PRIVACY POLICY

Nova Capital S.r.l. — S.B., a limited liability company/benefit corporation established under Italian law, with registered office in Via Albarina, 11B, 20020, Vanzaghello (MI), Tax Code and VAT number 12358930969 (hereinafter, “Finanz”), as data controller, respects your privacy and is committed to protecting your personal data. This privacy policy (hereinafter, the “informative”) explains the reasons, methods for collecting, managing and protecting personal data in relation to customers of Finance services. Finanz undertakes to process your data in accordance with the General Regulation on the Protection of Personal Data (Reg. EU 2016/679), better known as “GDPR”, and to any other applicable privacy law. In particular, the processing of personal data carried out by Finanz will be based on compliance with the principles of lawfulness, correctness, transparency, purpose limitation and conservation, data minimization, accuracy, integrity and confidentiality.

1. Purpose of this privacy policy

This Policy is drafted in accordance with articles 13 and 14 of the GDPR and is intended to provide you with information on the way in which Finanz processes your personal data. Your personal data was collected through your use of the https://finanapp.io/ website and/or the Finanz app (hereinafter, the “Finance Platform” or even simply the “Platform”) when you decide to use one of the services offered by Finanz.
It is important that you read this Policy, together with any other documentation that we may provide to supplement, update or deepen the information regarding the collection and processing of your personal data. We will try to coordinate these policies so as to represent at all times the conditions applied to the processing of your personal data in the most transparent, complete and easily accessible way.

2. Data controller

Finanz acts as data controller and is responsible for your personal data. In accordance with the Regulations, your Personal Data will be processed by Finanz, accessible at the e-mail address info@finanzapp.io (hereinafter the “Data Controller”).

3. What personal data do we collect?

This paragraph describes the categories of personal data that we process. In paragraph 4, we will explain the purposes for which we process these categories of personal data. The personal data we collect is subject to the use of the website https://finanzapp.io/ or the Finanz platform if you use our services.
If you visit the finanzapp.io website or download our app, your browser automatically transmits some data, such as the date and time you visited the web pages, the type and settings of your browser, your operating system, your IP address. Using our services, we may process the following personal data relating to the following categories of interested parties.

Data of the interested parties
- Contact and identification data — First name, last name, date of birth, age, e-mail.
- Information on the history of user behavior with Finanz — level of financial education, objective, number of total lessons completed, number of courses started, number of levels and chapters completed, percentage of correct answers, number of times the Finanz app was opened, number of “kiwis” earned in total, number of “kiwis” available, consent or not to share data with third party partners, response to the survey “how did you know us”, time viewed video courses, friends invited, “kiwi” parties held, number of stories viewed, number of accesses, badges obtained, lives lost, links clicked by third-party partners or to buy the premium version or to try to skip a video, purchases made, activation or not of notifications.
- Payment Information - Credit or debit card details (last four digits of the card, expiration date and place of issue, transaction history).
- Information about your contacts with Finanz customer service - correspondence by e-mail.
- Device information - device ID, IP address, browser settings, operating system.

Finanz uses automated analysis systems and recommendation algorithms aimed exclusively at improving the user's educational experience and offering personalized content based on the level of learning and the degree of interaction with the platform.
These treatments are based solely on: (i) progress in training courses, (ii) activities carried out in the application (for example completed quizzes, badges obtained, “Kiwi” scores), and (iii) preferences expressed by the user.
Under no circumstances does the profiling adopted by Finanz involve automated decisions with legal or similarly significant effects pursuant to art. 22 GDPR. The purpose is exclusively to optimize training content, increase engagement and provide more relevant educational paths for the user.

4. For what purposes do we process your personal data?

We limit the amount and quality of personal data collected only to what is necessary for the purpose for which it is collected, as described in the table below. We limit, protect and control all of our computer resources against unauthorized access, damage, loss or destruction, both physical and electronic. We keep personal data only for the time described below, to respond to requests from interested parties, or longer if required by law. If we keep your personal data for historical or statistical purposes, we make sure that it cannot be used for other purposes. As long as they are in our possession, with your help, we try to maintain the accuracy of your personal data.
To facilitate the understanding of the purposes, legal bases and conditions under which we process data, we report below the categories of personal data processed, the purposes of the processing, the “legal basis” that authorizes each processing and confers lawfulness on it, as well as the period of time for which Finanz will keep your personal data:

Data category: Contact and identification data
Purposes: Execution of the contract (provision of the service)
Legal basis: Contract
Storage period: Account Cancellation

Data category: Information on the history of consumer behavior with Finanz
Purposes: Service improvement, aggregated statistics
Legal basis: Legitimate interest (art. 6.1.f GDPR)
Storage period: 1 year after the termination of service

Data category: Information about your contacts with Finanz customer service
Purposes: Managing service requests
Legal basis: Contract
Storage period: 5 years

Data category: Information about the device
Purposes: Service improvement, anti-fraud
Legal basis: Legitimate interest (art. 6.1.f GDPR)
Storage period: 1 year after the termination of service

Data category: Payment Information
Purposes: Execution of the contract (provision of the service)
Legal basis: Contract
Storage period: 10 years (tax obligations)

Data category: Email
Purposes: Sending marketing communications, push notifications, optional surveys
Legal basis: Explicit consent (art. 6.1.a GDPR)
Storage period: 2 years from consent, unless revoked

Finanz informs that, for the purposes indicated in this information, personal data will be processed with IT, telematic and manual tools, in compliance with the principles of lawfulness, fairness and transparency and the rules of confidentiality and security established by current legislation.
In relation to these purposes, the data will be processed both by electronic tools and by paper media. The data may be entered in the writings and records required by law and may be transmitted, if necessary, to the operating offices of the Data Controller or to other authorized subjects, in compliance with regulatory obligations. All processing operations are carried out in such a way as to guarantee the integrity, confidentiality and availability of personal data.

Storage of technical logs and connection data
The computer systems and software procedures used to operate the services acquire, during their ordinary operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information includes, by way of example, IP addresses, unique identifiers of the devices used and logs relating to access and use of the platform.
The processing of such data takes place for purposes related to system security, the prevention of unauthorized access and abusive activities, as well as the assessment of responsibility in the event of computer crimes or at the request of the competent authorities.
Technical logs are kept for a period not exceeding six months, except for any need for further storage for the fulfillment of legal obligations, at the request of the competent authorities or for the assessment, exercise or defense of a right in court.

Recipients and external data processors
Pursuant to art. 28 GDPR, the Data Controller may appoint external data processors who provide services functional to the pursuit of the purposes indicated above. These subjects belong, by way of example, to the following categories:
- cloud and infrastructure service providers (including Amazon Web Services - AWS);
- providers of analysis and monitoring services of interactions with the application;
- providers of marketing campaign attribution and measurement services;
- providers of customer relationship management (CRM) and customer support services;
- payment service providers and financial institutions.

The data may be stored on servers located in countries belonging to the European Economic Area. In any case, the Data Controller guarantees that the processing takes place exclusively with subjects that provide adequate guarantees in accordance with the provisions of articles 28 and 46 of the GDPR.
The updated list of external managers is available at the request of the interested party, by contacting the Data Controller in the manner indicated in this information.

5. Third-party links and accesses

The Finanz App may include links to third-party websites (for example, the websites of the stores where you buy the products or services). By clicking on these links or enabling them, it is possible that third parties process your personal data. To obtain detailed information on the purposes of the processing and on the Personal Data processed for each purpose, the User can refer to the “Details on the processing of Personal Data” section, referring to the privacy policy of these sites, as well as to the privacy policy of the Finanz App.
The Finanz App may include links to third-party websites or platforms (for example the websites of online stores or social profiles). By clicking on these links or enabling the integration, it is possible for third parties to process the User's personal data. For detailed information on the purposes of the processing and on the personal data collected, the User may refer to the “Details on the processing of Personal Data” section of this policy and to the privacy policies of third-party sites or platforms.

Access to the Google account (Google LLC)
This service allows the user to use their Google account, provided by Google LLC, to connect to Finance services.
Personal Data processed: Usage Data; Tracking Tools. Place of processing: United States — Privacy Policy

6. Protection of minors

Access and use of the Platform are allowed only to users who are 14 (fourteen) years of age or older. Any registration made by underage individuals is to be considered void and involves the immediate cancellation of the related personal data, without prejudice to any legal obligations.
For users between 14 (fourteen) and 16 (sixteen) years old, the use of the Platform is subject to the acquisition of explicit and verifiable consent from those exercising parental responsibility or legal protection. For this purpose, the Data Controller reserves the right to adopt appropriate verification procedures, including, but not limited to, sending confirmation emails to parents/guardians, requesting signed statements or using electronic identification systems.
In the event of false or incomplete statements provided by the user regarding their age, the Data Controller will immediately suspend or cancel the account, as well as delete the data processed, reserving all legal action to protect their rights.
It is understood that the responsibility for the veracity of the information provided during registration lies solely with the user and, where applicable, on the parent or legal guardian. The Data Controller declines any responsibility deriving from false statements or uses that do not comply with these conditions.

7. If you don't provide your personal data

In some cases, we need to collect your personal data by law or under the terms of a contract that we have with you or that we are trying to enter into with you. In these cases, failure to provide personal data will prevent Finanz from entering into a contract with you.

8. International transfers

Some of the external third parties we rely on are based outside the European Economic Area (“EEA”), so the processing of your personal data may involve a transfer of data outside the EEA. Every time we transfer your personal data outside the EEA, we guarantee a level of protection appropriate to that present within the European Union, ensuring that at least one of the following guarantees is implemented:
- Adequacy measures: when the transfer of personal data takes place to countries that have been deemed able to provide an adequate level of personal data protection by the European Commission;
- Standard contractual clauses: in the absence of adequate measures, we will use specific contracts approved by the European Commission, aimed at ensuring the same protection of personal data as provided within the European territory.

9. Who can we communicate your personal data to?

Within the framework of the Finanz organization, personal data may be processed by those in charge of the internal offices responsible for carrying out individual processing activities. In order to provide the services, the data may be communicated to external parties, within the limits of the purposes for which they were collected and in compliance with the principles of minimization and proportionality. The data will be processed exclusively by the indicated subjects for specific purposes and in accordance with applicable legislation.

Data processors (art. 28 GDPR)
These subjects process the data on behalf of Finanz and according to the instructions provided by us, and they cannot use it for their own purposes.
These include, for example:
- Suppliers and subcontractors: software, data storage, payment processing, business consultants.
- Payment service providers (“PSP”), only for the execution of payment transactions requested by the user.
With these entities, Finanz concludes specific contractual agreements for the appointment of Data Processor, in which appropriate technical and organizational measures are envisaged to ensure data security.

Joint controllers (art. 26 GDPR)
If some partners use the data for their own purposes, such as marketing or profiling (other than those necessary for the provision of services), Finanz and these subjects act as joint controllers. In such cases, a joint ownership agreement is defined, which specifies: common purposes, responsibility of each joint owner, methods of exercising the rights of the interested parties.

Authorities and third parties for legal obligations
The data may be communicated to police, tax, financial or judicial authorities when required by law, at the request of the user or for purposes related to tax deductions or the fight against crime.
In any case, Finanz adopts all the contractual, legal, technical and organizational measures necessary to ensure that personal data is treated with an adequate level of security and in compliance with the principles of personal data protection.

10. How long will we use your data

We will only keep your personal data for as long as necessary to fulfill the purposes for which we collected it, including the purpose of complying with any legal, accounting or reporting requirements or obligations. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of personal data, the potential risk of harm resulting from unauthorized use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes by other means, and the applicable legal requirements. You can find more information about the retention period in the table in paragraph 4.

11. How do we protect your personal data?

We limit the amount of data, collecting only those necessary for the purposes described in paragraph 4 and for the time necessary to achieve it. We limit, protect and control all of our resources where data is stored to avoid access, damage, loss or destruction, both physical and electronic, or unauthorized access, both physical and electronic.

12. Your rights

We inform you that as an interested party, in addition to the right to lodge a complaint with a supervisory authority, you also have the rights listed below, in accordance with the provisions of the General Data Protection Regulation n. 679/2016.

Right of access
The interested party has the right to obtain confirmation from the Data Controller as to whether or not Personal Data concerning him is being processed and, in this case, to obtain access to Personal Data and information regarding the processing.

Right to rectification
The interested party has the right to obtain from the Data Controller the correction of inaccurate Personal Data concerning him without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete Personal Data, even by providing a supplementary statement.

Right to cancellation (right to be forgotten)
The interested party has the right to obtain from the Data Controller the cancellation of Personal Data concerning him without undue delay and the Data Controller has the obligation to delete the Personal Data without undue delay.

Right to restrict processing
The interested party has the right to obtain from the Data Controller the limitation of processing when one of the following hypotheses occurs:
a) the interested party disputes the accuracy of the Personal Data, for the period necessary for the data controller to verify the accuracy of such Personal Data;
b) the processing is illegal and the interested party opposes the cancellation of Personal Data and asks instead that its use be limited;
c) although the Data Controller no longer needs it for the purposes of processing, Personal Data are necessary for the interested party to ascertain, exercise or defend a right in court;
d) the interested party has opposed the processing pursuant to article 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the interested party.

Right to data portability
The interested party has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning him provided to a Data Controller and has the right to transmit such data to another data controller without hindrance from the Data Controller to whom he provided them.
In exercising their rights regarding data portability in accordance with paragraph 1, the interested party has the right to obtain the direct transmission of Personal Data from one data controller to another, if technically feasible.

Right to object
The interested party has the right to object at any time, for reasons related to his particular situation, to the processing of Personal Data concerning him pursuant to article 6, paragraph 1, letters e) or f), including profiling based on these provisions.

Right not to be subject to automated decision-making, including profiling
The interested party has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects that concern him or that similarly significantly affects his person.
The rights referred to in the previous paragraph can be asserted by means of a written request sent by the interested party to the email address info@finanzapp.io. The Data Controller will provide a response within 30 days of receiving the request, extendable up to 90 days in complex cases, informing the interested party of the reasons for the delay.
To protect the interested party, an identity verification may be necessary before proceeding with the execution of the request.

13. Information on cookies

In order to improve the performance of the site and to enable certain functions, the Finanz website, www.finanzapp.io, in its entirety makes use of cookies. When you visit the site, a minimum amount of information is inserted into the user's device, small text files called “cookies”, which are saved in the user's web browser directory.
When the site is opened, a banner is displayed that allows you to express your consent in a clear and granular way. The user can accept, reject or select the categories of cookies that he intends to authorize. No profiling or third-party cookies will be installed before explicit consent is given.
For more information on how to manage or disable cookies, consult the browser settings or the privacy policies of the third parties indicated on the site. There are various types of cookies. Below are the types of cookies that can be used on the site with a description of the purpose related to the use.
The site directly installs only technical and analytical cookies aimed at optimizing the operation of the site.

Profiling cookies
Google may install profiling cookies when the site uses its services, in particular those related to advertising (e.g. Google Ads/AdSense/DoubleClick) or other tools that allow Google to collect browsing data (e.g. Google Analytics, YouTube or embedded Maps). In these areas, Google uses cookies to track user preferences and then show personalized advertisements.

Technical cookies
Cookies of this type are necessary for the proper functioning of some areas of the site. Cookies in this category include both persistent cookies and session cookies. Without these cookies, the site or some portions of it may not work properly. Therefore, they are always used, regardless of the user's preferences. Cookies in this category are always sent from the owner's domain.

Analytical cookies
Cookies of this type are used to collect information on the use of the site. The Data Controller uses this information for statistical analysis, to improve the site and simplify its use, as well as to monitor its proper functioning. This type of cookie collects anonymous information on the activity of users on the site and on the way in which they arrived at the Site and the pages visited. Cookies in this category are sent from the site itself or from the domains of the following third parties.

Third-party cookies
Through the site, parties other than the Data Controller and completely autonomous from it (“Third Parties”) can install cookies. Third Party cookies are installed directly by Third Parties; they are not read by the Data Controller, who therefore has limited knowledge and control over these cookies, the data processed and the methods of processing by the Third Parties. These cookies may include profiling cookies, which are defined as cookies “aimed at creating user profiles that are used to send advertising messages in line with the preferences expressed by the user when browsing the net”. Below are the third parties that can install cookies through the site, specifying the links of each Third Party to the pages containing their respective rules for the protection of privacy. All users are invited to connect to third-party sites to view them, with the express warning that if the user does not proceed and continue browsing the site, unless he has disabled cookies according to the instructions below, the third parties will automatically install the respective cookies.

14. Definitions

Account
An account is defined as a digital profile consisting of two elements: a User Name (Username) and a Password (keyword) to which the information and Personal Data provided are associated. In addition, an account can be assigned functionality, permissions, tools and other content.

Personal Data (or Data)
Personal data is any information that, directly or indirectly, even in connection with any other information, including a personal identification number, makes a natural person identified or identifiable.

Usage Data
This is the information collected automatically through the Platform, including: the IP addresses or domain names of the computers used by the User who connects with the Platform, the addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method used to forward the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), the country of origin, the characteristics of the browser and the operating system used by the visitor, the various temporal connotations of the visit (for example the time spent on each page) and the details relating to the itinerary followed within the Application, with particular reference to the sequence of pages consulted, to the parameters relating to the operating system and the User's computer environment.

User
The individual who uses the Platform who, unless otherwise specified, coincides with the interested party.

Interested
The natural person to whom the Personal Data refers.

Data Processor (or Manager)
The natural person, legal entity and/or any other entity that processes personal data on behalf of the Data Controller, as set out in this privacy policy.

Data Controller (or Data Controller)
The natural or legal person, public authority, service or other body that, individually or together with others, determines the purposes and means of the processing of personal data and the tools adopted, including security measures related to the operation and use of the Platform. The Data Controller, unless otherwise specified, is the owner of the Platform.

Finance platform
The hardware or software tool through which Users' Personal Data is collected and processed, both accessible from the web and from the App.

Service
The Service provided by the Web Platform or App, as defined in the relevant terms (if any) on this site/application.

European Union (or EU)
Unless otherwise specified, any reference to the European Union contained in this document is intended to be extended to all current member states of the European Union and the European Economic Area.

15. Revisions

We reserve the right to review and amend these privacy guidelines relating to the processing of personal data. If there are significant changes, we will contact you by email or through a visible notification on our website.

This privacy statement was last updated on March 15, 2026.