1.1. “AISP” means account information service provider, a regulated payment service provider that provides consolidated information on one or more Payment Accounts held by End User with either another payment service provider or with more than one payment service provider.
1.2. “Applicable Laws” means:
- KSA Open Banking Framework (KSA OBF) together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by a regulator with jurisdiction over the Services contemplated in these ToS, and all laws or regulations in force from time to time in PASP’s jurisdiction giving effect to PSD2; and
- all laws, statutes, rules, regulations, decrees, orders or directives in force from time to time that are applicable to the Services contemplated in these ToS.
1.3. “PASP” means payment account service provider, a payment service provider (such as bank, credit institution or electronic money institution) that provides and maintains a Payment Account for End User.
1.5. “Consent” of End User means any freely given, specific, informed and unambiguous indication of End User’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
1.6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.7. “Metadata” means all ancillary information, metadata, usage data, service data, relationships, trends, metrics, logs and all other information derived from use of the Services.
1.8. “Terms of Service” means Spire’s terms of service which govern End User’s use of the Services as the same may be amended from time to time for the purposes of compliance with changes in the Applicable Laws or good industry practice.
1.9. “Payment Account” means an account held in the End User’s name by the PASP which is used for the execution of Payment Transactions.
1.10. “Payment Account Data” means data relating to End User’s Payment Account, particularly:
- account information (including without limitation account number, type, currency, balance);
- transactions information (including without limitation transaction amount, date, description, currency); and
- account holder information (including without limitation name, address, email, phone number), on the condition that the respective PASP in its sole discretion provides access to such additional information.
1.11. “Payment Order” means an instruction by End User to its respective PASP requesting the execution of a Payment Transaction.
1.12. “Payment Order Data” means data relating to the Payment Order, including without limitation amount, currency, status, description, payee details.
1.13. “Payment Transaction” means an act initiated by End User or on End User’s behalf of placing, transferring or withdrawing funds from End User’s Payment Account.
1.14. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, but is not limited to, Payment Account Data and Personalized Security Credentials.
1.15. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.16. “Personalized Security Credentials” means personalized features provided by PASP to End User for the purposes of authentication, including without limitation username, password, access number, security questions and answers, token/SMS codes, multifactor information, device information.
1.17. “PISP” means payment initiation service provider, a regulated payment service provider that initiates Payment Orders at End User’s request with respect to End User’s Payment Account held with the respective PASP.
1.18. “processing” or “to process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.19. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.20. “Pseudonymization” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific End User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
1.21. “Services” means the services provided by Spire on behalf of End User’s respective PASP.
1.22. “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1.23. “TPP” means a third-party provider, such as AISP or PISP.
1.24. “Website” means the website www.spiretech.co.
- COLLECTION OF INFORMATION
When End User starts using the Services Spire will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services, as well as meeting the compliance requirements set forth in the Applicable Laws with respect to the provision of Services. Spire collects information primarily in four (4) ways:
- Information collected through End User’s use of the Services. Spire collects information about: (i) the TPPs End User interacts with through the Services and a trail log of their actions with respect to access to End User’s Payment Account; (ii) any actions of End User within the Services; (iii) Payment Account Data to which Spire has been granted access; and (v) details of the Consent given by End User, including without limitation scope and timestamp of such Consent. Spire may store this information or part thereof in log files or other Metadata associated with End User’s Account, and link it to other information Spire collects and processes about End User.
- Information collected from PASP. Spire collects information from End User’s respective PASP for the purposes of providing the Services as follows:
- Payment Account Data, Payment Order Data and confirmation of availability of funds in End User’s Payment Account;
Besides first-party cookies set by Spire itself, Spire also uses third-party cookies. These third-party service providers with whom Spire has contracted help analyze certain online activities and provide analytics services.
- USE OF INFORMATION
- Processing Personal Data. Spire processes Personal Data for the purpose of:
- providing, maintaining, supporting, protecting and improving the Services;
- meeting the regulatory compliance requirements set forth in the Applicable Laws;
- providing customer support;
- sending system alert messages;
- enforcing compliance with the Terms of Service and Applicable Laws;
- protecting the rights and safety of End Users and third parties of Spire and End User’s respective PASP(s);
- troubleshooting, analyzing and solving service-related errors. In such cases, End Users’ Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by Spire; and
- Use of Non-Personal Data. Spire may generate anonymous data derived from or based on Personal Data so that the results are no longer personally identifiable with respect to End User, and combine or incorporate such anonymous data with or into other similar data or information collected from other End Users or derived from other End Users’ use of the Services (collectively, “Anonymized Aggregate Data”). Spire may use such Anonymized Aggregate Data for any business purpose, including but not limited to:
- providing, supporting and improving the Services, including sharing such Anonymized Aggregate Data with the respective PASP for the purpose of conducting transaction risk analysis and/or compiling other statistical reports;
- conducting analytical research, compiling statistical reports and performance tracking;
- developing and/or improving Spire’s other services and products; and
- sharing such Anonymized Aggregate Data with Spire’s affiliates, agents or other third parties with whom Spire has a business relationship.
Spire will not sell Anonymized Aggregate Data.
- CHILDREN’S PRIVACY
Protecting the privacy of young children is especially important to Spire. The Services are not directed to children under the age of sixteen (18) years and Spire does not knowingly collect or process Personal Data from persons under sixteen (18) years of age. If Spire becomes aware of the fact that Personal Data of persons less than sixteen (18) years of age has been collected via the Services, Spire will take the appropriate steps to delete this information.
- DISCLOSURES AND TRANSFERS
- Disclosure to Third-Party Providers. Spire has put in place contractual (including data protection, confidentiality and security provisions) and other organizational safeguards with its third-party service providers (“Third-Party Providers”) to ensure an adequate level of protection of Personal Data. Spire may transfer Personal Data to such Third-Party Providers, including Spire’s subcontractors and hosting providers engaged by Spire in connection with the provision of Services and/or Website. Such Third-Party Providers may process, store and/or have access to Personal Data.
- Disclosure to PASP. Spire will disclose Personal Data to End User’s respective PASP for the purpose of providing the Services as further described in the Terms of Service.
- Disclosure for Legal Reasons. Spire may disclose Personal Data without End User’s Consent, and End User hereby authorizes Spire to do so, when Spire believes in good faith that the disclosure of such information is reasonably necessary or appropriate:
- to comply with the Applicable Laws, any subpoena, enforceable request from the competent authorities or other legal process;
- to enforce Spire’s rights against End User or in connection with a breach by End User of the Terms of Service, including investigation of potential violations;
- to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Spire or other third parties;
- to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), Spire’s rights or property, other End Users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
- to help Spire comply with legal, accounting or security requirements, in which case Spire may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.
- CONTROLLER AND PROCESSOR
In providing the Services Spire acts as Controller of Personal Data. Spire shall adhere to the following principles with respect to Personal Data processing:
- not to collect more Personal Data than is necessary for the purpose of providing the Services;
- ensure that all employees authorized by Spire to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- reasonably respond to requests for exercising End Users’ rights specified in Section 8.
- END USER’S RIGHTS
Taking into account the nature of the processing, Spire will reasonably respond to requests for exercising End User’s rights set forth below:
- the right to be informed: End User has the right to receive fair processing information about his/her Personal Data, including purpose of processing and lawful basis for processing, the identity of Controller and Processor, the categories of Personal Data collected and processed, the recipients to whom Personal Data has been or will be disclosed, details of transfers (if any) to third countries and applicable safeguards, Personal Data retention period, the existence of End User’s rights, the sources Personal Data originates from.
- the right of access: End User has the right to obtain: (i) confirmation that his/her Personal Data is being processed; and (ii) access to such Personal Data.
- the right to rectification: End User is entitled to have Personal Data rectified if it is inaccurate or incomplete. Spire can’t, however, rectify any Payment Account Data, Payment Order Data or Personalized Security Credentials, as this information is provided by and collected from End User’s respective PASP.
- the right to erasure (right to be forgotten): End User has the right to request the deletion of his/her Personal Data when there is no compelling reason for its continued processing or End User withdraws Consent to such processing. End User can delete (all) his/her Account(s) at any time, in which case End User’s Personal Data will be permanently deleted from Spire’s production servers, except for the information that Spire will retain in accordance with its Data Retention policy (see further Section 9 “Data Retention”).
- the right to restrict processing: End User has the right to block processing of Personal Data on the grounds specified in the Applicable Laws. In such case, throughout the duration of the restriction Spire will no longer be able to process End User’s Personal Data and, consequently, provide the Services to End User.
- the right to data portability: End User may request to receive free of charge a copy of Personal Data stored in Spire’s system in a structured, commonly used and machine-readable format or have Spire transmit the data directly to another organization if this is technically feasible. Spire will use commercially reasonable efforts to respond to any data portability requests without undue delay and at the latest within one (1) month, although in certain limited circumstances Spire: (i) may not be able to make all relevant information available to End User where that information also pertains to another End User; in such case, Spire will provide reasons for denial to comply with End User’s request or any part thereof; and (ii) may extend the reply period to two (2) months where the End User’s request is complex or Spire receives a number of requests; in such case, Spire will inform End User within one (1) month of the receipt of the request and explain why the extension is necessary. Spire reserves the right to charge a reasonable administrative fee if End User’s request is manifestly unfounded or excessive, particularly if it is repetitive, and for further copies of the same information.
- the right to object: End User has the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) processing for purposes of scientific/historical research and statistics. Spire does not process End User’s Personal Data for any of the foregoing purposes.
- rights in relation to automated decision-making and profiling: End User has the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual). Spire does not process End User’s Personal Data for any of the foregoing purposes.
- the right to withdraw Consent: End User may withdraw Consent to Spire’s processing of Personal Data at any time. However, withdrawing Consent may result in End User’s inability to continue using the Services.
- DATA RETENTION
Spire will delete End User’s Personal Data from its primary production servers when End User deletes (all) his/her Account(s) or withdraws Consent to further processing of his/her Personal Data by Spire. As a result, End User’s Personal Data will be excised permanently from Spire’s production servers and further access to End User’s Account(s) and use of the Services will be impossible. Notwithstanding the foregoing, Spire shall retain End User’s Personal Data or portions thereof:
- in backup files on its backup servers for a period of up to one (1) year in order to ensure compliance with internal business continuity and disaster recovery procedures; and
- in log files in order to: (i) comply with the requirements of the Applicable Laws; (ii) exercise or defend (ongoing) legal claims; and (iii) assist End User’s respective PASP in meeting audit or statutory requirements. The retention period for such Personal Data shall be a minimum of five (5) years from the date of deletion, or such longer period as required by the Applicable Laws, unless subject to statutory or regulatory change.
Backup files are stored using strong TLS encryption and Spire’s authorized personnel do not access such files in the ordinary course of business operations. Spire will not use any Personal Data retained in backup files in everyday business activities.
- DATA SECURITY
- Online Confidentiality.
- Although Spire will take reasonable steps to ensure that End User’s Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information can be intercepted. Therefore, Spire can’t guarantee the security of Personal Data that End User chooses voluntarily to send to Spire electronically. Spire expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by End User or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
- Notice of Security Breach. Nobody is 100% safe from hackers. If a security breach causes an unauthorized intrusion into Spire’s systems, software or networks that leads to a Personal Data Breach resulting in a high risk to the rights and freedoms of End User, then Spire will notify Controller of the Personal Data Breach without undue delay after having become aware of it, by describing the nature of the Personal Data Breach, the data that has been, or Spire reasonably believes to have been, compromised and the immediate actions taken by Spire with respect thereto. Spire will later report to Controller the measures taken to mitigate potential adverse effects and prevent continuing or similar security breaches in the future.
- Personal Data Safeguards. Spire is committed to maintaining the confidentiality, integrity and security of the Personal Data of End Users. Spire employs advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. Spire strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. Spire carefully selects the individuals privileged with access to Personal Data in accordance with internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect Spire’s systems from unauthorized access, Spire uses a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to Spire’s systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24 hours a day, 7 days a week. Spire databases are both physically and logically protected from general employee access. Spire enforces physical controls on its premises. Spire is routinely verified for its use of TLS encryption technologies and audited for its privacy practices. Spire tests its systems and the Services infrastructure for any failure points that might allow hacking.
- Data Pseudonymization. In addition to the technical and organizational security measures employed by Spire to ensure security, confidentiality and integrity of Personal Data, Spire also uses a data Pseudonymization technique when processing and storing Personal Data in its systems by replacing the data fields which are the most identifying in a data record with pseudonyms. Personal Data which has undergone Pseudonymization can no longer be attributed to a specific End User without the use of additional information, and such additional information is kept by Spire separately and is subject to technical and organizational security measures to ensure that such pseudonymized Personal Data is not attributed to an identified or identifiable natural person.
- DATA PROTECTION OFFICER
Spire’s data protection officer can be reached at any time by email at firstname.lastname@example.org in case of any questions with respect to Spire’s collection, use, disclosure or processing of Personal Data.
Bayan Digital for Information Technology
2908 Ameer Mohd Bin Abdul Aziz
Kingdom of Saudi Arabia