Privacy Policy
Last updated: January 26, 2026
1. Data Controller
The data controller responsible for your personal data is:
ITWILLROCK Sp. z o.o.
Poland
Email: corefinos@itwillrock.com
COREFINÓS is operated by ITWILLROCK Sp. z o.o. and provides Account Information Services (AIS) under the Payment Services Directive 2 (PSD2) framework.
2. Information We Collect
We collect the following categories of personal data:
Account Information
- Email address
- Name
- Password (stored only as a hash, see Section 8; never in plaintext)
- Country of residence
Banking Data (with your explicit consent)
- Bank account identifiers (IBAN)
- Account balances
- Transaction history (up to 90 days)
- Merchant names and transaction descriptions
- Transaction amounts and currencies
Technical Data
- IP address
- Browser type and version
- Device information
- Usage data and analytics
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent (Article 6(1)(a) GDPR): For accessing your bank account data through Open Banking APIs. You provide explicit consent when connecting your bank accounts.
- Contract Performance (Article 6(1)(b) GDPR): To provide our account aggregation and analytics services as described in our Terms of Service.
- Legal Obligations (Article 6(1)(c) GDPR): To comply with applicable laws, including PSD2 requirements for Account Information Service Providers (AISPs).
- Legitimate Interests (Article 6(1)(f) GDPR): For service improvement, security, and fraud prevention.
4. How We Use Your Data
We use your personal data to:
- Aggregate your bank accounts in a single dashboard
- Display your account balances and transaction history
- Categorize transactions and provide spending analytics
- Generate financial insights and trends
- Authenticate you and secure your account
- Communicate important service updates
- Improve our services based on usage patterns
We do NOT sell, rent, or share your personal data with third parties for marketing purposes.
5. Data Sharing
We share your data only with the following parties:
- Enable Banking: Our licensed Open Banking provider that facilitates secure connections to your bank accounts under PSD2 regulations.
- Cloud Infrastructure Providers: For secure data storage (Vercel, Neon Database) within the European Union.
- Legal Authorities: When required by law or to protect our legal rights.
6. Data Retention
We retain your data as follows:
- Account Data: Retained as long as your account is active. Deleted within 30 days of account deletion request.
- Transaction Data: Up to 90 days of transaction history is stored. Older transactions are automatically deleted.
- Bank Connections: Connection tokens expire after 90 days as per PSD2 requirements. You must re-authorize access periodically.
7. Your Rights Under GDPR
As an EU resident, you have the following rights:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: Receive your data in a machine-readable format.
- Right to Withdraw Consent: Withdraw consent for bank account access at any time by disconnecting your accounts.
- Right to Object: Object to processing based on legitimate interests.
- Right to Lodge a Complaint: File a complaint with your national data protection authority.
To exercise these rights, contact us at corefinos@itwillrock.com.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data is encrypted in transit (TLS 1.3) and at rest
- Passwords are hashed using industry-standard algorithms (Argon2)
- Bank connections use secure OAuth 2.0 flows via licensed providers
- We never store your bank login credentials
- Regular security assessments and updates
- Access controls and audit logging
9. Cookies
We use the following cookies:
- Essential Cookies: Required for authentication and security. These cannot be disabled.
- Preference Cookies: Remember your settings and preferences.
We do not use third-party advertising or tracking cookies.
10. International Transfers
Your data is processed and stored within the European Union. We do not transfer personal data outside the EU/EEA unless required by law or with appropriate safeguards in place (e.g., Standard Contractual Clauses).
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the application. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
COREFINÓS (ITWILLROCK Sp. z o.o.)
Email: corefinos@itwillrock.com
General inquiries: contact@itwillrock.com