Bankwards Privacy Policy
1. Preamble
In this Privacy Policy, Bankwards transparently informs its customers (hereinafter referred to as the “Bankwards Customer” or the “Bankwards Customers”) on what personal data is collected, the reasons behind it and who would be the recipient of such data.
With regards to the terms used in this Privacy Policy the definitions of the GDPR apply accordingly.
2. Applicability
Bankwards Operations GmbH with its corporate seat in Körösistraße 29c/Top 86, 8010 Graz, Austria, registered with the Austrian commercial register under registration number FN 631086 v (hereinafter referred to as "Bankwards") together with its affiliates (hereinafter referred to as "Bankwards Group") offer via its website (“Bankwards Platform”) services and products related to and in particular regarding the invoice approval process, cross-border payments, card utilization and the accounting service.
This Privacy Policy applies to all services and products regarding the Bankwards Platform, this website and our helpdesk.
3. Controller
Bankwards will solely use the Bankwards Customer’s personal data in compliance with the applicable data protection laws and this Privacy Policy.
Each company of the Bankwards Group is a Controller pursuant to Art 4 para 7 GDPR and therefore responsible for the processing of personal data in connection with the services provided by the specific company. In some cases, entities of Bankwards might act as Processor pursuant to Art 4 para 8 GDPR on behalf of each other.
If the Bankwards Group acts together with other parties as Joint Controller (e.g. processing data for jointly determined purposes within the Bankwards Group), the respective Bankwards entity provides those parties with personal data if applicable and based on at least one of the legal bases listed under section 6. In case of a joint controllership, the respective Bankwards entity transmits the Bankwards Customer’s personal data only based on a sufficient agreement with the respective partners (Art 26 GDPR). However, no sensitive payment data will be transmitted within the Bankwards Group.
Bankwards will only share the Bankwards Customer’s personal data with other third parties if a legal basis applies. This may be due to the business relationship with the Bankwards Customer, Bankwards’ legitimate interests, a legal obligation or the prior consent of the Bankwards Customer (withdrawable at any time).
4. Payment Services
When the Bankwards Customer uses the payment services, Bankwards will only process the Bankwards Customer’s personal data with the Bankwards Customer’s consent or due to a contractual obligation towards the Bankwards Customer and Bankwards will not request any data from the Bankwards Customer other than those necessary to provide this service. Furthermore, Bankwards won’t use, access or store any data for purposes other than for the performance of the payment services as explicitly requested by the Bankwards Customer.
5. Data Categories and Sources
Bankwards processes the Bankwards Customer’s personal data within the scope of the business relationship and the Bankwards Customer’s usage of the Bankwards Platform. Furthermore, Bankwards might process the Bankwards Customer’s personal data within the Bankwards Group and data Bankwards received from credit agencies, debtor directories, business analysis providers (e.g. credit information services, business and financial information companies, security companies, etc.), and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).
The following personal data might be processed:
- Contact and general account creation data: Bankwards might process for example the name, address, telephone number, email address, date of birth, photo for the account, etc.;
- Verification data: Bankwards might process for example screenshots/photos of national identity documents and identification data from these documents, details of utility bills for residence verification, data about politically exposed persons (PEPs), data regarding proof of funds, etc.;
- Financial data for facilitation of transactions: Bank details (IBAN, BIC), payment service provider information, payment details, transaction-ID, other sensitive payment data, etc.;
- Log data on the website: IP-address, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, identification cookies, optionally form data, crash reports, performance data, interactive chat, third-party cookies, etc.;
- Company details: Commercial register reports, data of/or concerning beneficial owners (UBO), PEP status of UBOs, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, etc.;
- Personal data provided in support requests: data provided in the request to the support team;
- Marketing data: Bankwards might process statistical and marketing data for example number of visitors, frequency, clicks, time, places, target groups, data from cookies and similar technologies, Bankwards Customer behaviour, interests and preferences, data about market research and target groups surveys, etc.
6. Purpose and Legal Basis for Using Personal Data
The processing of personal data of Bankwards Customers is performed in accordance with applicable data protection legislation. This includes, inter alia, the EU General Data Protection Regulation (GDPR), the E-Privacy Directive and the national implementing acts (e.g. the Austrian Data Protection Act). Generally, Bankwards processes personal data of Bankwards Customers based on one of the legal bases listed below.
Additionally Bankwards adheres to international standards that help trace and combat illicit activities in the financial sphere, such as those set by the Financial Action Task Force (FATF). Bankwards processes the Customer’s personal data:
6.1. For the performance of contractual obligations (Art 6 para 1 lit b GDPR)
Processing of personal data might be necessary for the performance of the business relationship with the Bankwards Customer. The following data processing operations are inter alia covered by such contractual obligations:
- General performance of Bankwards services, all tasks necessary for the operation, performance and administration of Bankwards and the Bankwards Platform;
- account management (e.g. continuous updating of Bankwards Customer data);
- execution of Bankwards Customer orders;
- Bankwards Customer service and support requests (e.g. contacting because of complications);
- analysis and improvement of the Bankwards Platform's quality and the general Bankwards Customer experience (e.g. performance tracking on the Platform).
6.2. For compliance with legal obligations (Art 6 para 1 lit c GDPR)
Processing of personal data might also be necessary for complying with various legal obligations (e.g. AML Directives, Payment Service Directives, etc.). The following data processing operations, for example, are inter alia covered by such legal obligations:
- Contract management, accounting and invoicing;
- Compliance and risk management;
- KYC measures like video authentication process (validation of identity) and proof of funds;
- Monitoring for prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;
- Providing information to fiscal criminal authorities in the context of fiscal criminal proceedings or to prosecution in accordance with official orders;
- Consultation of credit agencies to determine creditworthiness and default risks;
- Transaction information;
- Communication.
6.3. To protect legitimate interests (Art 6 para 1 lit f GDPR)
Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Bankwards or a third party. The following data processing operations are inter alia covered by such a legitimate interest:
- Prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;
- Processing inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings;
- Risk management and risk minimisation e.g. through enquiries to credit agencies, debtor directories or providers of business analysis;
- Data transmission within the Bankwards Group for internal administrative purposes;
- Account management and handling general Bankwards Customer requests and inquiries;
- Process and quality management measures;
- Analysis and improvement of the Bankwards Platform's quality and the general Bankwards Customer experience;
- Market research, business management and continuing development of services and products;
- Processing statistical data, performance data and market research data via the Bankwards website;
- Use of audio, video and photo data from public spaces (e.g. public events, fairs, etc.) for marketing and other representation purposes on our social media channels or the Bankwards website;
- Processing Bankwards Customer preferences (e.g. language, region) via cookies on the Bankwards website;
- For Bankwards Customer support communications.
6.4. Based on the consent of the Customer (Art 6 para 1 lit a GDPR):
If the Bankwards Customer has given Bankwards the consent to process the Bankwards Customer’s personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if the Bankwards Customer no longer agrees to the processing. For example, with the consent of the Bankwards Customer Bankwards is processing data for the following purposes:
- Direct marketing and advertising (e.g. Bankwards Customer satisfaction surveys, newsletters, sweepstakes and other advertising communications);
- Website analysis and tracking for advertising purposes;
- Certain uses of audio, video and photo data (e.g. commercials, interviews, etc.) for marketing and other representational purposes via various channels.
6.5. Processing for other purposes
Bankwards only processes personal data for the purposes for which they were collected. In exceptional cases, however, Bankwards might process the Bankwards Customer’s personal data which Bankwards has collected for one specific purpose for another purpose. In this case, Bankwards will inform the Bankwards Customer before the intended processing about this purpose, the period for which the Bankwards Customer’s personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to file a complaint with the data protection authority, whether provision of the personal data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.
7. Recipients of Personal Data
Bankwards transfers the Bankwards Customer’s personal data only to the extent described below or within the scope of an instruction at the time the data is collected from the Bankwards Customer. Personal data will neither be sold by Bankwards nor otherwise disclosed to third parties, and transfers are in general limited to the recipients in the following four groups:
7.1. Data transfer within the Bankwards Group
Within the Bankwards Group, the Bankwards Customer’s personal data will be shared between Bankwards companies/entities, if there is a legal basis as described above. This happens for internal administrative purposes to conduct internal administrative activities efficiently. Bankwards employees treat the Bankwards Customer’s personal data with the highest security standards and also only have access on a need-to-know basis. In all these cases only those employees will receive the Bankwards Customer’s personal data who need it to fulfil the contractual and legal obligations and legitimate interests.
If a Bankwards company/entity acts as a service provider for another Bankwards company/entity, Bankwards contractually obliges this company/entity to ensure the confidentiality and security of the Bankwards Customer’s personal data that are processed on the behalf of Bankwards.
7.2. Data transfer to Processors
To a limited extent, Bankwards also transmits personal data to Processors. Such include, inter alia, service providers for video authentication services, IT services, Customer support, improvement of the Bankwards website, monitoring of defective business cases, application management. Processors may only use or disclose this personal data to the extent necessary to perform services for Bankwards or to comply with legal requirements. Bankwards contractually obliges these Processors to ensure the confidentiality and security of the Bankwards Customer’s personal data that are processed on the behalf of Bankwards.
7.3. Data transfer to public bodies and institutions
Bankwards might also transfer the Bankwards Customer’s personal data to public bodies and institutions (i) if Bankwards is required to do so by law or in the context of legal proceedings, (ii) if Bankwards believes that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.
7.4. Data transfer to other third parties
Bankwards will only share the Bankwards Customer’s personal data with other third parties if a legal basis applies. This may be due to our contract with the Bankwards Customer, Bankwards’ legitimate interests, a legal obligation or prior consent of the Bankwards Customer (withdrawable at any time).
Bankwards wants to especially highlight other types of third parties that Bankwards might have to share data with:
- Bank identification verification provider: Bankwards might process the personal data of the Bankwards Customer in connection with bank identity verification processes.
- Payment gateway provider: Payments made via the Bankwards Platform are made through an entrusted third party. Such partner will not share the Bankwards Customer’s payment card details with Bankwards and processing is subject to their own privacy policy and terms and conditions.
- Other third parties: Bankwards Group might transfer the Bankwards Customer’s personal data to any other person with the Bankwards Customer’s consent to the disclosure or the purpose of performing the business relationship or in order to take steps at the request of the data subject prior to performing a service to the Bankwards Customer, especially for the performance of payment services to credit institutions and other payment service providers.
8. International Data Transfer
Bankwards will process the Bankwards Customer’s personal data in general within the European Economic Area. In some circumstances it might be the case that it is processed also outside the European Economic Area. If this is the case, Bankwards will rely on appropriate data transfer mechanisms according to Art 44 et seq GDPR. This might be, inter alia:
- An adequacy decision by the European Commission (e.g. EU-US Privacy Framework);
- standard contractual clauses as published by the European Commission;
- binding corporate rules.
Regardless of where the Bankwards Customer’s personal data is processed, it will be processed in accordance with the provisions in this Privacy Policy.
9. Newsletter
In case the Bankwards Customer would like to receive more information with regards to Bankwards services, the Bankwards Customer can receive the Bankwards newsletter after the Customer voluntarily and expressly subscribes to the Bankwards newsletter, whereby the Bankwards newsletter might contain trackers to better understand the Bankwards Customers’ interactions with the newsletter.
10. Retention and Deletion Periods
Bankwards retains and processes the Bankwards Customer’s personal data only as long as absolutely necessary. This means for the duration of the entire business relationship (from initiation through performance to termination of the business relationship), and after that for as long as applicable legal retention periods stipulate. Beyond this time period Bankwards retains the Bankwards Customer’s personal data only for a longer period, in accordance with statutory retention and documentation obligations or to defend legal claims. When Bankwards performs payment initiation services for the Bankwards Customer, we will not store the sensitive payment data obtained thereby.
Statutory retention periods applicable to Bankwards are, inter alia:
- The Austrian Enterprise Code (Unternehmensgesetzbuch) and the Austrian Federal Tax Code (Bundesabgabenordnung) that foresee a retention period of seven years.
- The Austrian Financial Market Money Laundering Act (Finanzmarktgeldwäschegesetz) that foresees a retention period of ten years after the termination of the business relationship.
- In certain cases, the limitation period according to the Austrian General Civil Code (Allgemeines Bürgerliches Gesetzbuch) that foresees a retention between three and thirty years; e.g. if data is required as evidence for legal disputes or for as long as there are other legitimate interests in retention.
Therefore, Bankwards Customer’s personal data will only be kept as long as absolutely necessary per the conditions above, after which it will be erased from the systems of Bankwards.
Unless expressly stated in this Privacy Policy, personal data of Bankwards Customers processed by Bankwards shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.
11. Data subject rights:
11.1. Right of access (Art 15 GDPR)
The Bankwards Customer has the right to request confirmation from Bankwards as to whether Bankwards is processing personal data concerning the Bankwards Customer and to receive a copy of the personal data concerning the Bankwards Customer which is undergoing processing.
11.2. Right to rectification (Art 16 GDPR)
The Bankwards Customer can at any time request to rectify incorrect data and provide supplementary information to an incomplete record.
11.3. Right to erasure (Art 17 GDPR)
The Bankwards Customer can at any time ask Bankwards to delete the personal data Bankwards has stored about the Bankwards Customer, which Bankwards will act upon unless there is an overriding exception.
11.4. Right to restriction of processing (Art 18 GDPR)
The Bankwards Customer has the right to ask Bankwards to restrict the processing of the personal data of the Bankwards Customer where one of the following conditions applies:
- The Bankwards Customer contests the accuracy of the personal data (the restriction shall be put in place for a period which enables Bankwards to verify the accuracy of the personal data);
- the processing of the personal data of the Bankwards Customer was unlawful, and the Bankwards Customer opposes the erasure of respective personal data and requests instead the restriction of its use;
- Bankwards no longer requires the personal data of the Bankwards Customer for the purposes of the processing, but the Bankwards Customer requires them for the assertion, exercise or defence of legal claims; or
- the Bankwards Customer has objected to processing of personal data of the Bankwards Customer and it has not yet been determined whether the legitimate grounds of Bankwards override the legitimate grounds of the Bankwards Customer.
11.5. Right to data portability (Art 20 GDPR)
The Bankwards Customer has the right to receive the personal data concerning the Bankwards Customer which were provided to Bankwards in a structured, commonly used and machine-readable format. The Bankwards Customer shall also have the right to request that Bankwards transfers these data directly to another controller, designated by the Bankwards Customer, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either the consent of the Bankwards Customer or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
11.6. Right to object (Art 21 GDPR)
The Bankwards Customer has the right to object on grounds relating to the particular situation to the processing of the personal data of the Bankwards Customer at any time if the processing is based on the legitimate interests of Bankwards. Bankwards will stop processing the personal data of the Bankwards Customer for this purpose unless Bankwards can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Bankwards Customer or unless the processing is for the assertion, exercise or defence of legal claims. In regards to personal data processed for direct marketing purposes, the Bankwards Customer can object at any time by contacting Bankwards. The objection does not affect the lawfulness of processing of personal data based on legitimate interests before the respective withdrawal.
11.7. Right to withdraw consent (Art 7 (3) GDPR)
The Bankwards Customer has the right to withdraw the consent for processing at any time, upon which Bankwards will stop processing the personal data of the Bankwards Customer based on this legal basis unless a different legal basis is applicable. The withdrawal does not affect the lawfulness of processing the personal data based on legitimate interests before the respective withdrawal.
11.8. Right to not be subject to automated decision-making (Art 22 GDPR)
Bankwards does not use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR (e.g. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).
To exercise one of the above-mentioned rights, Bankwards Customers can send Bankwards an email to help@bankwards.com or a letter to Bankwards GmbH, Körösistraße 29c/Top 86, 8010 Graz, Austria.
12. Supervisory authority
In case the Bankwards Customer would like to receive more information with regards to Bankwards services, the Bankwards Customer can receive the Bankwards newsletter after the Customer voluntarily and expressly subscribes to the Bankwards newsletter, whereby the Bankwards newsletter might contain trackers to better understand the Bankwards Customers’ interactions with the newsletter.
13. Declaration of Consent
Bankwards Customers have the right to withdraw the consent at any time to Bankwards via email to help@bankwards.com. Please keep in mind that Bankwards might not be able to provide all Bankwards services to Bankwards Customers anymore, if the consent is withdrawn. The withdrawal of the respective consent does not affect the lawfulness of processing the personal data based on consent before the respective withdrawal.
14. Updates of this Privacy Policy
Bankwards regularly reviews this Privacy Policy and updates it when required, in order to take current circumstances into account. If Bankwards makes significant changes to this Privacy Policy, Bankwards will notify the Bankwards Customer accordingly and will provide the Bankwards Customer with the updated version of the Privacy Policy.
15. Contact
If the Bankwards Customer should have any further questions about this Privacy Policy or the processing of the Bankwards Customer’s personal data the Bankwards Customer can contact the Data Protection Officer of Bankwards (help@bankwards.com) anytime.