Privacy Notice

About processing of personal data

A significant part of our mission here in Lunar is to be transparent about our business operations, including how we process personal information about you. We are therefore very focused on our obligations to protect your rights according to the data protection regulation (that consists of among other the General Data Protection Regulation also known as the GDPR and supplementary national regulation). In the following sections, you can read more about which information we collect about you, for what purposes, how we store and share it, and what rights you - as a data subject - can assert.

About ShareIt users

This notice also applies to the users of ShareIt. Each section below has been elaborated with information relevant to the specific use of ShareIt. ShareIt is developed by Lunar Way A/S, which is part of Lunar Group A/S, which also owns Lunar Bank A/S. You do not need to be a Lunar Bank customer to be a user of ShareIt.

Table of content

1. More about the application and use of cookies

2. Data protection officer (DPO)

3. Data controller

4. Who is covered by this privacy notice?

5. Why and on what legal basis do we process personal data about you?

To comply with legal requirements

To fulfill an agreement with you

For the purpose of our own legitimate interests

About recording of telephone conversations and storing chat conversations

About video surveillanceg

6. Types of information we process about you

7. Who do we disclose your personal data to, where do we collect it from and why?

8. Do we transfer your personal data to third countries?

9. Automatic decision making

10. For how long a period of time do we process information about you?

11. Your rights as a data subject

Right of accesst

Right to rectification

Right to erasure (“right to be forgotten”)

Right to restriction of processingr

Right to data portabilityt

12. Changes to this policy

13. Complaints or questions about the processing of personal data

1. More about the application and use of cookies

You can read more about our application and use of cookies on our website by accessing this link.

2. Data protection officer (DPO)

If you have any questions or complaints about our processing of personal data or this policy, please contact our DPO at dpo@lunar.app.

3. Data controller

Lunar Bank A/S ("we", "us", "our"), CVR (company number) 39697696 with headquarters at Hack Kampmanns Plads 10, 8000 Aarhus C is the data controller for the processing of your personal data, even if you are only a ShareIt user.

4. Who is covered by this privacy notice?

When we refer to "you" in this policy, we mean you as our private customer, owner of an individually owned company or an employee of our customer.

However, you may also be another relevant party such as an authorized representative, beneficiary, guarantor, shareholder or related party.

We also mean you as a user of ShareIt.

5. Why and on what legal basis do we process personal data about you?

In short, we process personal data about you for several purposes and on several different legal grounds, which are described in the following sections below:

To comply with legal requirements

First and foremost, as a bank and financial services provider, we are subject to a number of legal regulations that determine how and what personal data must be processed, including how long it must be stored. We are therefore subjected to legal obligations that include:

Know your customer requirements
Prevention of money laundering and terrorist financing
Sanctions screening
Bookkeeping
Reporting to law enforcement authorities such as: police, tax and regulatory authorities in all the three respective Scandinavian countries
Credit-, risk-, solvency and risk- management hereunder assessment
Fraud monitoring and reporting

The processing of personal data is carried out in accordance with Article 6(1)(c) of the General Data Protection Regulation (hereafter the GDPR), cf. the above-mentioned respective legal obligations.

To fulfill an agreement with you

We also process personal data about you so that we - as a provider of a specific service or product - can fulfill our contractual agreement with you. This need includes the following processing activities:

Internal documentation of completed tasks or requests
Delivery and administration of our services and products, including cooperation with our partners
Customer care and assistance
Establishment of users and user profiles in Lunar Bank App and ShareIt App
Opening of account(s) and issuing of payment cards
Verification of your identity as a customer

The processing of personal data takes place in accordance with Article 6(1)(b) of the GDPR.

For the purpose of our own legitimate interests

We also need to process information about you for the purposes of our own legitimate interests, which include:

Establishing and defending legal claims
Profiling of transactions for the purpose of detecting possible fraud
Protection and development of our business and systems
Marketing, product and customer analysis

The processing of personal data takes place in accordance with Article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms.

Consent

Prior to processing data about you in the following situations, we will ask for your consent pursuant to Article 6(1)(a) (and if applicable according to Article 9(2)(a) of the GDPR when:

Processing of data in connection with payment transactions
Processing of payment data containing sensitive personal data as defined in Article 9(1) in connection with a single payment or the establishment of a payment service agreement
Sending direct marketing by email
Recording of telephone conversations for internal learning and development purposes

The given consent can always be withdrawn (in the Lunar Bank App), but does not affect the conducted processing prior to the withdrawal of consent.

Sensitive personal data as defined in Article 9(1) of the GDPR that derives from your transactional history or your Lunar account(s) is also processed on the ground of your consent in accordance with Article 6(1)(a) and Article 9 (2)(a) of the GDPR.

About recording of telephone conversations

We record telephone conversation with you in order for us to document and execute on the following:

implementing know-your-customer procedures (processing of personal data takes place in accordance with Article 6(1)(c) of the GDPR)
preventing/managing fraud and fraud attempts (processing of personal data takes place in accordance with Article 6(1)(c) of the GDPR)
documenting entered agreements with you (processing of personal data takes place in accordance with Article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms)
welcoming you as a Lunar Bank customer (processing of personal data takes place in accordance with article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms) and
having concrete educational and training material for our Customer Support employees (for this purpose, conversations will only be recorded if you consent to this in accordance with Article 6(1)(a) of the GDPR).

About video surveillance

For security and crime prevention reasons, our office buildings are monitored by video surveillance.

6. Types of information we process about you

For the above mentioned purposes, we process different types of data about you. In certain situations, we may also need to process data about persons related to you, such as your representatives, guarantors, payers, employees, etc.

The list of types of data is not exhaustive, as the type of data we collect depends on the type of service or product we need to provide:

Identification information: social security number, full name, copy of passport/driver's license, IP address, verification relevant to Lunar Bank App and ShareIt App
Contact information: Residential address, phone number and email address
Personal: Citizenship, marital status and employment
Financial information (does not apply to just ShareIt users): Information about income, accounts, assets, debt and transaction history, purpose of using Lunar Bank, historical information about the customer relationship with Lunar Bank and country of taxation, purchase/registration for products/services offered in cooperation with Lunar Bank's partners
Use of Lunar Bank App (gælder ikke for ShareIt brugere): time and duration of use of the application including selected windows
Use of ShareIt App: time and duration of use of the application including selected windows

Special categories of personal data

We note that the subscriptions and other payment agreements that you may link to your Lunar Bank account may relate to matters that may be covered by the concept of "special categories of personal data" in Article 9 of the General Data Protection Regulation (e.g. trade union membership, health information, political orientation, etc.)

7. Who do we disclose your personal data to, where do we collect it from and why?

We disclose information about you if:

we are required to do so by law to which we are subjected
we have a legitimate interest and as long as it does not override your interests or fundamental freedoms and/or
it is necessary for us to fulfill the agreement we have entered into with you.

Where, as a result of one or more of the above circumstances, it is necessary to disclose information about you, the disclosure is made to the following categories of recipients:

Public authorities in either Denmark, Sweden or Norway (e.g. tax, police, law enforcement and supervisory authorities).
External business partners (e.g. other banks, credit agencies, correspondent banks, finance companies)
External suppliers of e.g. IT development, hosting, support and maintenance.

In addition to collecting information directly from you, we also collect personal data from third parties such as publicly available and other external sources. This collection is necessary for us to offer you our products, services, process correct information about you and fulfill the legal obligations to which we are subject.

Third parties from which we collect personal data may be, for example:

Public registers (e.g. population registers, tax registers, business registers and other law enforcement agencies' registers)
Economic sanction lists (e.g. within national and international organizations such as the EU and UN)
Registers of credit rating agencies and other commercial providers of information on e.g. beneficial owners
Money transfer services, merchants, banks and others in relation to payments

8. Do we transfer your personal data to third countries?

In certain specific cases - as part of our use of a data processor or sub-processor - information about you is transferred to a third country. Such transfers are only carried out in the following cases:

The EU Commission has determined that the country in question has an adequate level of protection.
The EU Commission's Standard Contractual Clauses 2021 have been entered and additional security measures have been implemented.
The applied data processor’s processing activity is certified under the EU-US Data Privacy Framework that has been adopted in 2023.

You can find the current EU Standard Contractual Clauses by clicking here.

9. Automatic decision making

In certain situations - like in order to make our customer management more efficient and thus improve your customer experience - Lunar Bank will make decisions based on automatic processing, including profiling. This happens especially in relation to e.g.ongoing customer due diligence and offboarding you as a customer.

10. For how long a period of time do we process information about you?

We retain information about you for as long as:

the rules we are subjected to require retention for a certain period of time (e.g. accounting rules or prevention of money laundering and terrorist financing),
retention is necessary for the purposes for which we have collected and processed the data (e.g. to fulfill our contract with you), or
you have not withdrawn your consent to the processing of data.

The deadlines for erasing data, that we must oblige to, are not only different across borders but also among themselves depending on the purpose with the processing.

11. Your rights as a data subject

According to the GDPR you as the data subject have the following rights you can exercise by contacting us.

Your request will always be assessed as soon as possible and specifically based on the circumstances.

Right of access

You have the right to access the personal data we process about you. This means that you have the right to receive a copy of the data we process about you. Furthermore, you have the right to receive specific information about the processing to which the data is subjected. However, your right of access may be limited by law, protection of other people's privacy and considerations of protection of our business concept, trade secrets and know-how.

Right to rectification

If any information about you is incorrect or incomplete, you have the right to have it corrected and/or updated.

Right to erasure (“right to be forgotten”)

You have the right to request the erasure of your data in the following cases, as set out in the GDPR:

You withdraw the consent you have given for the processing of personal data.
Information about you is no longer necessary to fulfill the purpose for which it was collected or otherwise processed.
You object to the processing and the processing does not serve legitimate grounds.
Information about you has been processed unlawfully.
The processing concerns minors and the data has been collected in connection with the provision of information services.
You object to the processing of data in direct marketing and the processing is unlawful.

Right to restriction of processing

If you believe that the processing of data about you is unlawful or that the data is incorrect, or you have objected to the processing of the data, you can ask us to restrict the processing of that data. The restriction may then include retention until the accuracy of the data is established, or we demonstrate that we have a legitimate interest in processing personal data that overrides your interests.

Right to data portability

You have the right to request to receive information about you in a machine-readable format. This right only applies to personal data that is processed automatically and where valid consent has been given or for the purpose of fulfilling a contract.

12. Changes to this policy

As with everything else in our business, we are constantly improving and developing. We may therefore change this data processing policy from time to time.

The current information is updated with effect from (december 2023)

13. Complaints or questions about the processing of personal data

If you are dissatisfied with this policy or our processing of personal data, then you are welcome to contact our Data Protection Officer (DPO) at dpo@lunar.app.

If you wish to complain about the processing of your personal data, you can contact the Danish Data Protection Agency. You can find the Danish Data Protection Agency's contact information on their webpage.

Lunar Bank A/S, Hack Kampmanns Plads 10 DK-8000 Aarhus C, CVR nr. 39697696