions under which personal data is processed, in accordance with the General Data Protection Regulation (GDPR – EU 2016/679), the PSD2 directive, and Shopify’s customer data requirements.

FINCORY collects:

  • certain professional data from Merchants, strictly necessary for the business relationship, billing, or technical support;
  • pseudonymized data from end users, collected via the extension, and intended to enable Merchants to trigger targeted marketing actions based on actual purchasing behavior, in full compliance with the principles set out by the GDPR.

For more information on the terms of use of the application, please refer to our Terms of Use.



2. Data Controller

The processing of personal data is carried out by FINCORY, a simplified joint-stock company (SAS) with a share capital of €1,000, registered with the Paris Trade and Companies Register under number 987 625 522.

Registered office: 5 rue François Bonvin, 75015 Paris – France.

Email: contact@fincory.com

FINCORY acts as the data controller for the collection, segmentation, and management of pseudonymized banking data of end users, in compliance with the GDPR.

Merchants, for their part, remain solely responsible for any data processing they perform based on the segments received through the FINCORY application.

FINCORY does not process any Merchant data for targeting or profiling purposes. Only technical and contractual information necessary for the use of the Application (such as name, email, and store ID) is retained.



3. Data Collected from End Customers

3.1. Data concerned (end user)

FINCORY does not collect or store any directly identifying data such as the name, surname, or email address of the data subjects.

FINCORY exclusively processes the following pseudonymized banking data:

  • Transaction labels (e.g., type of purchase, merchant name);
  • Transaction amounts;
  • Transaction dates.

This data is provided exclusively by our partner Linxo Connect, a PSD2-licensed aggregator operating under the trade name of OXLIN, a payment institution authorized by the ACPR (Autorité de Contrôle Prudentiel et de Résolution) under registration number 17248, and a subsidiary of the Crédit Agricole Group. It is transmitted only after the data subject's explicit consent, in full compliance with regulatory requirements.

Linxo Connect ensures the secure hosting of this data but does not use it in any way: there is no resale, nor any commercial or advertising use.

This data is pseudonymized, does not allow direct identification, and is processed within a framework strictly defined by the GDPR.



3.2. Source of the Data

The data is obtained, with proper authorization, through secure Open Banking interfaces implemented by Linxo Connect, FINCORY’s technical provider and a PSD2-licensed service provider.

In addition, certain technical data from the Shopify API (e.g., internal customer ID, order ID) is stored to associate a behavioral segment with a customer profile, without any independent storage or reuse by FINCORY.



4. Purposes of Processing

Banking data is processed exclusively for the following purposes:

  • Building behavioral customer segments (e.g., regular buyers, inactive, premium);
  • Triggering personalized offers defined by the Merchant (e.g., discount, gift, exclusive access);
  • Aggregate behavioral analysis for retention, reactivation, and marketing optimization.

FINCORY never uses this data for purposes like scoring or third-party advertising. All marketing actions enabled by FINCORY are conducted solely by and for the Merchant, for their own customers.



5. Legal Basis

Processing is based on Article 6.1.a of the GDPR: explicit consent of the data subject, obtained via a PSD2-compliant partner interface.

No data is collected without the user’s informed and voluntary action.



6. Profiling and Data Subject Rights

FINCORY performs automated processing for the purpose of marketing segmentation using pseudonymized banking data.

While this processing does not produce legal effects, it may significantly impact the individual. Therefore, under Article 22(2)(c) of the GDPR, FINCORY collects explicit consent and provides users with the means to withdraw it at any time.

Segments are shared with the Merchant, who may use them to trigger personalized offers.

Under Article 13(2)(f) of the GDPR, data subjects have the right to:

  • Know the criteria and general logic behind their segment classification;
  • Understand the general segmentation logic (e.g., frequency, amount, purchase types);
  • Contest the use of such segmentation in automated decision-making contexts.

FINCORY enables the exercise of these rights as described in Section 10 of this Privacy Policy.



7. Data Retention

Banking data is retained for a maximum of 5 years from the date of collection.

After this period, it is irreversibly deleted or anonymized, unless a legal obligation dictates otherwise.

Merchant data is stored for the duration of their contractual relationship with FINCORY and may be archived beyond that period for legal (e.g., tax or accounting) compliance.



8. Data Recipients

Data may be transmitted to Shopify Merchants using FINCORY only as pseudonymized segments (e.g., loyal customer, premium, inactive), with no identifiable data such as email, IBAN, or name. These segments enable Merchants to target their own customers without access to raw banking data.

FINCORY does not sell, resell, or transfer data to unauthorized third parties.

No identifying data is ever shared between Merchants. However, a user who has given consent across multiple stores may be linked to different segments based on distinct behaviors. No Merchant receives access to the user’s full raw data or full history.



9. Security, Integrity and Data Hosting

Pursuant to Article 32 of the GDPR, FINCORY implements appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of personal data. These include:

  • Pseudonymization of data;
  • Encryption: all data is encrypted in transit; at rest, only specific items are encrypted (e.g., banking labels, professional emails, phone numbers);
  • Restricted access with strong authentication;
  • Comprehensive logging of all access to protected data;
  • Strict separation of environments (dev/test/production);
  • Auditable backups;
  • Documented incident response procedures.

FINCORY complies with Shopify’s security requirements for protected customer data levels 1 and 2, as outlined in the official Shopify API Access Scopes and App Store Requirements.

All data is hosted exclusively within the European Union:

  • Banking data is stored by Linxo Connect on secure servers located in the EU. Linxo Connect does not exploit the data it hosts.
  • FINCORY also stores banking data on Microsoft Azure (Germany data center).
  • Additional processing is carried out on Fly.io infrastructure (Paris - CDG data center).

No data transfers outside the EU occur, unless covered by appropriate safeguards such as Standard Contractual Clauses or a valid EU adequacy decision.



10. Data Subject Rights

Under Articles 15 to 22 of the GDPR, you have the right to:

  • Access: obtain a free copy of all data processed;
  • Rectification: correct inaccurate or incomplete data;
  • Erasure: request deletion of your data;
  • Objection: object to any processing, including profiling, without justification;
  • Portability: retrieve your data in a structured, readable format;
  • Restriction: temporarily suspend the use of your data;
  • Automated decision-making: be informed, contest decisions, request human intervention;
  • Lodge a complaint with the CNIL (www.cnil.fr) if you believe your rights are not respected.


11. Exercising Your Rights

To exercise any of the rights outlined in Section 10, data subjects may submit a request to the following address: contact@fincory.com

Requests must clearly specify the nature of the inquiry (e.g., access, erasure, objection, information about segment classification).

In accordance with the GDPR, you have the right to:

  • Access: Obtain a free copy of all personal data processed;
  • Rectification: Correct inaccurate or incomplete information;
  • Erasure: Request the deletion of your data. This can also be done directly via our public portal: https://www.fincory.com/consent
  • Objection: Refuse any data processing, including profiling;
  • Portability: Retrieve your data in a structured, commonly used, machine-readable format;
  • Restriction: Temporarily limit the processing of your data;
  • Information: Understand the criteria and general logic behind your segmentation;
  • Automated decision-making: Contest any automated decision, request an explanation, obtain human intervention, or refuse the application of a segment;
  • Complaint: File a complaint with the CNIL (www.cnil.fr) if you believe your rights are not being respected.

A copy of an identity document may be requested only when the nature of the request justifies it, particularly in the following cases:

  • Access: To obtain a free copy of all your personal data being processed;
  • Rectification: To correct inaccurate or incomplete data;
  • Objection: To object to a specific data processing activity or to an automated decision;
  • Request for explanation: To understand the logic behind the applied segmentation;
  • Portability: To retrieve your data in a structured, machine-readable format;
  • Restriction: To temporarily suspend the processing of your data;
  • Information: To know the criteria and general logic behind your segment classification;
  • Automated decision: To contest an automated decision, request an explanation or human intervention, or refuse the application of the segment;
  • Access to assigned segment: To request access to the segment you have been assigned to.

FINCORY is committed to responding within a maximum of 30 days, in accordance with Article 12 of the GDPR.



12. Changes to This Policy

This policy may evolve based on regulatory or technical changes.

In the event of a substantial update, FINCORY will inform users:

  • via its website,
  • and, where applicable, by email for Merchants with whom a direct contractual relationship exists.