Privacy notice
Last Updated: April 23rd, 2025
At FLIQA d.o.o. (“FLIQA”, “we”, “us”, or “our”), we are committed to protecting your personal data and ensuring compliance with the General Data Protection Regulation (GDPR), the EU Payment Services Directive 2 (PSD2), and Slovenian data protection laws, including the Personal Data Protection Act (ZVOP-2). This Privacy Notice explains how we collect, use, store, and protect your personal data when you use our Account Information Services (AIS) and Payment Initiation Services (PIS), including our “Pay by Bank” feature.
Who We Are
FLIQA d.o.o. is a company registered in Slovenia, with its registered office at Miklošičeva cesta 26, 1000 Ljubljana, SI-Slovenia, providing innovative financial services in collaboration with a licensed Third-Party Provider (TPP) under PSD2 and complying with all applicable EU and Slovenian regulations.
We offer:
- Payment Initiation Services (PIS): Enabling you to pay online merchants directly from your bank account via the “Pay by Bank” feature.
- Account Information Services (AIS): Allowing you to share specific bank account information (e.g., account holder name, account balance, and transaction details) with online merchants, with your explicit consent.
What Personal Data We Collect
When you use our services, we collect and process the following personal data, only with your explicit consent and as necessary to provide the requested service:
- For Payment Initiation Services (PIS):
  - Identity Data: Name, surname, or other identifiers provided by your bank during the payment process.
  - Payment Data: Bank account details (e.g., IBAN), payment amount, date, merchant details, and transaction reference.
  - Authentication Data: Information required to authenticate your identity through your bank’s interface (e.g., login credentials or multi-factor authentication data), which we process only to initiate the payment and do not store.
- For Account Information Services (AIS):
  - Account Information: Account holder name and surname, IBAN, account balance, transaction details (e.g., value, date, payer, and payee).
  - Consent Data: Records of your consent to access and share your account information with online merchants.
- Technical Data: IP address, device information, browser type, and other technical details collected during your interaction with our website or services to ensure security and functionality.
- Contact Data: If you contact us (e.g., via email or customer support), we may collect your name, email address, phone number, and any other information you provide.
We do not process special categories of personal data (e.g., health or biometric data) unless explicitly required and consented to for specific purposes.
How We Use Your Personal Data
We process your personal data only for the purposes explicitly requested by you and in compliance with GDPR and PSD2. The legal bases for processing are:
- Performance of a Contract (Art. 6(1)(b) GDPR):
  - To provide PIS, we process your payment data to initiate and complete transactions with online merchants via your bank account.
  - To provide AIS, we access and share your account information (e.g., balance, transaction history) with merchants, as authorized by you.
- Explicit Consent (Art. 6(1)(a) GDPR and Art. 94(2) PSD2):
  - We process your personal data for AIS and PIS only with your explicit consent, which you provide when selecting the “Pay by Bank” option or authorizing us to access your account information.
  - You may withdraw your consent at any time, after which we will cease processing your data for these purposes.
- Legal Obligation (Art. 6(1)(c) GDPR):
  - To comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, we may process certain data as required by Slovenian or EU law.
- Legitimate Interests (Art. 6(1)(f) GDPR):
  - To ensure the security of our services, prevent fraud, and improve our website functionality, we process technical data as necessary.
We do not use your data for purposes other than those for which it was collected, except where permitted by law (e.g., for compatible further processing under Art. 6(4) GDPR).
How We Share Your Personal Data
We share your personal data only as necessary to provide our services and with your explicit consent:
- Online Merchants: For PIS, we share payment confirmation details with the merchant to complete the transaction. For AIS, we share your account information (e.g., balance, transaction history) with the merchant you authorize.
- Banks (Account-Servicing Payment Service Providers, ASPSPs): We interact with your bank via secure APIs to access payment account data or initiate payments, as permitted by PSD2.
- Regulatory Authorities: We may share data with the Bank of Slovenia, the Slovenian Information Commissioner, or other authorities to comply with legal obligations (e.g., AML/CTF requirements).
- Service Providers: We may engage trusted third-party processors (e.g., IT or hosting providers) who act under our instructions and comply with GDPR and PSD2.
We do not share your data with parties outside the scope of the requested service or without your consent, except where required by law.
International Data Transfers
We do not transfer your data outside the EU/EEA. If your personal data were to be transferred outside the EU/EEA (e.g., to process payments with a non-EU merchant), we ensure compliance with GDPR Chapter V by using appropriate safeguards, such as Standard Contractual Clauses (SCCs) or ensuring the recipient is in a country with an adequacy decision from the European Commission.
Data Security
We implement technical and organizational measures to protect your personal data, in line with PSD2 and GDPR requirements, including:
- Encryption of data in transit and at rest.
- Secure APIs for communication with banks and merchants.
- Regular security audits and compliance with Regulatory Technical Standards (RTS) on strong customer authentication (SCA).
- Strict access controls to ensure only authorized personnel can access your data.
Your Data Protection Rights
Under GDPR and Slovenian law (ZVOP-2), you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data, subject to legal retention obligations.
- Right to Restrict Processing: Limit how we process your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw your consent for AIS or PIS at any time, without affecting the lawfulness of prior processing.
To exercise these rights, contact us at privacy@fliqa.io or FLIQA d.o.o., Miklošičeva cesta 26, 1000 Ljubljana, SI-Slovenia. We will respond within one month, as required by GDPR. If you are dissatisfied with our response, you may lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec).
Data Retention
We retain your personal data only for as long as necessary to fulfill the purpose for which it was collected or to comply with legal obligations:
- PIS Data: Transaction data is retained for 5 years to comply with AML/CTF and tax regulations.
- AIS Data: Account information is retained only for the duration of your consent or as required to provide the service.
- Technical Data: Logs and analytics data are retained for 12 months for security and fraud prevention purposes.
Once the retention period expires, your data is securely deleted or anonymized.
Cookies and Tracking
Our website uses cookies to enhance functionality and security. We use:
- Necessary Cookies: For website operation and secure transactions.
- Analytics Cookies: To understand how our services are used (only with your consent).
You can manage cookie preferences through our website’s cookie settings. For more details, see our Cookie Policy (#cookie-policy).
Contact Us
For questions, complaints, or to exercise your data protection rights, contact our Data Protection Officer (DPO):
- Email: privacy@fliqa.io
- Address: FLIQA d.o.o., Miklošičeva cesta 26, 1000 Ljubljana, SI-Slovenia
You may also contact the Slovenian Information Commissioner at:
- Address: Dunajska cesta 22, 1000 Ljubljana, Slovenia
- Email: gp.ip@ip-rs.si
- Website: www.ip-rs.si
Changes to This Privacy Notice
We may update this Privacy Notice to reflect changes in our services or legal requirements. Updates will be posted on our website with the effective date. If significant changes affect your rights, we will notify you directly.